Merge from aws/aws-sam-cli/develop

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -2,7 +2,7 @@
 name: Bug report
 about: Create an Issue to report a bug
 title: "Bug: TITLE"
-labels: ['type/bug', 'stage/needs-triage']
+labels: ['stage/needs-triage']
 assignees: ''
 
 ---
@@ -32,8 +32,14 @@ If you do find an existing Issue, re-open or add a comment to that Issue instead
 
 ### Additional environment details (Ex: Windows, Mac, Amazon Linux etc)
 
+<!-- Either provide the following info (for AWS SAM CLI v1.68.0 or before) or paste the output of `sam --info` (AWS SAM CLI v1.69.0 or after). -->
+
 1. OS:
 2. `sam --version`:
 3. AWS region:
 
+```
+# Paste the output of `sam --info` here
+```
+
 `Add --debug flag to command you are running`

.github/workflows/build.yml

@@ -25,5 +25,6 @@ jobs:
     - uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python }}
+    - run: test -f "./.github/ISSUE_TEMPLATE/Bug_report.md"  # prevent Bug_report.md from being renamed or deleted
     - run: make init
     - run: make pr

.github/workflows/codeql.yml

@@ -0,0 +1,78 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "develop", master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "develop" ]
+  schedule:
+    - cron: '24 18 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      statuses: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.gitignore

@@ -163,6 +163,11 @@ typings/
 # Output of 'npm pack'
 *.tgz
 
+# Except test file
+!tests/functional/testdata/lib/utils/test.tgz
+!tests/functional/testdata/lib/utils/path_reversal_uxix.tgz
+!tests/functional/testdata/lib/utils/path_reversal_win.tgz
+
 # Yarn Integrity file
 .yarn-integrity
 

appveyor-ubuntu.yml

@@ -170,6 +170,9 @@ build_script:
 
 # Final clean up no matter success or failure
 on_finish:
+  # Upload test reports as artifacts
+  - sh: find "$APPVEYOR_BUILD_FOLDER" -type f -name 'TEST*.json' -print0 | xargs -0 -I '{}' appveyor PushArtifact '{}'
+
   - sh: 'export AWS_ACCESS_KEY_ID=$CI_ACCESS_ROLE_AWS_ACCESS_KEY_ID'
   - sh: 'export AWS_SECRET_ACCESS_KEY=$CI_ACCESS_ROLE_AWS_SECRET_ACCESS_KEY'
   - sh: 'export AWS_SESSION_TOKEN=$CI_ACCESS_ROLE_AWS_SESSION_TOKEN'
@@ -193,7 +196,7 @@ for:
 
       # Set JAVA_HOME to java11
       - sh: "JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
-      - sh: "pytest -vv tests/integration/buildcmd/test_build_cmd.py -k test_building_java11_in_process --json-report --json-report-file=TEST_REPORT-integration-buildcmd-java11"
+      - sh: "pytest -vv tests/integration/buildcmd/test_build_cmd.py -k test_building_java11_in_process --json-report --json-report-file=TEST_REPORT-integration-buildcmd-java11.json"
 
   # Local ZIP  Terraform Build integ testing
   -
@@ -350,6 +353,3 @@ for:
       # Smoke tests run in parallel - it runs on both Linux & Windows
       # Presence of the RUN_SMOKE envvar will run the smoke tests
       - ps: "If ($env:RUN_SMOKE) {pytest -n 4 -vv tests/smoke --json-report --json-report-file=TEST_REPORT-smoke.json}"
-
-artifacts:
-  - path: './TEST_REPORT*.json'

appveyor-windows.yml

@@ -123,6 +123,9 @@ install:
 
 # Final clean up no matter success or failure
 on_finish:
+  # Upload test reports as artifacts
+  - ps: Get-ChildItem .\TEST*.json | % { Push-AppveyorArtifact $_.FullName -FileName $_.Name }
+
   - ps: "
   If (Test-Path env:BY_CANARY){
     $env:AWS_ACCESS_KEY_ID = $env:CI_ACCESS_ROLE_AWS_ACCESS_KEY_ID;
@@ -283,7 +286,4 @@ for:
 # Uncomment for RDP
 # on_finish:
 #   - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
-
-artifacts:
-  - path: './TEST_REPORT*.json'
 

requirements/base.txt

@@ -9,7 +9,7 @@ jmespath~=0.10.0
 ruamel_yaml==0.17.21
 PyYAML>=5.4.1,==5.*
 cookiecutter~=2.1.1
-aws-sam-translator==1.57.0
+aws-sam-translator==1.58.0
 #docker minor version updates can include breaking changes. Auto update micro version only.
 docker~=4.2.0
 dateparser~=1.0

