aws-sdk-core 3.240.0 → 3.241.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bfea66796a6586854e469946701deeb09f2b344e82967f505262052efea4c972
-  data.tar.gz: 98d0d7a3da929b82b7b14098d0041532d94ec0f88bfa04e74c5bcf8286e090b3
+  metadata.gz: 00ff34b8863f275c077125896abacdd231902a6a6749341c504b23aec8386538
+  data.tar.gz: a850b063cf92edc10d656bfbad52060f109928b38b22e5a6b57429fd4446ed9e
 SHA512:
-  metadata.gz: 65092f9f2795f01ee929393ccdbb06ca55d2e0ea420ac7004c0d24fe6bfd9e3b155cd2d4869b96a6deb64e65c8d4fd0e917e8834ea0cac3602a9289df6de4c4f
-  data.tar.gz: 806b5e412f3a25b956d607f948e957e71241b25fdea11306d43a9752570d5daa80e33740c543bc499d74412d63db8325c9c9bf39ae4738c971e318ac33503b47
+  metadata.gz: 98395234b252340f1b5699ed8647c83dfd974f4e6baf603ac38c12e0dafb4f48acb64c155e6cf57eef8d5a99d7522ce1b9cfc8e13e5a8b7675c01df6350b9183
+  data.tar.gz: 4121894cddfddbc75088516236ab2d5b98b14ca55a2a3d3d80f8a8b289540b07e5ac5d93bd30b085faa42a576193f989ddd0ec2f9bfffbbd0ce2b2c9a7bffa59

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+3.241.3 (2026-01-08)
+------------------
+
+* Issue - Disable request trailer checksums when using non-HTTPs endpoints.
+
+3.241.2 (2026-01-07)
+------------------
+
+* Issue - Preserve existing Content-Encoding when applying request trailer checksum.
+
+3.241.1 (2026-01-06)
+------------------
+
+* Issue - Fix memory leak in ClockSkew retry plugin by normalizing endpoints to prevent unlimited hash growth.
+
+3.241.0 (2026-01-05)
+------------------
+
+* Feature - Improved memory efficiency when calculating request checksums.
+
 3.240.0 (2025-12-16)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.240.0
+3.241.3

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -4,7 +4,8 @@ module Aws
   module Plugins
     # @api private
     class ChecksumAlgorithm < Seahorse::Client::Plugin
-      CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+      CHECKSUM_CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+      DEFAULT_TRAILER_CHUNK_SIZE = 16_384 # 16 KB
 
       # determine the set of supported client side checksum algorithms
       # CRC32c requires aws-crt (optional sdk dependency) for support
@@ -21,6 +22,7 @@ module Aws
       end.freeze
 
       CRT_ALGORITHMS = %w[CRC32C CRC64NVME].freeze
+      DEFAULT_CHECKSUM = 'CRC32'
 
       # Priority order of checksum algorithms to validate responses against.
       # Remove any algorithms not supported by client (ie, depending on CRT availability).
@@ -37,8 +39,6 @@ module Aws
         'SHA256' => 44 + 1
       }.freeze
 
-      DEFAULT_CHECKSUM = 'CRC32'
-
       option(:request_checksum_calculation,
              doc_default: 'when_supported',
              doc_type: 'String',
@@ -162,9 +162,7 @@ module Aws
           context[:http_checksum] ||= {}
 
           # Set validation mode to enabled when supported.
-          if context.config.response_checksum_validation == 'when_supported'
-            enable_request_validation_mode(context)
-          end
+          enable_request_validation_mode(context) if context.config.response_checksum_validation == 'when_supported'
 
           @handler.call(context)
         end
@@ -194,9 +192,7 @@ module Aws
             calculate_request_checksum(context, request_algorithm)
           end
 
-          if should_verify_response_checksum?(context)
-            add_verify_response_checksum_handlers(context)
-          end
+          add_verify_response_checksum_handlers(context) if should_verify_response_checksum?(context)
 
           with_metrics(context.config, algorithm) { @handler.call(context) }
         end
@@ -279,8 +275,7 @@ module Aws
         # 1. **No existing checksum in header**: Skips if checksum header already present
         # 2. **Operation support**: Considers model, client configuration and user input.
         def should_calculate_request_checksum?(context)
-          !checksum_provided_as_header?(context.http_request.headers) &&
-            checksum_applicable?(context)
+          !checksum_provided_as_header?(context.http_request.headers) && checksum_applicable?(context)
         end
 
