Merge branch 'release-1.44.77'

* release-1.44.77:
  Bumping version to 1.44.77
  Update changelog based on model updates
  Tighten output file permissions (#10197)

Author: aws-sdk-python-automation

.changes/1.44.77.json

@@ -0,0 +1,37 @@
+[
+  {
+    "category": "``bcm-dashboards``",
+    "description": "Scheduled email reports of Billing and Cost Management Dashboards",
+    "type": "api-change"
+  },
+  {
+    "category": "``bedrock-agentcore``",
+    "description": "Introducing support for SearchRegistryRecords API on AgentCoreRegistry",
+    "type": "api-change"
+  },
+  {
+    "category": "``bedrock-agentcore-control``",
+    "description": "Initial release for CRUDL in AgentCore Registry Service",
+    "type": "api-change"
+  },
+  {
+    "category": "``mediaconnect``",
+    "description": "Adds support for MediaLive Channel-type Router Inputs.",
+    "type": "api-change"
+  },
+  {
+    "category": "``redshift-data``",
+    "description": "The BatchExecuteStatement API now supports named SQL parameters, enabling secure batch queries with parameterized values. This enhancement helps prevent SQL injection vulnerabilities and improves query reusability.",
+    "type": "api-change"
+  },
+  {
+    "category": "``sagemaker``",
+    "description": "Release support for g7e instance types for SageMaker HyperPod",
+    "type": "api-change"
+  },
+  {
+    "category": "s3, streaming output",
+    "description": "Output files created by S3 Select and streaming output commands are now created with owner-only permissions (0600). Existing files are also tightened to 0600 when overwritten.",
+    "type": "bugfix"
+  }
+]

CHANGELOG.rst

@@ -2,6 +2,18 @@
 CHANGELOG
 =========
 
+1.44.77
+=======
+
+* api-change:``bcm-dashboards``: Scheduled email reports of Billing and Cost Management Dashboards
+* api-change:``bedrock-agentcore``: Introducing support for SearchRegistryRecords API on AgentCoreRegistry
+* api-change:``bedrock-agentcore-control``: Initial release for CRUDL in AgentCore Registry Service
+* api-change:``mediaconnect``: Adds support for MediaLive Channel-type Router Inputs.
+* api-change:``redshift-data``: The BatchExecuteStatement API now supports named SQL parameters, enabling secure batch queries with parameterized values. This enhancement helps prevent SQL injection vulnerabilities and improves query reusability.
+* api-change:``sagemaker``: Release support for g7e instance types for SageMaker HyperPod
+* bugfix:s3, streaming output: Output files created by S3 Select and streaming output commands are now created with owner-only permissions (0600). Existing files are also tightened to 0600 when overwritten.
+
+
 1.44.76
 =======
 

awscli/__init__.py

@@ -18,7 +18,7 @@
 
 import os
 
-__version__ = '1.44.76'
+__version__ = '1.44.77'
 
 #
 # Get our data path to be added to botocore's search path

awscli/customizations/s3events.py

@@ -11,8 +11,10 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 """Add S3 specific event streaming output arg."""
-from awscli.arguments import CustomArgument
 
+import os
+
+from awscli.arguments import CustomArgument
 
 STREAM_HELP_TEXT = 'Filename where the records will be saved'
 
@@ -24,26 +26,28 @@ class DocSectionNotFoundError(Exception):
 def register_event_stream_arg(event_handlers):
     event_handlers.register(
         'building-argument-table.s3api.select-object-content',
-        add_event_stream_output_arg)
+        add_event_stream_output_arg,
+    )
     event_handlers.register_last(
-        'doc-output.s3api.select-object-content',
-        replace_event_stream_docs
+        'doc-output.s3api.select-object-content', replace_event_stream_docs
     )
 
 
 def register_document_expires_string(event_handlers):
-    event_handlers.register_last(
-        'doc-output.s3api',
-        document_expires_string
-    )
+    event_handlers.register_last('doc-output.s3api', document_expires_string)
 
-def add_event_stream_output_arg(argument_table, operation_model,
-                                session, **kwargs):
+
+def add_event_stream_output_arg(
+    argument_table, operation_model, session, **kwargs
+):
     argument_table['outfile'] = S3SelectStreamOutputArgument(
-        name='outfile', help_text=STREAM_HELP_TEXT,
-        cli_type_name='string', positional_arg=True,
+        name='outfile',
+        help_text=STREAM_HELP_TEXT,
+        cli_type_name='string',
+        positional_arg=True,
         stream_key=operation_model.output_shape.serialization['payload'],
-        session=session)
+        session=session,
+    )
 
 
 def replace_event_stream_docs(help_command, **kwargs):
@@ -56,11 +60,14 @@ def replace_event_stream_docs(help_command, **kwargs):
             # This should never happen, but in the rare case that it does
             # we should be raising something with a helpful error message.
             raise DocSectionNotFoundError(
-                'Could not find the "output" section for the command: %s'
-                % help_command)
+                f'Could not find the "output" section for the command: {help_command}'
+            )
     doc.write('======\nOutput\n======\n')
-    doc.write("This command generates no output.  The selected "
-              "object content is written to the specified outfile.\n")
+    doc.write(
+        "This command generates no output.  The selected "
+        "object content is written to the specified outfile.\n"
+    )
+
 