requirements/reproducible-linux.txt

@@ -19,10 +19,10 @@ aws-lambda-builders==1.24.0 \
     --hash=sha256:6e46ce9365edb20259acae4a21f41fa46c701aaa58d2fb681022e4f0998de2d1 \
     --hash=sha256:fd7277e01a3c280c5a2a5ca5eb7888594ecddbc8355d1f519ea48a1f07f9d2d8
     # via aws-sam-cli (setup.py)
-aws-sam-translator==1.57.0 \
-    --hash=sha256:5953b973468f72c11ce6fe3ae4c5bea11fb774bf46c91970e3ab4460c5e1798e \
-    --hash=sha256:8bfdb6dd8cdc9b777e54de1924e60eddc6f068218016e28f629db2bd41af953e \
-    --hash=sha256:b7fd46bf28d94d5d5174883534469358edb4612b64a6eff1db884d267a45a6e3
+aws-sam-translator==1.58.0 \
+    --hash=sha256:627997303bcfb69209bc752f6b5b28b665b07341cec353d3711b05fc30e21ef8 \
+    --hash=sha256:74eff244a4923320e5df2f37617d85505356353e6022ae9812c6f0abcfbad5d3 \
+    --hash=sha256:9aaa3070a205669fdb3821b0c3eccaba1ff7917327c0e7d23dcc16d131d5dc30
     # via
     #   aws-sam-cli (setup.py)
     #   cfn-lint

samcli/__init__.py

@@ -2,4 +2,4 @@
 SAM CLI version
 """
 
-__version__ = "1.70.1"
+__version__ = "1.71.0"

samcli/commands/build/build_context.py

@@ -76,6 +76,7 @@ def __init__(
         print_success_message: bool = True,
         locate_layer_nested: bool = False,
         hook_name: Optional[str] = None,
+        build_in_source: Optional[bool] = None,
     ) -> None:
         """
         Initialize the class
@@ -129,6 +130,8 @@ def __init__(
             Locate layer to its actual, worked with nested stack
         hook_name: Optional[str]
             Name of the hook package
+        build_in_source: Optional[bool]
+            Set to True to build in the source directory.
         """
 
         self._resource_identifier = resource_identifier
@@ -167,6 +170,7 @@ def __init__(
         self._stacks: List[Stack] = []
         self._locate_layer_nested = locate_layer_nested
         self._hook_name = hook_name
+        self._build_in_source = build_in_source
 
     def __enter__(self) -> "BuildContext":
         self.set_up()
@@ -246,6 +250,7 @@ def run(self):
                 container_env_var_file=self._container_env_var_file,
                 build_images=self._build_images,
                 combine_dependencies=not self._create_auto_dependency_layer,
+                build_in_source=self._build_in_source,
             )
         except FunctionNotFound as ex:
             raise UserException(str(ex), wrapped_from=ex.__class__.__name__) from ex

samcli/commands/build/command.py

@@ -204,6 +204,7 @@ def cli(
         build_image,
         exclude,
         hook_name,
+        None,  # TODO: replace with build_in_source once it's added as a click option
     )  # pragma: no cover
 
 
@@ -228,6 +229,7 @@ def do_cli(  # pylint: disable=too-many-locals, too-many-statements
     build_image: Optional[Tuple[str]],
     exclude: Optional[Tuple[str, ...]],
     hook_name: Optional[str],
+    build_in_source: Optional[bool],
 ) -> None:
     """
     Implementation of the ``cli`` method
@@ -272,6 +274,7 @@ def do_cli(  # pylint: disable=too-many-locals, too-many-statements
         excluded_resources=exclude,
         aws_region=click_ctx.region,
         hook_name=hook_name,
+        build_in_source=build_in_source,
     ) as ctx:
         ctx.run()
 

samcli/commands/exceptions.py

@@ -1,6 +1,9 @@
 """
 Class containing error conditions that are exposed to the user.
 """
+import traceback
+from urllib.parse import quote
+from typing import Optional, IO
 
 import click
 
@@ -25,6 +28,46 @@ def __init__(self, message, wrapped_from=None):
         click.ClickException.__init__(self, message)
 
