-
-
Notifications
You must be signed in to change notification settings - Fork 616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
filter data is safe for tarfile extractall #1111
filter data is safe for tarfile extractall #1111
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks mostly good. We should also consider adding TarFile.extract() as it is also vulnerable. But that doesn't need to be part of this PR.
bc86707
to
349a344
Compare
Hello, thanks for your review! To test locally I used bandit tests/functional/test_functional.py |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also add to the docstring:
.. versionchanged:: 1.7.8
Added check for filter parameter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [APIFlask](https://apiflask.com) ([source](https://togithub.com/apiflask/apiflask), [changelog](https://apiflask.com/changelog)) | `2.1.0` -> `2.1.1` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/APIFlask/2.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/APIFlask/2.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/APIFlask/2.1.0/2.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/APIFlask/2.1.0/2.1.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [SQLAlchemy](https://www.sqlalchemy.org) ([changelog](https://docs.sqlalchemy.org/en/latest/changelog/)) | `2.0.27` -> `2.0.28` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/SQLAlchemy/2.0.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/SQLAlchemy/2.0.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/SQLAlchemy/2.0.27/2.0.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/SQLAlchemy/2.0.27/2.0.28?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [bandit](https://bandit.readthedocs.io/) ([source](https://togithub.com/PyCQA/bandit), [changelog](https://togithub.com/PyCQA/bandit/releases)) | `1.7.7` -> `1.7.8` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/bandit/1.7.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/bandit/1.7.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/bandit/1.7.7/1.7.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/bandit/1.7.7/1.7.8?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [boto3](https://togithub.com/boto/boto3) | `1.34.50` -> `1.34.60` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/boto3/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/boto3/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/boto3/1.34.50/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/boto3/1.34.50/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [botocore](https://togithub.com/boto/botocore) | `1.34.50` -> `1.34.60` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/botocore/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/botocore/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/botocore/1.34.50/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/botocore/1.34.50/1.34.60?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [marshmallow](https://togithub.com/marshmallow-code/marshmallow) ([changelog](https://marshmallow.readthedocs.io/en/latest/changelog.html)) | `3.21.0` -> `3.21.1` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/marshmallow/3.21.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/marshmallow/3.21.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/marshmallow/3.21.0/3.21.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/marshmallow/3.21.0/3.21.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [mypy](https://www.mypy-lang.org/) ([source](https://togithub.com/python/mypy), [changelog](https://mypy-lang.blogspot.com/)) | `1.8.0` -> `1.9.0` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/mypy/1.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/mypy/1.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/mypy/1.8.0/1.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/mypy/1.8.0/1.9.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [pydantic](https://togithub.com/pydantic/pydantic) ([changelog](https://docs.pydantic.dev/latest/changelog/)) | `2.6.2` -> `2.6.4` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/pydantic/2.6.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/pydantic/2.6.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/pydantic/2.6.2/2.6.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pydantic/2.6.2/2.6.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>apiflask/apiflask (APIFlask)</summary> ### [`v2.1.1`](https://togithub.com/apiflask/apiflask/blob/HEAD/CHANGES.md#Version-211) [Compare Source](https://togithub.com/apiflask/apiflask/compare/2.1.0...2.1.1) Released: 2024/3/10 - Reuse the `File`, `Config` field, and file-related validators from flask-marshmallow ([issue #​540][issue_540]). - Add support for a `--quiet` option to the `flask spec` command ([issue #​548][issue_548]). - Fix the `flask spec` command for validators operating on complex data types ([issue #​547][issue_547]). [issue_540]: https://togithub.com/apiflask/apiflask/issues/540 [issue_548]: https://togithub.com/apiflask/apiflask/issues/548 [issue_547]: https://togithub.com/apiflask/apiflask/issues/547 </details> <details> <summary>PyCQA/bandit (bandit)</summary> ### [`v1.7.8`](https://togithub.com/PyCQA/bandit/releases/tag/1.7.8) [Compare Source](https://togithub.com/PyCQA/bandit/compare/1.7.7...1.7.8) #### What's Changed - Incorrect tag naming in readme by [@​lukehinds](https://togithub.com/lukehinds) in [https://github.com/PyCQA/bandit/pull/1105](https://togithub.com/PyCQA/bandit/pull/1105) - Utilize PyPI's trusted publishing by [@​ericwb](https://togithub.com/ericwb) in [https://github.com/PyCQA/bandit/pull/1107](https://togithub.com/PyCQA/bandit/pull/1107) - Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/PyCQA/bandit/pull/1109](https://togithub.com/PyCQA/bandit/pull/1109) - Add 1.7.7 to versions of bug template by [@​ericwb](https://togithub.com/ericwb) in [https://github.com/PyCQA/bandit/pull/1110](https://togithub.com/PyCQA/bandit/pull/1110) - Use datetime to avoid updating copyright year by [@​ericwb](https://togithub.com/ericwb) in [https://github.com/PyCQA/bandit/pull/1112](https://togithub.com/PyCQA/bandit/pull/1112) - filter data is safe for tarfile extractall by [@​etienneschalk](https://togithub.com/etienneschalk) in [https://github.com/PyCQA/bandit/pull/1111](https://togithub.com/PyCQA/bandit/pull/1111) - Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/PyCQA/bandit/pull/1115](https://togithub.com/PyCQA/bandit/pull/1115) - \[B605] Add functions that are vulnerable to shell injection. by [@​shihai1991](https://togithub.com/shihai1991) in [https://github.com/PyCQA/bandit/pull/1116](https://togithub.com/PyCQA/bandit/pull/1116) - Add a SARIF output formatter by [@​ericwb](https://togithub.com/ericwb) in [https://github.com/PyCQA/bandit/pull/1113](https://togithub.com/PyCQA/bandit/pull/1113) #### New Contributors - [@​etienneschalk](https://togithub.com/etienneschalk) made their first contribution in [https://github.com/PyCQA/bandit/pull/1111](https://togithub.com/PyCQA/bandit/pull/1111) - [@​shihai1991](https://togithub.com/shihai1991) made their first contribution in [https://github.com/PyCQA/bandit/pull/1116](https://togithub.com/PyCQA/bandit/pull/1116) **Full Changelog**: PyCQA/bandit@1.7.7...1.7.8 </details> <details> <summary>boto/boto3 (boto3)</summary> ### [`v1.34.60`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13460) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.59...1.34.60) \======= - api-change:`codestar-connections`: \[`botocore`] Added a sync configuration enum to disable publishing of deployment status to source providers (PublishDeploymentStatus). Added a sync configuration enum (TriggerStackUpdateOn) to only trigger changes. - api-change:`elasticache`: \[`botocore`] Revisions to API text that are now to be carried over to SDK text, changing usages of "SFO" in code examples to "us-west-1", and some other typos. - api-change:`mediapackagev2`: \[`botocore`] This release enables customers to safely update their MediaPackage v2 channel groups, channels and origin endpoints using entity tags. ### [`v1.34.59`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13459) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.58...1.34.59) \======= - api-change:`batch`: \[`botocore`] This release adds JobStateTimeLimitActions setting to the Job Queue API. It allows you to configure an action Batch can take for a blocking job in front of the queue after the defined period of time. The new parameter applies for ECS, EKS, and FARGATE Job Queues. - api-change:`bedrock-agent-runtime`: \[`botocore`] Documentation update for Bedrock Runtime Agent - api-change:`cloudtrail`: \[`botocore`] Added exceptions to CreateTrail, DescribeTrails, and ListImportFailures APIs. - api-change:`codebuild`: \[`botocore`] This release adds support for a new webhook event: PULL_REQUEST_CLOSED. - api-change:`cognito-idp`: \[`botocore`] Add ConcurrentModificationException to SetUserPoolMfaConfig - api-change:`guardduty`: \[`botocore`] Add RDS Provisioned and Serverless Usage types - api-change:`transfer`: \[`botocore`] Added DES_EDE3\_CBC to the list of supported encryption algorithms for messages sent with an AS2 connector. ### [`v1.34.58`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13458) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.57...1.34.58) \======= - api-change:`appconfig`: \[`botocore`] AWS AppConfig now supports dynamic parameters, which enhance the functionality of AppConfig Extensions by allowing you to provide parameter values to your Extensions at the time you deploy your configuration. - api-change:`ec2`: \[`botocore`] This release adds an optional parameter to RegisterImage and CopyImage APIs to support tagging AMIs at the time of creation. - api-change:`grafana`: \[`botocore`] Adds support for the new GrafanaToken as part of the Amazon Managed Grafana Enterprise plugins upgrade to associate your AWS account with a Grafana Labs account. - api-change:`lambda`: \[`botocore`] Documentation updates for AWS Lambda - api-change:`payment-cryptography-data`: \[`botocore`] AWS Payment Cryptography EMV Decrypt Feature Release - api-change:`rds`: \[`botocore`] Updates Amazon RDS documentation for io2 storage for Multi-AZ DB clusters - api-change:`snowball`: \[`botocore`] Doc-only update for change to EKS-Anywhere ordering. - api-change:`wafv2`: \[`botocore`] You can increase the max request body inspection size for some regional resources. The size setting is in the web ACL association config. Also, the AWSManagedRulesBotControlRuleSet EnableMachineLearning setting now takes a Boolean instead of a primitive boolean type, for languages like Java. - api-change:`workspaces`: \[`botocore`] Added note for user decoupling ### [`v1.34.57`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13457) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.56...1.34.57) \======= - api-change:`dynamodb`: \[`botocore`] Doc only updates for DynamoDB documentation - api-change:`imagebuilder`: \[`botocore`] Add PENDING status to Lifecycle Execution resource status. Add StartTime and EndTime to ListLifecycleExecutionResource API response. - api-change:`mwaa`: \[`botocore`] Amazon MWAA adds support for Apache Airflow v2.8.1. - api-change:`rds`: \[`botocore`] Updated the input of CreateDBCluster and ModifyDBCluster to support setting CA certificates. Updated the output of DescribeDBCluster to show current CA certificate setting value. - api-change:`redshift`: \[`botocore`] Update for documentation only. Covers port ranges, definition updates for data sharing, and definition updates to cluster-snapshot documentation. - api-change:`verifiedpermissions`: \[`botocore`] Deprecating details in favor of configuration for GetIdentitySource and ListIdentitySources APIs. ### [`v1.34.56`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13456) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.55...1.34.56) \======= - api-change:`apigateway`: \[`botocore`] Documentation updates for Amazon API Gateway - api-change:`chatbot`: \[`botocore`] Minor update to documentation. - api-change:`organizations`: \[`botocore`] This release contains an endpoint addition - api-change:`sesv2`: \[`botocore`] Adds support for providing custom headers within SendEmail and SendBulkEmail for SESv2. ### [`v1.34.55`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13455) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.54...1.34.55) \======= - api-change:`cloudformation`: \[`botocore`] Add DetailedStatus field to DescribeStackEvents and DescribeStacks APIs - api-change:`fsx`: \[`botocore`] Added support for creating FSx for NetApp ONTAP file systems with up to 12 HA pairs, delivering up to 72 GB/s of read throughput and 12 GB/s of write throughput. - api-change:`organizations`: \[`botocore`] Documentation update for AWS Organizations ### [`v1.34.54`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13454) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.53...1.34.54) \======= - api-change:`accessanalyzer`: \[`botocore`] Fixed a typo in description field. - api-change:`autoscaling`: \[`botocore`] With this release, Amazon EC2 Auto Scaling groups, EC2 Fleet, and Spot Fleet improve the default price protection behavior of attribute-based instance type selection of Spot Instances, to consistently select from a wide range of instance types. - api-change:`ec2`: \[`botocore`] With this release, Amazon EC2 Auto Scaling groups, EC2 Fleet, and Spot Fleet improve the default price protection behavior of attribute-based instance type selection of Spot Instances, to consistently select from a wide range of instance types. ### [`v1.34.53`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13453) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.52...1.34.53) \======= - api-change:`docdb-elastic`: \[`botocore`] Launched Elastic Clusters Readable Secondaries, Start/Stop, Configurable Shard Instance count, Automatic Backups and Snapshot Copying - api-change:`eks`: \[`botocore`] Added support for new AL2023 AMIs to the supported AMITypes. - api-change:`lexv2-models`: \[`botocore`] This release makes AMAZON.QnAIntent generally available in Amazon Lex. This