         # Checks if checksum calculation should proceed based on operation requirements and client settings.
@@ -321,12 +316,13 @@ module Aws
         end
 
         def checksum_request_in(context)
-          if context.operation['unsignedPayload'] ||
-             context.operation['authtype'] == 'v4-unsigned-body'
-            'trailer'
-          else
-            'header'
-          end
+          return 'header' unless supports_trailer_checksums?(context.operation)
+
+          should_fallback_to_header?(context) ? 'header' : 'trailer'
+        end
+
+        def supports_trailer_checksums?(operation)
+          operation['unsignedPayload'] || operation['authtype'] == 'v4-unsigned-body'
         end
 
         def calculate_request_checksum(context, checksum_properties)
@@ -334,6 +330,7 @@ module Aws
           if (algorithm_header = checksum_properties[:request_algorithm_header])
             headers[algorithm_header] = checksum_properties[:algorithm]
           end
+
           case checksum_properties[:in]
           when 'header'
             apply_request_checksum(context, headers, checksum_properties)
@@ -344,19 +341,34 @@ module Aws
           end
         end
 
+        def should_fallback_to_header?(context)
+          # Trailer implementation within Mac/JRUBY environment is facing some
+          # network issues that will need further investigation:
+          # * https://github.com/jruby/jruby-openssl/issues/271
+          # * https://github.com/jruby/jruby-openssl/issues/317
+          return true if defined?(JRUBY_VERSION)
+
+          # Chunked signing is currently not supported
+          # Https is required for unsigned payload for security
+          return true if context.http_request.endpoint.scheme == 'http'
+
+          context[:skip_trailer_checksums]
+        end
+
         def apply_request_checksum(context, headers, checksum_properties)
           header_name = checksum_properties[:name]
-          body = context.http_request.body_contents
           headers[header_name] = calculate_checksum(
             checksum_properties[:algorithm],
-            body
+            context.http_request.body
           )
         end
 
         def calculate_checksum(algorithm, body)
           digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
           if body.respond_to?(:read)
+            body.rewind
             update_in_chunks(digest, body)
+            body.rewind
           else
             digest.update(body)
           end
@@ -365,7 +377,7 @@ module Aws
 
         def update_in_chunks(digest, io)
           loop do
-            chunk = io.read(CHUNK_SIZE)
+            chunk = io.read(CHECKSUM_CHUNK_SIZE)
             break unless chunk
 
             digest.update(chunk)
@@ -377,7 +389,12 @@ module Aws
           location_name = checksum_properties[:name]
 
           # set required headers
-          headers['Content-Encoding'] = 'aws-chunked'
+          headers['Content-Encoding'] =
+            if headers['Content-Encoding']
+              headers['Content-Encoding'] += ', aws-chunked'
+            else
+              'aws-chunked'
+            end
           headers['X-Amz-Content-Sha256'] = 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'
           headers['X-Amz-Trailer'] = location_name
 
@@ -388,13 +405,14 @@ module Aws
           unless context.http_request.body.respond_to?(:size)
             raise Aws::Errors::ChecksumError, 'Could not determine length of the body'
           end
-          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
 
-          context.http_request.body = AwsChunkedTrailerDigestIO.new(
-            context.http_request.body,
-            checksum_properties[:algorithm],
-            location_name
-          )
+          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
+          context.http_request.body =
+            AwsChunkedTrailerDigestIO.new(
+              io: context.http_request.body,
+              algorithm: checksum_properties[:algorithm],
+              location_name: location_name
+            )
         end
 
         def should_verify_response_checksum?(context)
@@ -412,15 +430,11 @@ module Aws
         end
 
         def add_verify_response_headers_handler(context, checksum_context)
-          validation_list = CHECKSUM_ALGORITHM_PRIORITIES &
-                            operation_response_algorithms(context)
+          validation_list = CHECKSUM_ALGORITHM_PRIORITIES & operation_response_algorithms(context)
           context[:http_checksum][:validation_list] = validation_list
 
           context.http_response.on_headers do |_status, headers|
-            header_name, algorithm = response_header_to_verify(
-              headers,
-              validation_list
-            )
+            header_name, algorithm = response_header_to_verify(headers, validation_list)
             next unless header_name
 
             expected = headers[header_name]
@@ -466,52 +480,94 @@ module Aws
       # Wrapper for request body that implements application-layer
       # chunking with Digest computed on chunks + added as a trailer
       class AwsChunkedTrailerDigestIO
-        CHUNK_SIZE = 16_384
+        CHUNK_OVERHEAD = 4 # "\r\n\r\n"
+        HEX_BASE = 16
 