 
+class UnhandledException(click.ClickException):
+    """
+    Exception class to re-wrap any exception that is not a UserException.
+    Typically this means there is a bug in SAM CLI.
+    """
+
+    GH_ISSUE_SEARCH_URL = "https://github.com/aws/aws-sam-cli/issues?q=is%3Aissue+is%3Aopen+{title}"
+    GH_BUG_REPORT_URL = "https://github.com/aws/aws-sam-cli/issues/new?template=Bug_report.md&title={title}"
+    # NOTE (hawflau): actual exitcode is 1 to not break existing behavior. Only report 255 to telemetry
+    exit_code = 1
+
+    def __init__(self, command: str, exception: Exception) -> None:
+        self._command = command
+        self._exception = exception
+        self.__traceback__ = self._exception.__traceback__
+
+        click.ClickException.__init__(self, type(exception).__name__)
+
+    def show(self, file: Optional[IO] = None) -> None:
+        """Overriding show to customize printing stack trace and message"""
+        if file is None:
+            file = click._compat.get_text_stderr()  # pylint: disable=protected-access
+
+        tb = "".join(traceback.format_tb(self.__traceback__))
+        click.echo(f"\nError: {self._exception}", file=file, err=True)
+        click.echo(f"Traceback:\n{tb}", file=file, err=True)
+
+        encoded_title = quote(f"Bug: {self._command} - {type(self._exception).__name__}")
+        lookup_url = self.GH_ISSUE_SEARCH_URL.format(title=encoded_title)
+        create_issue_url = self.GH_BUG_REPORT_URL.format(title=encoded_title)
+        msg = (
+            f'An unexpected error was encountered while executing "{self._command}".\n'
+            "Search for an existing issue:\n"
+            f"{lookup_url}\n"
+            "Or create a bug report:\n"
+            f"{create_issue_url}"
+        )
+        click.secho(msg, file=file, err=True, fg="yellow")
+
+
 class CredentialsError(UserException):
     """
     Exception class when credentials that have been passed are invalid.

samcli/commands/local/lib/local_lambda.py

@@ -210,6 +210,7 @@ def get_invoke_config(self, function: Function) -> FunctionConfig:
             memory=function.memory,
             timeout=function_timeout,
             env_vars=env_vars,
+            runtime_management_config=function.runtime_management_config,
         )
 
     def _make_env_vars(self, function: Function) -> EnvironmentVariables:

samcli/commands/sync/command.py

@@ -210,6 +210,7 @@ def cli(
         use_container,
         config_file,
         config_env,
+        None,  # TODO: replace with build_in_source once it's added as a click option
     )  # pragma: no cover
 
 
@@ -239,6 +240,7 @@ def do_cli(
     use_container: bool,
     config_file: str,
     config_env: str,
+    build_in_source: Optional[bool],
 ) -> None:
     """
     Implementation of the ``cli`` method
@@ -290,6 +292,7 @@ def do_cli(
         stack_name=stack_name,
         print_success_message=False,
         locate_layer_nested=True,
+        build_in_source=build_in_source,
     ) as build_context:
         built_template = os.path.join(build_dir, DEFAULT_TEMPLATE_NAME)
 

samcli/lib/build/app_builder.py

@@ -100,6 +100,7 @@ def __init__(
         container_env_var_file: Optional[str] = None,
         build_images: Optional[Dict] = None,
         combine_dependencies: bool = True,
+        build_in_source: Optional[bool] = None,
     ) -> None:
         """
         Initialize the class
@@ -141,6 +142,8 @@ def __init__(
         combine_dependencies: bool
             An optional bool parameter to inform lambda builders whether we should separate the source code and
             dependencies or not.
+        build_in_source: Optional[bool]
+            Set to True to build in the source directory.
         """
         self._resources_to_build = resources_to_build
         self._build_dir = build_dir
@@ -162,6 +165,7 @@ def __init__(
         self._container_env_var_file = container_env_var_file
         self._build_images = build_images or {}
         self._combine_dependencies = combine_dependencies
+        self._build_in_source = build_in_source
 
     def build(self) -> ApplicationBuildResult:
         """
@@ -857,6 +861,7 @@ def _build_function_in_process(
                 combine_dependencies=combine_dependencies,
                 is_building_layer=is_building_layer,
                 experimental_flags=get_enabled_experimental_flags(),
+                build_in_source=self._build_in_source,
             )
         except LambdaBuilderError as ex:
             raise BuildError(wrapped_from=ex.__class__.__name__, msg=str(ex)) from ex
@@ -911,6 +916,7 @@ def _build_function_on_container(
             env_vars=container_env_vars,
             image=build_image,
             is_building_layer=is_building_layer,
+            build_in_source=self._build_in_source,
         )
 
         try: