Update to version 6.2.6 (#554)

Author: simonkrol

.gitignore

@@ -10,6 +10,7 @@
 
 # dependencies
 **/node_modules
+**/modules
 
 # test assets
 **/coverage

CHANGELOG.md

@@ -5,12 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [6.2.5] - 2024-01-12
+## [6.2.6] - 2024-06-27
+
+### Added
+- StackId tag to CloudFrontLoggingBucket and its bucket name as a CfnOutput [#529](https://github.com/aws-solutions/serverless-image-handler/issues/529)
+- Test case to verify UTF-8 support in object key [#320](https://github.com/aws-solutions/serverless-image-handler/pull/320)
+- Test cases to verify crop functionality [#459](https://github.com/aws-solutions/serverless-image-handler/pull/459)
+- VERSION.txt and build script change to auto-update local package versions
+- S3:bucket-name tag for defining which source bucket to use in thumbor style requests [#521](https://github.com/aws-solutions/serverless-image-handler/pull/521)
+- Ability to override whether an image should be animated [#456](https://github.com/aws-solutions/serverless-image-handler/issues/456)
+- Support for 8-bit depth AVIF image type inference [#360](https://github.com/aws-solutions/serverless-image-handler/issues/360)
+
+### Changed
+- Decreased permissions allotted to CustomResource Lambda and ImageHandler Lambda
+- cdk update to 2.124.0
+- aws-solutions-constructs update to 2.51.0
+- SourceBucketsParameter to require explicit bucket names
+- Demo-ui dependency update
+- Demo-ui to be a package and manage script/stylesheet dependencies through NPM
+- Modified JPEG SOI marker parsing to only check first 2 bytes [#429]
+
+### Security
+- Upgraded follow-redirects to v1.15.6 for vulnerability CVE-2024-28849
+- Upgraded braces to v3.0.3 for vulnerability CVE-2024-4068
+
+### Removed
+- Unused CopyS3Assets custom resource
+
+### Fixed
+- Some error messages indicating incorrect file types
+- Solution version and id not being passed to Backend Lambda
+- Thumbor-style URL matching being overly permissive
+
+
+## [6.2.5] - 2024-01-03
 
 ### Fixed
 
 - Ensure accurate image metadata when generating Amazon Rekognition compatible images [#374](https://github.com/aws-solutions/serverless-image-handler/issues/374)
-- Upgraded axios to v1.6.5 for vulnerability CVE-2023-26159
 - Exclude demo-ui-config from being deleted upon BucketDeployment update sync when updating to a new version
 
 ### Changed
@@ -20,6 +52,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - typescript update to 5.3.3
 - GIF files without multiple pages are now treated as non-animated, allowing all filters to be used on them [#460](https://github.com/aws-solutions/serverless-image-handler/issues/460)
 
+### Security
+
+- Upgraded axios to v1.6.5 for vulnerability CVE-2023-26159
+
 ## [6.2.4] - 2023-12-06
 
 ### Changed

README.md

@@ -105,6 +105,8 @@ This solution collects anonymous operational metrics to help AWS improve the qua
 - [@Fjool](https://github.com/Fjool) for [#489](https://github.com/aws-solutions/serverless-image-handler/pull/489)
 - [@fvsnippets](https://github.com/fvsnippets) for [#373](https://github.com/aws-solutions/serverless-image-handler/pull/373), [#380](https://github.com/aws-solutions/serverless-image-handler/pull/380)
 - [@ccchapman](https://github.com/ccchapman) for [#490](https://github.com/aws-solutions/serverless-image-handler/pull/490)
+- [@bennet-esyoil][https://github.com/bennet-esyoil] for [#521](https://github.com/aws-solutions/serverless-image-handler/pull/521)
+- [@vaniyokk][https://github.com/vaniyokk] for [#511](https://github.com/aws-solutions/serverless-image-handler/pull/511)
 
 # License
 

VERSION.txt

@@ -0,0 +1 @@
+6.2.6

deployment/build-s3-dist.sh

@@ -32,6 +32,9 @@ mkdir -p "$template_dist_dir"
 rm -rf "$build_dist_dir"
 mkdir -p "$build_dist_dir"
 