generative AI feature leverages large language models available through Amazon Bedrock to automate frequently asked questions (FAQ) experience for end-users. - api-change:`migrationhuborchestrator`: \[`botocore`] Adds new CreateTemplate, UpdateTemplate and DeleteTemplate APIs. - api-change:`quicksight`: \[`botocore`] TooltipTarget for Combo chart visuals; ColumnConfiguration limit increase to 2000; Documentation Update - api-change:`sagemaker`: \[`botocore`] Adds support for ModelDataSource in Model Packages to support unzipped models. Adds support to specify SourceUri for models which allows registration of models without mandating a container for hosting. Using SourceUri, customers can decouple the model from hosting information during registration. - api-change:`securitylake`: \[`botocore`] Add capability to update the Data Lake's MetaStoreManager Role in order to perform required data lake updates to use Iceberg table format in their data lake or update the role for any other reason. ### [`v1.34.52`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13452) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.51...1.34.52) \======= - api-change:`batch`: \[`botocore`] This release adds Batch support for configuration of multicontainer jobs in ECS, Fargate, and EKS. This support is available for all types of jobs, including both array jobs and multi-node parallel jobs. - api-change:`bedrock-agent-runtime`: \[`botocore`] This release adds support to override search strategy performed by the Retrieve and RetrieveAndGenerate APIs for Amazon Bedrock Agents - api-change:`ce`: \[`botocore`] This release introduces the new API 'GetApproximateUsageRecords', which retrieves estimated usage records for hourly granularity or resource-level data at daily granularity. - api-change:`ec2`: \[`botocore`] This release increases the range of MaxResults for GetNetworkInsightsAccessScopeAnalysisFindings to 1,000. - api-change:`iot`: \[`botocore`] This release reduces the maximum results returned per query invocation from 500 to 100 for the SearchIndex API. This change has no implications as long as the API is invoked until the nextToken is NULL. - api-change:`wafv2`: \[`botocore`] AWS WAF now supports configurable time windows for request aggregation with rate-based rules. Customers can now select time windows of 1 minute, 2 minutes or 10 minutes, in addition to the previously supported 5 minutes. ### [`v1.34.51`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13451) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.50...1.34.51) \======= - api-change:`amplifyuibuilder`: \[`botocore`] We have added the ability to tag resources after they are created </details> <details> <summary>boto/botocore (botocore)</summary> ### [`v1.34.60`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13460) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.59...1.34.60) \======= - api-change:`codestar-connections`: Added a sync configuration enum to disable publishing of deployment status to source providers (PublishDeploymentStatus). Added a sync configuration enum (TriggerStackUpdateOn) to only trigger changes. - api-change:`elasticache`: Revisions to API text that are now to be carried over to SDK text, changing usages of "SFO" in code examples to "us-west-1", and some other typos. - api-change:`mediapackagev2`: This release enables customers to safely update their MediaPackage v2 channel groups, channels and origin endpoints using entity tags. ### [`v1.34.59`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13459) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.58...1.34.59) \======= - api-change:`batch`: This release adds JobStateTimeLimitActions setting to the Job Queue API. It allows you to configure an action Batch can take for a blocking job in front of the queue after the defined period of time. The new parameter applies for ECS, EKS, and FARGATE Job Queues. - api-change:`bedrock-agent-runtime`: Documentation update for Bedrock Runtime Agent - api-change:`cloudtrail`: Added exceptions to CreateTrail, DescribeTrails, and ListImportFailures APIs. - api-change:`codebuild`: This release adds support for a new webhook event: PULL_REQUEST_CLOSED. - api-change:`cognito-idp`: Add ConcurrentModificationException to SetUserPoolMfaConfig - api-change:`guardduty`: Add RDS Provisioned and Serverless Usage types - api-change:`transfer`: Added DES_EDE3\_CBC to the list of supported encryption algorithms for messages sent with an AS2 connector. ### [`v1.34.58`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13458) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.57...1.34.58) \======= - api-change:`appconfig`: AWS AppConfig now supports dynamic parameters, which enhance