-        def initialize(io, algorithm, location_name)
-          @io = io
-          @location_name = location_name
-          @algorithm = algorithm
-          @digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
-          @trailer_io = nil
+        def initialize(options = {})
+          @io = options.delete(:io)
+          @location_name = options.delete(:location_name)
+          @algorithm = options.delete(:algorithm)
+          @digest = ChecksumAlgorithm.digest_for_algorithm(@algorithm)
+          @chunk_size = Thread.current[:net_http_override_body_stream_chunk] || DEFAULT_TRAILER_CHUNK_SIZE
+          @overhead_bytes = calculate_overhead(@chunk_size)
+          @base_chunk_size = @chunk_size - @overhead_bytes
+          @encoded_buffer = +''
+          @eof = false
         end
 
         # the size of the application layer aws-chunked + trailer body
         def size
-          # compute the number of chunks
-          # a full chunk has 4 + 4 bytes overhead, a partial chunk is len.to_s(16).size + 4
           orig_body_size = @io.size
-          n_full_chunks = orig_body_size / CHUNK_SIZE
-          partial_bytes = orig_body_size % CHUNK_SIZE
-          chunked_body_size = n_full_chunks * (CHUNK_SIZE + 8)
-          chunked_body_size += partial_bytes.to_s(16).size + partial_bytes + 4 unless  partial_bytes.zero?
+          n_full_chunks = orig_body_size / @base_chunk_size
+          partial_bytes = orig_body_size % @base_chunk_size
+
+          full_chunk_overhead = @base_chunk_size.to_s(HEX_BASE).size + CHUNK_OVERHEAD
+          chunked_body_size = n_full_chunks * (@base_chunk_size + full_chunk_overhead)
+          unless partial_bytes.zero?
+            chunked_body_size += partial_bytes.to_s(HEX_BASE).size + partial_bytes + CHUNK_OVERHEAD
+          end
           trailer_size = ChecksumAlgorithm.trailer_length(@algorithm, @location_name)
           chunked_body_size + trailer_size
         end
 
         def rewind
           @io.rewind
+          @encoded_buffer = +''
+          @eof = false
+          @digest = ChecksumAlgorithm.digest_for_algorithm(@algorithm)
         end
 
-        def read(length, buf = nil)
-          # account for possible leftover bytes at the end, if we have trailer bytes, send them
-          if @trailer_io
-            return @trailer_io.read(length, buf)
-          end
+        def read(length = nil, buf = nil)
+          return '' if length&.zero?
+          return if eof?
 
-          chunk = @io.read(length)
-          if chunk
-            @digest.update(chunk)
-            application_chunked = "#{chunk.bytesize.to_s(16)}\r\n#{chunk}\r\n"
-            return StringIO.new(application_chunked).read(application_chunked.size, buf)
+          buf&.clear
+          output_buffer = buf || +''
+
+          fill_encoded_buffer(length)
+
+          if length
+            output_buffer << @encoded_buffer.slice!(0, length)
           else
-            trailers = {}
-            trailers[@location_name] = @digest.base64digest
-            trailers = trailers.map { |k,v| "#{k}:#{v}" }.join("\r\n")
-            @trailer_io = StringIO.new("0\r\n#{trailers}\r\n\r\n")
-            chunk = @trailer_io.read(length, buf)
+            output_buffer << @encoded_buffer
+            @encoded_buffer.clear
+          end
+
+          output_buffer.empty? && eof? ? nil : output_buffer
+        end
+
+        def eof?
+          @eof && @encoded_buffer.empty?
+        end
+
+        private
+
+        def calculate_overhead(chunk_size)
+          chunk_size.to_s(HEX_BASE).size + CHUNK_OVERHEAD
+        end
+
+        def fill_encoded_buffer(required_length)
+          return if required_length && @encoded_buffer.bytesize >= required_length
+
+          while !@eof && fill_data?(required_length)
+            chunk = @io.read(@base_chunk_size)
+            if chunk && !chunk.empty?
+              @digest.update(chunk)
+              @encoded_buffer << "#{chunk.bytesize.to_s(HEX_BASE)}\r\n#{chunk}\r\n"
+            else
+              @encoded_buffer << "0\r\n#{trailer_string}\r\n\r\n"
+              @eof = true
+            end
           end
-          chunk
+        end
+
+        def trailer_string
+          { @location_name => @digest.base64digest }.map { |k, v| "#{k}:#{v}" }.join("\r\n")
+        end
+
+        # Returns true if more data needs to be read into the buffer
+        def fill_data?(length)
+          length.nil? || @encoded_buffer.bytesize < length
         end
       end
     end

data/lib/aws-sdk-core/plugins/retries/clock_skew.rb

@@ -3,10 +3,8 @@
 module Aws
   module Plugins
     module Retries
-
       # @api private
       class ClockSkew
-
         CLOCK_SKEW_THRESHOLD = 5 * 60 # five minutes
 
         def initialize
@@ -22,9 +20,9 @@ module Aws
         end
 
         # Gets the clock_correction in seconds to apply to a given endpoint
-        # @param endpoint [URI / String]
+        # @param endpoint [URI, String]
         def clock_correction(endpoint)
-          @mutex.synchronize { @endpoint_clock_corrections[endpoint.to_s] }
+          @mutex.synchronize { @endpoint_clock_corrections[normalized_endpoint(endpoint)] }
         end
 
         # The estimated skew factors in any clock skew from
@@ -35,7 +33,7 @@ module Aws
         # Estimated Skew should not be used to correct clock skew errors
         # it should only be used to estimate TTL for a request
         def estimated_skew(endpoint)
-          @mutex.synchronize { @endpoint_estimated_skews[endpoint.to_s] }
+          @mutex.synchronize { @endpoint_estimated_skews[normalized_endpoint(endpoint)] }
         end
 
         # Determines whether a request has clock skew by comparing
@@ -55,9 +53,9 @@ module Aws
           endpoint = context.http_request.endpoint
           now_utc = Time.now.utc
           server_time = server_time(context.http_response)
-          if server_time && (now_utc - server_time).abs > CLOCK_SKEW_THRESHOLD
-            set_clock_correction(endpoint, server_time - now_utc)
-          end
+          return unless server_time && (now_utc - server_time).abs > CLOCK_SKEW_THRESHOLD
+
+          set_clock_correction(normalized_endpoint(endpoint), server_time - now_utc)
         end
 
         # Called for every request
@@ -69,20 +67,35 @@ module Aws
           now_utc = Time.now.utc
           server_time = server_time(context.http_response)
           return unless server_time
+
           @mutex.synchronize do
-            @endpoint_estimated_skews[endpoint.to_s] = server_time - now_utc
+            @endpoint_estimated_skews[normalized_endpoint(endpoint)] = server_time - now_utc
           end
         end
 
         private
 
+        ##
+        # @param endpoint [URI, String]
+        #     the endpoint to normalize
+        #
+        # @return [String]
+        #     the endpoint's schema, host, and port - without any path or query arguments
+        def normalized_endpoint(endpoint)
+          uri = endpoint.is_a?(URI::Generic) ? endpoint : URI(endpoint.to_s)
+
+          return endpoint.to_s unless uri.scheme && uri.host
+
+          "#{uri.scheme}://#{uri.host}:#{uri.port}"
+        rescue URI::InvalidURIError
+          endpoint.to_s
+        end
+
         # @param response [Seahorse::Client::Http::Response:]
         def server_time(response)
-          begin
-            Time.parse(response.headers['date']).utc
-          rescue
-            nil
-          end
+          Time.parse(response.headers['date']).utc
+        rescue StandardError
+          nil
         end
 
         # Sets the clock correction for an endpoint
@@ -90,11 +103,10 @@ module Aws
         # @param correction [Number]
         def set_clock_correction(endpoint, correction)
           @mutex.synchronize do
-            @endpoint_clock_corrections[endpoint.to_s] = correction
+            @endpoint_clock_corrections[normalized_endpoint(endpoint)] = correction
           end
         end
       end
     end
   end
 end
-

data/lib/aws-sdk-signin/client.rb

@@ -579,7 +579,7 @@ module Aws::Signin
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.240.0'
+      context[:gem_version] = '3.241.3'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-signin.rb

