Skip to content

v1.18.0
Compare
Choose a tag to compare
@ericzbeard ericzbeard released this 29 Oct 23:25
· 32 commits to main since this release
v1.18.0
4c72bec
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

This release addresses a security issue that would allow an attacker to predict the name of the rain asset bucket and create it before a user issues a rain pkg command, which uploads assets such as Lambda function code to the bucket. This would give the attacker full access to the contents uploaded by Rain, since they own the bucket. This release adds the ExpectedBucketOwner argument to S3 calls, which causes an Access Denied error if the bucket does not belong to the same account. Additionally, this release adds the s3-bucket argument to the rain bootstrap command, which allows users to create an asset bucket with a user-supplied name, which will be stored in SSM Parameter Store with the key rain-bucket for reference by future Rain commands. We recommend that users upgrade to v1.18.0, and verify that the expected rain asset bucket exists within their own account. Users who do not use the pkg or deploy commands are not affected by this issue. Users who supply the optional s3-bucket argument to those commands are not affected if the bucket they specify is in their account.

What's Changed

  • When merging templates with Outputs, replace Imports that reference Exported Names by @ericzbeard in #565
  • Add expected bucket owner checks to s3 operations by @ericzbeard in #566

Full Changelog: v1.17.0...v1.18.0

Contributors

ericzbeard
Assets 18
Loading