Merge pull request #13 from aws-solutions/release/v1.0.3

release/v1.0.3

Author: hayesry

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.3] - 2026-02-09
+
+### Security
+
+- Update dependencies to mitigate [CVE-2026-25547](https://nvd.nist.gov/vuln/detail/CVE-2026-25547) and [CVE-2026-0775](https://nvd.nist.gov/vuln/detail/CVE-2026-0775).
+
 ## [1.0.2] - 2026-02-05
 
 ### Security

solution-manifest.yaml

@@ -1,6 +1,6 @@
 id: SO0310
 name: deepracer-on-aws
-version: v1.0.2
+version: v1.0.3
 cloudformation_templates:
   - template: deepracer-on-aws.template
     main_template: true

source/apps/website/src/pages/CreateModel/components/ModelInfo/__tests__/utils.spec.tsx

@@ -0,0 +1,174 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+import { TRACKS } from '#constants/tracks';
+
+import { SortByValue } from '../constants';
+import { getTrackTiles } from '../utils';
+
+// Mock the tracks constant
+vi.mock('#constants/tracks', () => ({
+  TRACKS: [
+    {
+      trackId: 'track1',
+      name: 'Short Easy Track',
+      description: 'A short and easy track',
+      length: 10,
+      difficulty: 1,
+    },
+    {
+      trackId: 'track2',
+      name: 'Medium Track',
+      description: 'A medium difficulty track',
+      length: 20,
+      difficulty: 5,
+    },
+    {
+      trackId: 'track3',
+      name: 'Long Hard Track',
+      description: 'A long and difficult track',
+      length: 30,
+      difficulty: 10,
+    },
+  ],
+}));
+
+describe('getTrackTiles', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('sorting functionality', () => {
+    it('sorts tracks by length shortest to longest', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track1');
+      expect(result[1].value).toBe('track2');
+      expect(result[2].value).toBe('track3');
+    });
+
+    it('sorts tracks by length longest to shortest', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_LONGEST, '');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track3');
+      expect(result[1].value).toBe('track2');
+      expect(result[2].value).toBe('track1');
+    });
+
+    it('sorts tracks by difficulty most to least', () => {
+      const result = getTrackTiles(SortByValue.DIFFICULTY_MOST, '');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track1');
+      expect(result[1].value).toBe('track2');
+      expect(result[2].value).toBe('track3');
+    });
+
+    it('sorts tracks by difficulty least to most', () => {
+      const result = getTrackTiles(SortByValue.DIFFICULTY_LEAST, '');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track3');
+      expect(result[1].value).toBe('track2');
+      expect(result[2].value).toBe('track1');
+    });
+
+    it('uses LENGTH_SHORTEST as default sort', () => {
+      const result = getTrackTiles('invalid' as SortByValue, '');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track1');
+      expect(result[1].value).toBe('track2');
+      expect(result[2].value).toBe('track3');
+    });
+  });
+
+  describe('filtering functionality', () => {
+    it('filters tracks by name (case insensitive)', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, 'short');
+
+      expect(result).toHaveLength(1);
+      expect(result[0].value).toBe('track1');
+      expect(result[0].label).toBe('Short Easy Track');
+    });
+
+    it('filters tracks with partial match', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, 'track');
+
+      expect(result).toHaveLength(3);
+    });
+
+    it('returns empty array when no tracks match filter', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, 'nonexistent');
+
+      expect(result).toHaveLength(0);
+    });
+
+    it('handles empty filter string', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result).toHaveLength(3);
+    });
+  });
+
+  describe('output format', () => {
+    it('returns correctly formatted track tiles', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result[0]).toHaveProperty('label');
+      expect(result[0]).toHaveProperty('description');
+      expect(result[0]).toHaveProperty('image');
+      expect(result[0]).toHaveProperty('value');
+    });
+
+    it('includes track name as label', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result[0].label).toBe('Short Easy Track');
+    });
+
+    it('includes track description', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result[0].description).toBe('A short and easy track');
+    });
+
+    it('includes track ID as value', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_SHORTEST, '');
+
+      expect(result[0].value).toBe('track1');
+    });
+  });
+
+  describe('immutability', () => {
+    it('does not mutate the original TRACKS array', () => {
+      const originalOrder = [...TRACKS];
+
+      getTrackTiles(SortByValue.LENGTH_LONGEST, '');
+
+      expect(TRACKS).toEqual(originalOrder);
+    });
+
+    it('does not mutate TRACKS when sorting by difficulty', () => {
+      const originalOrder = [...TRACKS];
+
+      getTrackTiles(SortByValue.DIFFICULTY_MOST, '');
+
+      expect(TRACKS).toEqual(originalOrder);
+    });
+  });
+
+  describe('combined sorting and filtering', () => {
+    it('applies both sorting and filtering correctly', () => {
+      const result = getTrackTiles(SortByValue.LENGTH_LONGEST, 'track');
+
+      expect(result).toHaveLength(3);
+      expect(result[0].value).toBe('track3');
+      expect(result[2].value).toBe('track1');
+    });
+  });
+});

source/apps/website/src/pages/CreateModel/components/ModelInfo/utils.tsx

@@ -10,17 +10,17 @@ export const getTrackTiles = (sortBy: SortByValue, filteringText: string) => {
 
