Fixes CVE-2023-51651 Potential URI resolution path traversal in the AWS SDK for PHP

[joelpittet]

Description

+-------------------+----------------------------------------------------------------------------------+
| Package           | aws/aws-sdk-php                                                                  |
| CVE               | CVE-2023-51651                                                                   |
| Title             | Potential URI resolution path traversal in the AWS SDK for PHP                   |
| URL               | https://github.com/advisories/GHSA-557v-xcg6-rm5m                                |
| Affected versions | <3.288.1                                                                         |
| Reported at       | 2023-12-21T23:16:13+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Composer audit before and after fix

[joelpittet]

This didn't fix it because

❯ composer update "aws/aws-sdk-php:3.288.1" --dry-run
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - aws/aws-sdk-php 3.288.1 requires aws/aws-crt-php ^1.2.3 -> found aws/aws-crt-php[v1.2.3, v1.2.4] but the package is fixed to v1.0.2 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - league/flysystem-aws-s3-v3 1.0.30 requires aws/aws-sdk-php ^3.20.0 -> satisfiable by aws/aws-sdk-php[3.288.1].
    - league/flysystem-aws-s3-v3 is locked to version 1.0.30 and an update of this package was not requested.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

[joelpittet]

Added dependencies and ran with PHP 7.4 to preserve that platform requirement

[joelpittet]

FTR here is what is getting updated:

❯ ddev composer update "aws/aws-sdk-php" -W
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 10 updates, 0 removals
  - Upgrading aws/aws-crt-php (v1.0.2 => v1.2.4)
  - Upgrading aws/aws-sdk-php (3.258.2 => 3.295.4)
  - Upgrading guzzlehttp/guzzle (7.4.5 => 7.8.1)
  - Upgrading guzzlehttp/promises (1.5.1 => 2.0.2)
  - Upgrading guzzlehttp/psr7 (2.4.5 => 2.6.2)
  - Upgrading mtdowling/jmespath.php (2.6.1 => 2.7.0)
  - Upgrading psr/http-client (1.0.1 => 1.0.3)
  - Upgrading psr/http-factory (1.0.1 => 1.0.2)
  - Upgrading psr/http-message (1.0.1 => 1.1)
  - Upgrading symfony/polyfill-mbstring (v1.26.0 => v1.28.0)

[uberbrady]

Thank you for the contribution to help keep us secure! It's very much appreciated.

I tested it by doing this - first, I read up on the AWS SDK for PHP, and its minimum PHP versions - which are very conservative (which I like). Then, I tested by switching my system version of PHP to each of 7.4.x, 8.0.x, and 8.1.x and blowing out ./vendors and running composer install - and ensuring that php artisan test works.

I should note that php 8.2.x does not work (dependencies will not install), but I am hoping that we will be able to enable that - and maybe even 8.3 - once we can release Snipe-IT v7.

Thanks again!

[snipe]

TY @joelpittet!