 def document_expires_string(help_command, **kwargs):
     doc = help_command.doc
@@ -78,7 +85,7 @@ def document_expires_string(help_command, **kwargs):
         f'\n\n{" " * doc.style.indentation * doc.style.indent_width}',
         'ExpiresString -> (string)\n\n',
         '\tThe raw, unparsed value of the ``Expires`` field.',
-        f'\n\n{" " * doc.style.indentation * doc.style.indent_width}'
+        f'\n\n{" " * doc.style.indentation * doc.style.indent_width}',
     ]
 
     for idx, write in enumerate(deprecation_note_and_expires_string):
@@ -91,7 +98,7 @@ class S3SelectStreamOutputArgument(CustomArgument):
     _DOCUMENT_AS_REQUIRED = True
 
     def __init__(self, stream_key, session, **kwargs):
-        super(S3SelectStreamOutputArgument, self).__init__(**kwargs)
+        super().__init__(**kwargs)
         # This is the key in the response body where we can find the
         # streamed contents.
         self._stream_key = stream_key
@@ -100,8 +107,9 @@ def __init__(self, stream_key, session, **kwargs):
 
     def add_to_params(self, parameters, value):
         self._output_file = value
-        self._session.register('after-call.s3.SelectObjectContent',
-                               self.save_file)
+        self._session.register(
+            'after-call.s3.SelectObjectContent', self.save_file
+        )
 
     def save_file(self, parsed, **kwargs):
         # This method is hooked into after-call which fires
@@ -112,7 +120,11 @@ def save_file(self, parsed, **kwargs):
         if self._stream_key not in parsed:
             return
         event_stream = parsed[self._stream_key]
-        with open(self._output_file, 'wb') as fp:
+        fd = os.open(
+            self._output_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600
+        )
+        os.chmod(self._output_file, 0o600)
+        with os.fdopen(fd, 'wb') as fp:
             for event in event_stream:
                 if 'Records' in event:
                     fp.write(event['Records']['Payload'])

awscli/customizations/streamingoutputarg.py

@@ -10,21 +10,26 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
+import os
+
 from botocore.model import Shape
 
 from awscli.arguments import BaseCLIArgument
 
 
-def add_streaming_output_arg(argument_table, operation_model,
-                             session, **kwargs):
+def add_streaming_output_arg(
+    argument_table, operation_model, session, **kwargs
+):
     # Implementation detail:  hooked up to 'building-argument-table'
     # event.
     if _has_streaming_output(operation_model):
         streaming_argument_name = _get_streaming_argument_name(operation_model)
         argument_table['outfile'] = StreamingOutputArgument(
             response_key=streaming_argument_name,
             operation_model=operation_model,
-            session=session, name='outfile')
+            session=session,
+            name='outfile',
+        )
 
 
 def _has_streaming_output(model):
@@ -36,15 +41,16 @@ def _get_streaming_argument_name(model):
 
 
 class StreamingOutputArgument(BaseCLIArgument):
-
     BUFFER_SIZE = 32768
     HELP = 'Filename where the content will be saved'
 
-    def __init__(self, response_key, operation_model, name,
-                 session, buffer_size=None):
+    def __init__(
+        self, response_key, operation_model, name, session, buffer_size=None
+    ):
         self._name = name
-        self.argument_model = Shape('StreamingOutputArgument',
-                                    {'type': 'string'})
+        self.argument_model = Shape(
+            'StreamingOutputArgument', {'type': 'string'}
+        )
         if buffer_size is None:
             buffer_size = self.BUFFER_SIZE
         self._buffer_size = buffer_size
@@ -81,15 +87,15 @@ def documentation(self):
         return self.HELP
 
     def add_to_parser(self, parser):
-        parser.add_argument(self._name, metavar=self.py_name,
-                            help=self.HELP)
+        parser.add_argument(self._name, metavar=self.py_name, help=self.HELP)
 
     def add_to_params(self, parameters, value):
         self._output_file = value
         service_id = self._operation_model.service_model.service_id.hyphenize()
         operation_name = self._operation_model.name
-        self._session.register('after-call.%s.%s' % (
-            service_id, operation_name), self.save_file)
+        self._session.register(
+            f'after-call.{service_id}.{operation_name}', self.save_file
+        )
 
     def save_file(self, parsed, **kwargs):
         if self._response_key not in parsed:
@@ -100,7 +106,11 @@ def save_file(self, parsed, **kwargs):
             return
         body = parsed[self._response_key]
         buffer_size = self._buffer_size
-        with open(self._output_file, 'wb') as fp:
+        fd = os.open(
+            self._output_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600
+        )
+        os.chmod(self._output_file, 0o600)
+        with os.fdopen(fd, 'wb') as fp:
             data = body.read(buffer_size)
             while data:
                 fp.write(data)

doc/source/conf.py

@@ -52,7 +52,7 @@
 # The short X.Y version.
 version = '1.44.'
 # The full version, including alpha/beta/rc tags.
-release = '1.44.76'
+release = '1.44.77'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

setup.cfg

@@ -3,7 +3,7 @@ universal = 0
 
 [metadata]
 requires_dist =
-        botocore==1.42.86
+        botocore==1.42.87
         docutils>=0.18.1,<=0.19
         s3transfer>=0.16.0,<0.17.0
         PyYAML>=3.10,<6.1

setup.py

@@ -24,7 +24,7 @@ def find_version(*file_paths):
 
 
 install_requires = [
-    'botocore==1.42.86',
+    'botocore==1.42.87',
     'docutils>=0.18.1,<=0.19',
     's3transfer>=0.16.0,<0.17.0',
     'PyYAML>=3.10,<6.1',