@@ -56,7 +56,7 @@ module Aws::Signin
   autoload :EndpointProvider, 'aws-sdk-signin/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-signin/endpoints'
 
-  GEM_VERSION = '3.240.0'
+  GEM_VERSION = '3.241.3'
 
 end
 

data/lib/aws-sdk-sso/client.rb

@@ -698,7 +698,7 @@ module Aws::SSO
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.240.0'
+      context[:gem_version] = '3.241.3'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -56,7 +56,7 @@ module Aws::SSO
   autoload :EndpointProvider, 'aws-sdk-sso/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sso/endpoints'
 
-  GEM_VERSION = '3.240.0'
+  GEM_VERSION = '3.241.3'
 
 end
 

data/lib/aws-sdk-ssooidc/client.rb

@@ -1081,7 +1081,7 @@ module Aws::SSOOIDC
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.240.0'
+      context[:gem_version] = '3.241.3'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc.rb

@@ -56,7 +56,7 @@ module Aws::SSOOIDC
   autoload :EndpointProvider, 'aws-sdk-ssooidc/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-ssooidc/endpoints'
 
-  GEM_VERSION = '3.240.0'
+  GEM_VERSION = '3.241.3'
 
 end
 

data/lib/aws-sdk-sts/client.rb

@@ -2725,7 +2725,7 @@ module Aws::STS
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.240.0'
+      context[:gem_version] = '3.241.3'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts.rb

@@ -56,7 +56,7 @@ module Aws::STS
   autoload :EndpointProvider, 'aws-sdk-sts/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sts/endpoints'
 
-  GEM_VERSION = '3.240.0'
+  GEM_VERSION = '3.241.3'
 
 end
 

data/lib/seahorse/client/net_http/patches.rb

@@ -6,28 +6,61 @@ module Seahorse
   module Client
     # @api private
     module NetHttp
-
       # @api private
       module Patches
-
         def self.apply!
-          Net::HTTPGenericRequest.prepend(PatchDefaultContentType)
+          Net::HTTPGenericRequest.prepend(RequestPatches)
         end
 
-        # For requests with bodies, Net::HTTP sets a default content type of:
-        #   'application/x-www-form-urlencoded'
-        # There are cases where we should not send content type at all.
-        # Even when no body is supplied, Net::HTTP uses a default empty body
-        # and sets it anyway. This patch disables the behavior when a Thread
-        # local variable is set.
-        module PatchDefaultContentType
+        # Patches intended to override Net::HTTP functionality
+        module RequestPatches
+          # For requests with bodies, Net::HTTP sets a default content type of:
+          #   'application/x-www-form-urlencoded'
+          # There are cases where we should not send content type at all.
+          # Even when no body is supplied, Net::HTTP uses a default empty body
+          # and sets it anyway. This patch disables the behavior when a Thread
+          # local variable is set.
+          # See: https://github.com/ruby/net-http/issues/205
           def supply_default_content_type
             return if Thread.current[:net_http_skip_default_content_type]
 
             super
           end
-        end
 
+          # IO.copy_stream is capped at 16KB buffer so this patch intends to
+          # increase its chunk size for better performance.
+          # Only intended to use for S3 TM implementation.
+          # See: https://github.com/ruby/net-http/blob/master/lib/net/http/generic_request.rb#L292
+          def send_request_with_body_stream(sock, ver, path, f)
+            return super unless (chunk_size = Thread.current[:net_http_override_body_stream_chunk])
+
+            unless content_length || chunked?
+              raise ArgumentError, 'Content-Length not given and Transfer-Encoding is not `chunked`'
+            end
+
+            supply_default_content_type
+            write_header(sock, ver, path)
+            wait_for_continue sock, ver if sock.continue_timeout
+            if chunked?
+              chunker = Chunker.new(sock)
+              RequestIO.custom_stream(f, chunker, chunk_size)
+              chunker.finish
+            else
+              RequestIO.custom_stream(f, sock, chunk_size)
+            end
+          end
+
+          class RequestIO
+            def self.custom_stream(src, dst, chunk_size)
+              copied = 0
+              while (chunk = src.read(chunk_size))
+                dst.write(chunk)
+                copied += chunk.bytesize
+              end
+              copied
+            end
+          end
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.240.0
+  version: 3.241.3
 platform: ruby
 authors:
 - Amazon Web Services