Merge branch 'release-1.44.70'

* release-1.44.70:
  Bumping version to 1.44.70
  Update changelog based on model updates
  Update `configure set` to validate configuration keys and values (#10163)

Author: aws-sdk-python-automation

.changes/1.44.70.json

@@ -0,0 +1,127 @@
+[
+  {
+    "category": "``acm``",
+    "description": "Adds support for searching for ACM certificates using the new SearchCertificates API.",
+    "type": "api-change"
+  },
+  {
+    "category": "``cloudfront``",
+    "description": "This release adds bring your own IP (BYOIP) IPv6 support to CloudFront's CreateAnycastIpList and UpdateAnycastIpList API through the IpamCidrConfigs field.",
+    "type": "api-change"
+  },
+  {
+    "category": "``dataexchange``",
+    "description": "Support Tags for AWS Data Exchange resource Assets",
+    "type": "api-change"
+  },
+  {
+    "category": "``datazone``",
+    "description": "Adds environmentConfigurationName field to CreateEnvironmentInput and UpdateEnvironmentInput, so that Domain Owners can now recover orphaned environments by recreating deleted configurations with the same name, and will auto-recover orphaned environments",
+    "type": "api-change"
+  },
+  {
+    "category": "``devops-agent``",
+    "description": "AWS DevOps Agent service General Availability release.",
+    "type": "api-change"
+  },
+  {
+    "category": "``dms``",
+    "description": "To successfully connect to the IBM DB2 LUW database server, you may need to specify additional security parameters that are passed to the JDBC driver. These parameters are EncryptionAlgorithm and SecurityMechanism. Both parameters accept integer values.",
+    "type": "api-change"
+  },
+  {
+    "category": "``ec2``",
+    "description": "This release updates the examples in the documentation for DescribeRegions and DescribeAvailabilityZones.",
+    "type": "api-change"
+  },
+  {
+    "category": "``endpoint-rules``",
+    "description": "Update endpoint-rules command to latest version",
+    "type": "api-change"
+  },
+  {
+    "category": "``geo-maps``",
+    "description": "This release expands map customization options with adjustable contour line density, dark mode support for Hybrid and Satellite views, enhanced traffic information across multiple map styles, and transit and truck travel modes for Monochrome and Hybrid map styles.",
+    "type": "api-change"
+  },
+  {
+    "category": "``kinesisanalyticsv2``",
+    "description": "Support for Flink 2.2 in Managed Service for Apache Flink",
+    "type": "api-change"
+  },
+  {
+    "category": "``mailmanager``",
+    "description": "Amazon SES Mail Manager now supports optional TLS policy for accepting unencrypted connections and mTLS authentication for ingress endpoints with configurable trust stores. Two new rule actions are available, Bounce for sending non-delivery reports and Lambda invocation for custom email processing.",
+    "type": "api-change"
+  },
+  {
+    "category": "``marketplace-agreement``",
+    "description": "This release adds 8 new APIs for AWS Marketplace sellers. 4 APIs for Cancellations (Send, List, Get, Cancel action on AgreementCancellationRequest), 3 APIs for Billing Adjustments (BatchCreate, List, Get action on BillingAdjustmentRequest), and 1 API to List Invoices (ListAgreementInvoiceLineItems)",
+    "type": "api-change"
+  },
+  {
+    "category": "``observabilityadmin``",
+    "description": "This release adds the Bedrock and Security Hub resource types for Omnia Enablement launch for March 31.",
+    "type": "api-change"
+  },
+  {
+    "category": "``odb``",
+    "description": "Adds support for EC2 Placement Group integration with ODB Network. The GetOdbNetwork and ListOdbNetworks API responses now include the ec2PlacementGroupIds field.",
+    "type": "api-change"
+  },
+  {
+    "category": "``opensearch``",
+    "description": "Support RegisterCapability, GetCapability, DeregisterCapability API for AI Assistant feature management for OpenSearch UI Applications",
+    "type": "api-change"
+  },
+  {
+    "category": "``organizations``",
+    "description": "Added Path field to Account and OrganizationalUnit objects in AWS Organizations API responses.",
+    "type": "api-change"
+  },
+  {
+    "category": "``partnercentral-selling``",
+    "description": "Adding EURO Currency for MRR Amount",
+    "type": "api-change"
+  },
+  {
+    "category": "``pinpoint-sms-voice-v2``",
+    "description": "This release adds RCS for Business messaging and Notify support. RCS lets you create and manage agents, send and receive messages in the US and Canada via SendTextMessage API, and configure SMS fallback. Notify lets you send templated OTP messages globally in minutes with no phone number required.",
+    "type": "api-change"
+  },
+  {
+    "category": "``quicksight``",
+    "description": "Adds StartAutomationJob and DescribeAutomationJob APIs for automation jobs. Adds three custom permission capabilities that allow admins to control whether users can manage Spaces and chat agents. Adds an OAuthClientCredentials structure to provide OAuth 2.0 client credentials inline to data sources.",
+    "type": "api-change"
+  },
+  {
+    "category": "``s3``",
+    "description": "Add Bucket Metrics configuration support to directory buckets",
+    "type": "api-change"
+  },
+  {
+    "category": "``s3control``",
+    "description": "Adding an optional auditContext parameter to S3 Access Grants credential vending API GetDataAccess to enable job-level audit correlation in S3 CloudTrail logs",
+    "type": "api-change"
+  },
+  {
+    "category": "``s3tables``",
+    "description": "S3 Tables now supports nested types when creating tables. Users can define complex column schemas using struct, list, and map types. These types can be composed together to model complex, hierarchical data structures within table schemas.",
+    "type": "api-change"
+  },
+  {
+    "category": "``securityagent``",
+    "description": "AWS Security Agent is a service that proactively secures applications throughout the development lifecycle with automated security reviews and on-demand penetration testing.",
+    "type": "api-change"
+  },
+  {
+    "category": "``sustainability``",
+    "description": "This is the first release of the AWS Sustainability SDK, which enables customers to access their sustainability impact data via API.",
+    "type": "api-change"
+  },
+  {
+    "category": "Configuration",
+    "description": "Update ``configure set`` command to return an error when newline or carriage-return characters are specified in the value.",
+    "type": "bugfix"
+  }
+]