+headline "[Init] Ensure package versions are updated"
+npm --prefix "$source_dir" run bump-version
+
 headline "[Build] Synthesize cdk template and assets"
 cd "$cdk_source_dir"
 npm run clean:install

deployment/cdk-solution-helper/package-lock.json

@@ -22,7 +22,7 @@
   },
   "dependencies": {
     "adm-zip": "^0.5.10",
-    "aws-cdk-lib": "^2.118.0"
+    "aws-cdk-lib": "^2.124.0"
   },
   "overrides": {
     "semver": "7.5.4"

deployment/cdk-solution-helper/package.json

@@ -20,12 +20,13 @@ if (DIST_OUTPUT_BUCKET && SOLUTION_NAME && VERSION)
 
 const app = new App();
 const solutionDisplayName = "Serverless Image Handler";
-const description = `(${app.node.tryGetContext("solutionId")}) - ${solutionDisplayName}. Version ${VERSION ?? app.node.tryGetContext("solutionVersion")}`;
+const solutionVersion = VERSION ?? app.node.tryGetContext("solutionVersion");
+const description = `(${app.node.tryGetContext("solutionId")}) - ${solutionDisplayName}. Version ${solutionVersion}`;
 // eslint-disable-next-line no-new
 new ServerlessImageHandlerStack(app, "ServerlessImageHandlerStack", {
-  synthesizer: synthesizer,
-  description: description,
+  synthesizer,
+  description,
   solutionId: app.node.tryGetContext("solutionId"),
-  solutionVersion: app.node.tryGetContext("solutionVersion"),
+  solutionVersion,
   solutionName: app.node.tryGetContext("solutionName"),
 });

source/constructs/bin/constructs.ts

@@ -2,7 +2,7 @@
   "app": "npx ts-node --prefer-ts-exts bin/constructs.ts",
   "context": {
     "solutionId": "SO0023",
-    "solutionVersion": "custom-v6.2.5",
+    "solutionVersion": "custom-v6.2.6",
     "solutionName": "serverless-image-handler"
   }
 }

source/constructs/cdk.json

@@ -31,11 +31,13 @@ import * as api from "aws-cdk-lib/aws-apigateway";
 
 export interface BackEndProps extends SolutionConstructProps {
   readonly solutionVersion: string;
+  readonly solutionId: string;
   readonly solutionName: string;
   readonly secretsManagerPolicy: Policy;
   readonly logsBucket: IBucket;
   readonly uuid: string;
   readonly cloudFrontPriceClass: string;
+  readonly createSourceBucketsResource: (key?: string) => string[];
 }
 
 export class BackEnd extends Construct {
@@ -64,15 +66,16 @@ export class BackEnd extends Construct {
           ],
         }),
         new PolicyStatement({
-          actions: ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
-          resources: [
-            Stack.of(this).formatArn({
-              service: "s3",
-              resource: "*",
-              region: "",
-              account: "",
-            }),
-          ],
+          actions: ["s3:GetObject"],
+          resources: props.createSourceBucketsResource("/*"),
+        }),
+        new PolicyStatement({
+          actions: ["s3:ListBucket"],
+          resources: props.createSourceBucketsResource(),
+        }),
+        new PolicyStatement({
+          actions: ["s3:GetObject"],
+          resources: [`arn:aws:s3:::${props.fallbackImageS3Bucket}/${props.fallbackImageS3KeyBucket}`],
         }),
         new PolicyStatement({
           actions: ["rekognition:DetectFaces", "rekognition:DetectModerationLabels"],
@@ -106,6 +109,8 @@ export class BackEnd extends Construct {
         ENABLE_DEFAULT_FALLBACK_IMAGE: props.enableDefaultFallbackImage,
         DEFAULT_FALLBACK_IMAGE_BUCKET: props.fallbackImageS3Bucket,
         DEFAULT_FALLBACK_IMAGE_KEY: props.fallbackImageS3KeyBucket,
+        SOLUTION_VERSION: props.solutionVersion,
+        SOLUTION_ID: props.solutionId,
       },
       bundling: {
         externalModules: ["sharp"],

source/constructs/lib/back-end/back-end-construct.ts

@@ -7,9 +7,9 @@ import { Function as LambdaFunction, Runtime } from "aws-cdk-lib/aws-lambda";
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import { Bucket, IBucket } from "aws-cdk-lib/aws-s3";
 import { BucketDeployment, Source as S3Source } from "aws-cdk-lib/aws-s3-deployment";
-import { ArnFormat, Aspects, Aws, CfnCondition, CfnResource, CustomResource, Duration, Lazy, Stack } from "aws-cdk-lib";
+import { ArnFormat, Aspects, Aws, CfnCondition, CfnResource, CustomResource, Duration, Fn, Lazy, Stack } from "aws-cdk-lib";
 import { Construct } from "constructs";
-import { addCfnSuppressRules } from "../../../utils/utils";
+import { addCfnCondition, addCfnSuppressRules } from "../../../utils/utils";
 