the functionality of AppConfig Extensions by allowing you to provide parameter values to your Extensions at the time you deploy your configuration. - api-change:`ec2`: This release adds an optional parameter to RegisterImage and CopyImage APIs to support tagging AMIs at the time of creation. - api-change:`grafana`: Adds support for the new GrafanaToken as part of the Amazon Managed Grafana Enterprise plugins upgrade to associate your AWS account with a Grafana Labs account. - api-change:`lambda`: Documentation updates for AWS Lambda - api-change:`payment-cryptography-data`: AWS Payment Cryptography EMV Decrypt Feature Release - api-change:`rds`: Updates Amazon RDS documentation for io2 storage for Multi-AZ DB clusters - api-change:`snowball`: Doc-only update for change to EKS-Anywhere ordering. - api-change:`wafv2`: You can increase the max request body inspection size for some regional resources. The size setting is in the web ACL association config. Also, the AWSManagedRulesBotControlRuleSet EnableMachineLearning setting now takes a Boolean instead of a primitive boolean type, for languages like Java. - api-change:`workspaces`: Added note for user decoupling ### [`v1.34.57`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13457) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.56...1.34.57) \======= - api-change:`dynamodb`: Doc only updates for DynamoDB documentation - api-change:`imagebuilder`: Add PENDING status to Lifecycle Execution resource status. Add StartTime and EndTime to ListLifecycleExecutionResource API response. - api-change:`mwaa`: Amazon MWAA adds support for Apache Airflow v2.8.1. - api-change:`rds`: Updated the input of CreateDBCluster and ModifyDBCluster to support setting CA certificates. Updated the output of DescribeDBCluster to show current CA certificate setting value. - api-change:`redshift`: Update for documentation only. Covers port ranges, definition updates for data sharing, and definition updates to cluster-snapshot documentation. - api-change:`verifiedpermissions`: Deprecating details in favor of configuration for GetIdentitySource and ListIdentitySources APIs. ### [`v1.34.56`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13456) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.55...1.34.56) \======= - api-change:`apigateway`: Documentation updates for Amazon API Gateway - api-change:`chatbot`: Minor update to documentation. - api-change:`organizations`: This release contains an endpoint addition - api-change:`sesv2`: Adds support for providing custom headers within SendEmail and SendBulkEmail for SESv2. ### [`v1.34.55`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13455) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.54...1.34.55) \======= - api-change:`cloudformation`: Add DetailedStatus field to DescribeStackEvents and DescribeStacks APIs - api-change:`fsx`: Added support for creating FSx for NetApp ONTAP file systems with up to 12 HA pairs, delivering up to 72 GB/s of read throughput and 12 GB/s of write throughput. - api-change:`organizations`: Documentation update for AWS Organizations ### [`v1.34.54`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13454) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.53...1.34.54) \======= - api-change:`accessanalyzer`: Fixed a typo in description field. - api-change:`autoscaling`: With this release, Amazon EC2 Auto Scaling groups, EC2 Fleet, and Spot Fleet improve the default price protection behavior of attribute-based instance type selection of Spot Instances, to consistently select from a wide range of instance types. - api-change:`ec2`: With this release, Amazon EC2 Auto Scaling groups, EC2 Fleet, and Spot Fleet improve the default price protection behavior of attribute-based instance type selection of Spot Instances, to consistently select from a wide range of instance types. ### [`v1.34.53`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13453) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.52...1.34.53) \======= - api-change:`docdb-elastic`: Launched Elastic Clusters Readable Secondaries, Start/Stop, Configurable Shard Instance count, Automatic Backups and Snapshot Copying - api-change:`eks`: Added support for new AL2023 AMIs to the supported AMITypes. - api-change:`lexv2-models`: This release makes AMAZON.QnAIntent generally available in Amazon Lex. This generative AI feature leverages large language models available through Amazon Bedrock to automate frequently asked questions (FAQ) experience for end-users. - api-change:`migrationhuborchestrator`: Adds new CreateTemplate, UpdateTemplate and DeleteTemplate APIs. - api-change:`quicksight`: TooltipTarget for Combo chart visuals; ColumnConfiguration limit increase to 