Support AWS-SDK since 3.286.2 breaking changes #49664

Closed
danielsimkus wants to merge 2 commits

@danielsimkus commented Jan 12, 2024

Why

Version 3.286.2 of aws-sdk-php changes the way QueueUrl is handled after switching the SQS client to the JSON protocol.
https://github.com/aws/aws-sdk-php/releases/tag/3.286.2

This works fine if you're actually using an SQS queue name only, but if you're using a different full URL for local (i.e. elasticmq), it forcibly attempts to hit the default AWS SQS URL instead.

Also the versions 3 -> 3.288.1 are affected by the following security warning:

+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| CVE               | CVE-2023-51651                                                                   |
| Title             | Potential URI resolution path traversal in the AWS SDK for PHP                   |
| URL               | https://nvd.nist.gov/vuln/detail/CVE-2023-51651                                  |
| Affected versions | >=3.0.0,<3.288.1                                                                 |
| Reported at       | 2023-11-22T00:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Therefore I've updated the composer.json to require the latest safe release from aws-sdk-php.

Thoughts before submitting for review

The way I've done it will more than likely break it for people that aren't using the full URL.
Ideally we would:

  • Manually build it to the full AWS SQS URL if it isn't already a URL.
  • Or, maybe more preferably, we only use Endpoint if it's actually a full URL (prefix + queue + suffix).

Thanks for submitting a PR!

In order to review and merge PRs most efficiently, we require that all PRs grant maintainer edit access before we review them. For information on how to do this, see the relevant GitHub documentation. Additionally, GitHub doesn't allow maintainer permissions from organization accounts. Please resubmit this PR from a personal GitHub account with maintainer permissions enabled.

@github-actions github-actions bot closed this Jan 12, 2024