CHANGELOG.rst

@@ -2,6 +2,36 @@
 CHANGELOG
 =========
 
+1.44.70
+=======
+
+* api-change:``acm``: Adds support for searching for ACM certificates using the new SearchCertificates API.
+* api-change:``cloudfront``: This release adds bring your own IP (BYOIP) IPv6 support to CloudFront's CreateAnycastIpList and UpdateAnycastIpList API through the IpamCidrConfigs field.
+* api-change:``dataexchange``: Support Tags for AWS Data Exchange resource Assets
+* api-change:``datazone``: Adds environmentConfigurationName field to CreateEnvironmentInput and UpdateEnvironmentInput, so that Domain Owners can now recover orphaned environments by recreating deleted configurations with the same name, and will auto-recover orphaned environments
+* api-change:``devops-agent``: AWS DevOps Agent service General Availability release.
+* api-change:``dms``: To successfully connect to the IBM DB2 LUW database server, you may need to specify additional security parameters that are passed to the JDBC driver. These parameters are EncryptionAlgorithm and SecurityMechanism. Both parameters accept integer values.
+* api-change:``ec2``: This release updates the examples in the documentation for DescribeRegions and DescribeAvailabilityZones.
+* api-change:``endpoint-rules``: Update endpoint-rules command to latest version
+* api-change:``geo-maps``: This release expands map customization options with adjustable contour line density, dark mode support for Hybrid and Satellite views, enhanced traffic information across multiple map styles, and transit and truck travel modes for Monochrome and Hybrid map styles.
+* api-change:``kinesisanalyticsv2``: Support for Flink 2.2 in Managed Service for Apache Flink
+* api-change:``mailmanager``: Amazon SES Mail Manager now supports optional TLS policy for accepting unencrypted connections and mTLS authentication for ingress endpoints with configurable trust stores. Two new rule actions are available, Bounce for sending non-delivery reports and Lambda invocation for custom email processing.
+* api-change:``marketplace-agreement``: This release adds 8 new APIs for AWS Marketplace sellers. 4 APIs for Cancellations (Send, List, Get, Cancel action on AgreementCancellationRequest), 3 APIs for Billing Adjustments (BatchCreate, List, Get action on BillingAdjustmentRequest), and 1 API to List Invoices (ListAgreementInvoiceLineItems)
+* api-change:``observabilityadmin``: This release adds the Bedrock and Security Hub resource types for Omnia Enablement launch for March 31.
+* api-change:``odb``: Adds support for EC2 Placement Group integration with ODB Network. The GetOdbNetwork and ListOdbNetworks API responses now include the ec2PlacementGroupIds field.
+* api-change:``opensearch``: Support RegisterCapability, GetCapability, DeregisterCapability API for AI Assistant feature management for OpenSearch UI Applications
+* api-change:``organizations``: Added Path field to Account and OrganizationalUnit objects in AWS Organizations API responses.
+* api-change:``partnercentral-selling``: Adding EURO Currency for MRR Amount
+* api-change:``pinpoint-sms-voice-v2``: This release adds RCS for Business messaging and Notify support. RCS lets you create and manage agents, send and receive messages in the US and Canada via SendTextMessage API, and configure SMS fallback. Notify lets you send templated OTP messages globally in minutes with no phone number required.
+* api-change:``quicksight``: Adds StartAutomationJob and DescribeAutomationJob APIs for automation jobs. Adds three custom permission capabilities that allow admins to control whether users can manage Spaces and chat agents. Adds an OAuthClientCredentials structure to provide OAuth 2.0 client credentials inline to data sources.
+* api-change:``s3``: Add Bucket Metrics configuration support to directory buckets
+* api-change:``s3control``: Adding an optional auditContext parameter to S3 Access Grants credential vending API GetDataAccess to enable job-level audit correlation in S3 CloudTrail logs
+* api-change:``s3tables``: S3 Tables now supports nested types when creating tables. Users can define complex column schemas using struct, list, and map types. These types can be composed together to model complex, hierarchical data structures within table schemas.
+* api-change:``securityagent``: AWS Security Agent is a service that proactively secures applications throughout the development lifecycle with automated security reviews and on-demand penetration testing.
+* api-change:``sustainability``: This is the first release of the AWS Sustainability SDK, which enables customers to access their sustainability impact data via API.
+* bugfix:Configuration: Update ``configure set`` command to return an error when newline or carriage-return characters are specified in the value.
+
+
 1.44.69
 =======
 

awscli/__init__.py

@@ -18,7 +18,7 @@
 
 import os
 
-__version__ = '1.44.69'
+__version__ = '1.44.70'
 
 #
 # Get our data path to be added to botocore's search path

awscli/customizations/configure/writer.py

@@ -24,6 +24,19 @@ class ConfigFileWriter(object):
         r'(?P<value>.*)$'
     )
 
+    def _validate_no_newlines_or_carriage_returns(
+        self,
+        value,
+        label='value',
+        msg_override=None,
+    ):
+        if isinstance(value, str) and ('\n' in value or '\r' in value):
+            err_msg = msg_override if msg_override is not None else (
+                f"Invalid {label}: newline "
+                f"characters and carriage returns are not allowed: {value!r}"
+            )
+            raise ValueError(err_msg)
+
     def update_config(self, new_values, config_filename):
         """Update config file with new values.
 
@@ -52,6 +65,38 @@ def update_config(self, new_values, config_filename):
 
         """
         section_name = new_values.pop('__section__', 'default')
+        self._validate_no_newlines_or_carriage_returns(
+            section_name,
+            'section name'
+        )
+        for k, v in new_values.items():
+            self._validate_no_newlines_or_carriage_returns(k, 'key')
+            if not isinstance(v, dict):
+                # Override error msg to prevent
+                # leaking sensitive config values to stderr.
+                self._validate_no_newlines_or_carriage_returns(
+                    v,
+                    'value',
+                    msg_override=(
+                        f"Invalid value for key {k}: "
+                        f"newline characters and carriage "
+                        f"returns are not allowed."
+                    )
+                )
+            else:
+                for sk, sv in v.items():
+                    # Override error msg to prevent
+                    # leaking sensitive config values to stderr.
+                    self._validate_no_newlines_or_carriage_returns(sk, 'key')
+                    self._validate_no_newlines_or_carriage_returns(
+                        sv,
+                        'value',
+                        msg_override = (
+                            f"Invalid value for key {k}: "
+                            f"newline characters and carriage "
+                            f"returns are not allowed."
+                        )
+                    )
         if not os.path.isfile(config_filename):
             self._create_file(config_filename)
             self._write_new_section(section_name, new_values, config_filename)

doc/source/conf.py

@@ -52,7 +52,7 @@
 # The short X.Y version.
 version = '1.44.'
 # The full version, including alpha/beta/rc tags.
-release = '1.44.69'
+release = '1.44.70'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

setup.cfg

@@ -3,7 +3,7 @@ universal = 0
 
 [metadata]
 requires_dist =
-        botocore==1.42.79
+        botocore==1.42.80
         docutils>=0.18.1,<=0.19
         s3transfer>=0.16.0,<0.17.0
         PyYAML>=3.10,<6.1

setup.py

@@ -24,7 +24,7 @@ def find_version(*file_paths):
 
 
 install_requires = [
-    'botocore==1.42.79',
+    'botocore==1.42.80',
     'docutils>=0.18.1,<=0.19',
     's3transfer>=0.16.0,<0.17.0',
     'PyYAML>=3.10,<6.1',

tests/functional/configure/test_configure.py

@@ -374,6 +374,62 @@ def test_can_handle_empty_section(self):
             self.get_config_file_contents(),
         )
 