2000; Documentation Update - api-change:`sagemaker`: Adds support for ModelDataSource in Model Packages to support unzipped models. Adds support to specify SourceUri for models which allows registration of models without mandating a container for hosting. Using SourceUri, customers can decouple the model from hosting information during registration. - api-change:`securitylake`: Add capability to update the Data Lake's MetaStoreManager Role in order to perform required data lake updates to use Iceberg table format in their data lake or update the role for any other reason. ### [`v1.34.52`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13452) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.51...1.34.52) \======= - api-change:`batch`: This release adds Batch support for configuration of multicontainer jobs in ECS, Fargate, and EKS. This support is available for all types of jobs, including both array jobs and multi-node parallel jobs. - api-change:`bedrock-agent-runtime`: This release adds support to override search strategy performed by the Retrieve and RetrieveAndGenerate APIs for Amazon Bedrock Agents - api-change:`ce`: This release introduces the new API 'GetApproximateUsageRecords', which retrieves estimated usage records for hourly granularity or resource-level data at daily granularity. - api-change:`ec2`: This release increases the range of MaxResults for GetNetworkInsightsAccessScopeAnalysisFindings to 1,000. - api-change:`iot`: This release reduces the maximum results returned per query invocation from 500 to 100 for the SearchIndex API. This change has no implications as long as the API is invoked until the nextToken is NULL. - api-change:`wafv2`: AWS WAF now supports configurable time windows for request aggregation with rate-based rules. Customers can now select time windows of 1 minute, 2 minutes or 10 minutes, in addition to the previously supported 5 minutes. ### [`v1.34.51`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13451) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.50...1.34.51) \======= - api-change:`amplifyuibuilder`: We have added the ability to tag resources after they are created </details> <details> <summary>marshmallow-code/marshmallow (marshmallow)</summary> ### [`v3.21.1`](https://togithub.com/marshmallow-code/marshmallow/compare/3.21.0...3.21.1) [Compare Source](https://togithub.com/marshmallow-code/marshmallow/compare/3.21.0...3.21.1) </details> <details> <summary>python/mypy (mypy)</summary> ### [`v1.9.0`](https://togithub.com/python/mypy/compare/v1.8.0...1.9.0) [Compare Source](https://togithub.com/python/mypy/compare/v1.8.0...1.9.0) </details> <details> <summary>pydantic/pydantic (pydantic)</summary> ### [`v2.6.4`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v264-2024-03-12) [Compare Source](https://togithub.com/pydantic/pydantic/compare/v2.6.3...v2.6.4) [GitHub release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.4) ##### What's Changed ##### Fixes - Fix usage of `AliasGenerator` with `computed_field` decorator by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8806](https://togithub.com/pydantic/pydantic/pull/8806) - Fix nested discriminated union schema gen, pt 2 by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8932](https://togithub.com/pydantic/pydantic/pull/8932) - Fix bug with no_strict_optional=True caused by API deferral by [@​dmontagu](https://togithub.com/dmontagu) in [#​8826](https://togithub.com/pydantic/pydantic/pull/8826) ### [`v2.6.3`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v263-2024-02-27) [Compare Source](https://togithub.com/pydantic/pydantic/compare/v2.6.2...v2.6.3) [GitHub release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.3) ##### What's Changed ##### Packaging - Update `pydantic-settings` version in the docs by [@​hramezani](https://togithub.com/hramezani) in [#​8906](https://togithub.com/pydantic/pydantic/pull/8906) ##### Fixes - Fix discriminated union schema gen bug by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8904](https://togithub.com/pydantic/pydantic/pull/8904) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on the 2nd and 4th day instance on sunday after 9pm" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/HHS/simpler-grants-gov). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Michael Chouinard <chouinar6@gmail.com>
Related to issue #1038
Currently the following line:
tarfile.extractall(path=some_path, filter="data")
raises an error. See comment #1038 (comment)However, this should be safe according to comment #1038 (comment)
This PR does not attempt to fix issue #1038, but starts by making the line aforementioned legal. If
filter="data"
is detected, the rule is early exited.cc @mattiasb
Closes: #1025