 import { SolutionConstructProps } from "../../types";
 import { CommonResourcesProps, Conditions } from "../common-resources-construct";
@@ -45,7 +45,6 @@ export interface SetupValidateSecretsManagerProps {
 }
 
 export class CustomResourcesConstruct extends Construct {
-  private readonly solutionVersion: string;
   private readonly conditions: Conditions;
   private readonly customResourceRole: Role;
   private readonly customResourceLambda: LambdaFunction;
@@ -54,7 +53,6 @@ export class CustomResourcesConstruct extends Construct {
   constructor(scope: Construct, id: string, props: CustomResourcesConstructProps) {
     super(scope, id);
 
-    this.solutionVersion = props.solutionVersion;
     this.conditions = props.conditions;
 
     this.customResourceRole = new Role(this, "CustomResourceRole", {
@@ -75,16 +73,26 @@ export class CustomResourcesConstruct extends Construct {
                 }),
               ],
             }),
+            new PolicyStatement({
+              actions: ['s3:ListBucket'],
+              resources: this.createSourceBucketsResource()
+            }),
+            new PolicyStatement({
+              actions: [
+                "s3:GetObject",
+              ],
+              resources: [
+                `arn:aws:s3:::${props.fallbackImageS3Bucket}/${props.fallbackImageS3KeyBucket}`,
+              ],
+            }),
             new PolicyStatement({
               actions: [
                 "s3:putBucketAcl",
                 "s3:putEncryptionConfiguration",
                 "s3:putBucketPolicy",
                 "s3:CreateBucket",
-                "s3:GetObject",
-                "s3:PutObject",
-                "s3:ListBucket",
                 "s3:PutBucketOwnershipControls",
+                "s3:PutBucketTagging"
               ],
               resources: [
                 Stack.of(this).formatArn({
@@ -142,6 +150,21 @@ export class CustomResourcesConstruct extends Construct {
     this.uuid = customResourceUuid.getAttString("UUID");
   }
 
+  public setupWebsiteHostingBucketPolicy(websiteHostingBucket: IBucket) {
+    const websiteHostingBucketPolicy = new Policy(this, "WebsiteHostingBucketPolicy", {
+      document: new PolicyDocument({
+        statements: [
+          new PolicyStatement({
+            actions: ["s3:GetObject", "s3:PutObject",],
+            resources: [websiteHostingBucket.bucketArn + "/*"],
+          }),
+        ],
+      }),
+      roles: [this.customResourceRole],
+    })
+    addCfnCondition(websiteHostingBucketPolicy, this.conditions.deployUICondition);
+  };
+
   public setupAnonymousMetric(props: AnonymousMetricCustomResourceProps) {
     this.createCustomResource("CustomResourceAnonymousMetric", this.customResourceLambda, {
       CustomAction: "sendMetric",
@@ -181,7 +204,9 @@ export class CustomResourcesConstruct extends Construct {
     // Stage static assets for the front-end from the local
     /* eslint-disable no-new */
     const bucketDeployment = new BucketDeployment(this, "DeployWebsite", {
-      sources: [S3Source.asset(path.join(__dirname, "../../../../demo-ui"))],
+      sources: [
+        S3Source.asset(path.join(__dirname, "../../../../demo-ui"), { exclude: ["node_modules/*"] }),
+      ],
       destinationBucket: props.hostingBucket,
       exclude: ["demo-ui-config.js"],
     });
@@ -235,6 +260,22 @@ export class CustomResourcesConstruct extends Construct {
     return optInRegionAccessLogBucket;
   }
 
+  public createSourceBucketsResource(resourceName: string = "") {
+    return Fn.split(
+      ',',
+      Fn.sub(
+        `arn:aws:s3:::\${rest}${resourceName}`,
+
+        {
+          rest: Fn.join(
+            `${resourceName},arn:aws:s3:::`,
+            Fn.split(",", Fn.join("", Fn.split(" ", Fn.ref('SourceBucketsParameter'))))
+          ),
+        },
+      ),
+    )
+  }
+
   private createCustomResource(
     id: string,
     customResourceFunction: LambdaFunction,