+    def test_set_rejects_newline_in_value(self):
+        _, stderr, _ = self.run_cmd(
+            ["configure", "set", "region", "us-east-1\nus-west-2"],
+            expected_rc=255,
+        )
+        self.assertIn("newline", stderr)
+        # To avoid leaking sensitive values,
+        # values should not appear in stderr.
+        self.assertNotIn("us-east-1\nus-west-2", stderr)
+
+    def test_set_rejects_carriage_return_in_value(self):
+        _, stderr, _ = self.run_cmd(
+            ["configure", "set", "region", "us-east-1\rus-west-2"],
+            expected_rc=255,
+        )
+        self.assertIn("newline", stderr)
+        # To avoid leaking sensitive values,
+        # values should not appear in stderr.
+        self.assertNotIn("us-east-1\rus-west-2", stderr)
+
+    def test_set_rejects_newline_in_nested_value(self):
+        _, stderr, _ = self.run_cmd(
+            ["configure", "set", "default.s3.signature_version", "s3v4\nfoo"],
+            expected_rc=255,
+        )
+        self.assertIn("newline", stderr)
+        # To avoid leaking sensitive values,
+        # values should not appear in stderr.
+        self.assertNotIn("s3v4\nfoo", stderr)
+
+    def test_newline_injection_does_not_write_injected_key_to_file(self):
+        # Simulates: aws configure set output $'table\nregion = us-east-1'
+        # The injected key must not appear anywhere in the config file.
+        self.set_config_file_contents("[default]\n")
+        self.run_cmd(
+            ["configure", "set", "output", "table\nregion = us-east-1"],
+            expected_rc=255,
+        )
+        contents = self.get_config_file_contents()
+        self.assertNotIn("region", contents)
+
+    def test_newline_injection_does_not_set_injected_key_in_parsed_config(self):
+        # Even if the file were somehow written, the injected key must not be
+        # readable back via 'configure get'.
+        self.set_config_file_contents("[default]\n")
+        self.run_cmd(
+            ["configure", "set", "output", "table\nregion = us-east-1"],
+            expected_rc=255,
+        )
+        # Re-create the driver so it re-reads the (unchanged) config file.
+        self.driver = create_clidriver()
+        stdout, _, _ = self.run_cmd(
+            "configure get region", expected_rc=1
+        )
+        self.assertEqual(stdout.strip(), "")
+
 
 class TestConfigureHasArgTable(unittest.TestCase):
     def test_configure_command_has_arg_table(self):

tests/unit/customizations/configure/test_writer.py

@@ -369,3 +369,39 @@ def test_appends_newline_on_new_section(self):
             '[new-section]\n'
             'region = us-west-2\n'
         )
+
+    def test_newline_in_value_raises(self):
+        with open(self.config_filename, 'w') as f:
+            f.write('[default]\nfoo = bar\n')
+        with self.assertRaises(ValueError):
+            self.writer.update_config({'foo': 'bad\nvalue'}, self.config_filename)
+
+    def test_carriage_return_in_value_raises(self):
+        with open(self.config_filename, 'w') as f:
+            f.write('[default]\nfoo = bar\n')
+        with self.assertRaises(ValueError):
+            self.writer.update_config({'foo': 'bad\rvalue'}, self.config_filename)
+
+    def test_newline_in_key_raises(self):
+        with open(self.config_filename, 'w') as f:
+            f.write('[default]\nfoo = bar\n')
+        with self.assertRaises(ValueError):
+            self.writer.update_config({'bad\nkey': 'value'}, self.config_filename)
+
+    def test_newline_in_section_name_raises(self):
+        with open(self.config_filename, 'w') as f:
+            f.write('[default]\nfoo = bar\n')
+        with self.assertRaises(ValueError):
+            self.writer.update_config(
+                {'foo': 'value', '__section__': 'bad\nsection'},
+                self.config_filename
+            )
+
+    def test_newline_in_nested_value_raises(self):
+        with open(self.config_filename, 'w') as f:
+            f.write('[default]\n')
+        with self.assertRaises(ValueError):
+            self.writer.update_config(
+                {'__section__': 'default', 's3': {'key': 'bad\nvalue'}},
+                self.config_filename
+            )