   switch (sortBy) {
     case SortByValue.LENGTH_LONGEST:
-      sortedTracks = TRACKS.sort((a, b) => b.length - a.length);
+      sortedTracks = [...TRACKS].sort((a, b) => b.length - a.length);
       break;
     case SortByValue.DIFFICULTY_MOST:
-      sortedTracks = TRACKS.sort((a, b) => a.difficulty - b.difficulty);
+      sortedTracks = [...TRACKS].sort((a, b) => a.difficulty - b.difficulty);
       break;
     case SortByValue.DIFFICULTY_LEAST:
-      sortedTracks = TRACKS.sort((a, b) => b.difficulty - a.difficulty);
+      sortedTracks = [...TRACKS].sort((a, b) => b.difficulty - a.difficulty);
       break;
     case SortByValue.LENGTH_SHORTEST:
     default:
-      sortedTracks = TRACKS.sort((a, b) => a.length - b.length);
+      sortedTracks = [...TRACKS].sort((a, b) => a.length - b.length);
       break;
   }
 

source/apps/website/src/services/deepRacer/__tests__/middleware.spec.ts

@@ -8,7 +8,7 @@ import { MiddlewareStack } from '@smithy/types';
 import { type AuthSession, fetchAuthSession } from 'aws-amplify/auth';
 import { vi } from 'vitest';
 
-import { httpSigningMiddleware, httpSigningPlugin } from '../middleware';
+import { httpSigningMiddleware, httpSigningPlugin, signRequest } from '../middleware';
 
 // Mock dependencies
 vi.mock('@aws-crypto/sha256-browser', () => ({
@@ -23,7 +23,7 @@ vi.mock('aws-amplify/auth', () => ({
   fetchAuthSession: vi.fn(),
 }));
 
-vi.mock('#utils/envUtils', () => ({
+vi.mock('../../utils/envUtils.js', () => ({
   environmentConfig: {
     region: 'us-east-1',
   },
@@ -36,13 +36,14 @@ describe('middleware', () => {
     operation: { name: 'TestOperation' },
   };
   const mockSignedRequest = { headers: { Authorization: 'AWS4-HMAC-SHA256...' } };
+  const mockSignatureV4Instance = {
+    sign: vi.fn().mockResolvedValue(mockSignedRequest),
+  };
 
   beforeEach(() => {
     vi.clearAllMocks();
     // Mock SignatureV4 instance
-    (SignatureV4 as unknown as ReturnType<typeof vi.fn>).mockImplementation(() => ({
-      sign: vi.fn().mockResolvedValue(mockSignedRequest),
-    }));
+    (SignatureV4 as unknown as ReturnType<typeof vi.fn>).mockImplementation(() => mockSignatureV4Instance);
   });
 
   describe('httpSigningMiddleware', () => {
@@ -135,4 +136,102 @@ describe('middleware', () => {
       });
     });
   });
+
+  describe('signRequest', () => {
+    it('should sign request successfully with valid credentials', async () => {
+      const mockSession: AuthSession = {
+        credentials: {
+          accessKeyId: 'test-access-key-id',
+          secretAccessKey: 'test-secret-access-key',
+          sessionToken: 'test-session-token',
+        },
+        identityId: 'test-identity-id',
+        tokens: {
+          accessToken: {
+            toString: () => 'test-access-token',
+            payload: {},
+          },
+          idToken: {
+            toString: () => 'test-id-token',
+            payload: {},
+          },
+        },
+      };
+
+      const mockRequest = new HttpRequest({
+        method: 'POST',
+        protocol: 'https:',
+        hostname: 'api.example.com',
+        path: '/test',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      });
+
+      const result = await signRequest(mockSession, mockRequest);
+
+      expect(result.headers.authorization).toBeDefined();
+      expect(result.headers['Content-Type']).toBeDefined();
+      expect(result.headers['x-amz-content-sha256']).toBeDefined();
+      expect(result.headers['x-amz-date']).toBeDefined();
+      expect(result.headers['x-amz-security-token']).toBeDefined();
+      expect(mockRequest).toBeDefined();
+    });
+
+    it('should throw error when session has no credentials', async () => {
+      const mockSession: AuthSession = {
+        credentials: undefined,
+        identityId: 'test-identity-id',
+        tokens: {
+          accessToken: {
+            toString: () => 'test-access-token',
+            payload: {},
+          },
+          idToken: {
+            toString: () => 'test-id-token',
+            payload: {},
+          },
+        },
+      };
+
+      const mockRequest = new HttpRequest({
+        method: 'GET',
+        protocol: 'https:',
+        hostname: 'api.example.com',
+        path: '/test',
+      });
+
+      await expect(signRequest(mockSession, mockRequest)).rejects.toThrow('No credentials found');
+
+      expect(SignatureV4).not.toHaveBeenCalled();
+    });
+
+    it('should throw error when session credentials are undefined', async () => {
+      const mockSession: AuthSession = {
+        credentials: undefined,
+        identityId: 'test-identity-id',
+        tokens: {
+          accessToken: {
+            toString: () => 'test-access-token',
+            payload: {},
+          },
+          idToken: {
+            toString: () => 'test-id-token',
+            payload: {},
+          },
+        },
+      };
+
+      const mockRequest = new HttpRequest({
+        method: 'PUT',
+        protocol: 'https:',
+        hostname: 'api.example.com',
+        path: '/test',
+      });
+
+      await expect(signRequest(mockSession, mockRequest)).rejects.toThrow('No credentials found');
+
+      expect(SignatureV4).not.toHaveBeenCalled();
+    });
+  });
 });