
Commit c50158b

committed
VED-763: Resolve security warnings.
1 parent dbf9111 commit c50158b


1 file changed

+19
-4
lines changed


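--- a/mesh_processor/src/converter.py
+++ b/mesh_processor/src/converter.py
@@ -11,7 +11,9 @@
 logger = logging.getLogger()
 
 s3_client = boto3.client('s3')
+sts_client = boto3.client('sts')
 
+aws_account_id = sts_client.get_caller_identity()['Account']
 
 def parse_headers(headers_str: str) -> dict[str, str]:
 headers = dict(
@@ -80,9 +82,15 @@ def move_file(source_bucket: str, source_key: str, destination_bucket: str, dest
 s3_client.copy_object(
 CopySource={"Bucket": source_bucket, "Key": source_key},
 Bucket=destination_bucket,
-Key=destination_key
+Key=destination_key,
+ExpectedBucketOwner=aws_account_id,
+ExpectedSourceBucketOwner=aws_account_id,
+)
+s3_client.delete_object(
+Bucket=source_bucket,
+Key=source_key,
+ExpectedBucketOwner=aws_account_id,
 )
-s3_client.delete_object(Bucket=source_bucket, Key=source_key)
 
 
 def transfer_multipart_content(
@@ -149,15 +157,20 @@ def process_record(record: dict) -> None:
 file_key = record["s3"]["object"]["key"]
 logger.info(f"Processing {file_key}")
 
-head_object_response = s3_client.head_object(Bucket=bucket_name, Key=file_key)
+head_object_response = s3_client.head_object(
+Bucket=bucket_name,
+Key=file_key,
+ExpectedBucketOwner=aws_account_id,
+)
 content_type = head_object_response['ContentType']
 media_type, content_type_params = parse_header_value(content_type)
 filename = head_object_response["Metadata"].get("mex-filename") or file_key
 
 get_object_attributes_response = s3_client.get_object_attributes(
 Bucket=bucket_name,
 Key=file_key,
-ObjectAttributes=["Checksum"]
+ObjectAttributes=["Checksum"],
+ExpectedBucketOwner=aws_account_id,
 )
 checksum_obj = get_object_attributes_response["Checksum"]
 checksum = get_checksum_value(checksum_obj)
@@ -172,6 +185,8 @@ def process_record(record: dict) -> None:
 Bucket=DESTINATION_BUCKET_NAME,
 CopySource={"Bucket": bucket_name, "Key": file_key},
 Key=add_checksum_to_filename(filename, checksum),
+ExpectedBucketOwner=aws_account_id,
+ExpectedSourceBucketOwner=aws_account_id,
 )
 
 logger.info(f"Transfer complete for {file_key}")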
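Review bot: The module-level `aws_account_id = sts_client.get_caller_identity()['Account']` added in the first hunk makes a network call at import time, so an STS error or an unreachable STS endpoint fails the module load before any of its functions can run or log. It also ties every `ExpectedBucketOwner` and `ExpectedSourceBucketOwner` added in move_file and process_record to the caller's own account, which is only correct if the source and destination buckets are all owned by that account; the diff does not show who owns them, so this is worth confirming. I would resolve the id lazily with a `@functools.cache`-decorated `def get_aws_account_id() -> str:` that returns `sts_client.get_caller_identity()['Account']`, and document the assumption with `# Buckets are expected to be owned by this function's own account; S3 rejects the call on a mismatch.` move_file and process_record both extend outside the visible hunks, and transfer_multipart_content is not shown at all, so other S3 calls in the file may still lack the owner check.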
