viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
seaweedfs/weed/s3api/s3api_path_validation.go
T
Chris Lu 0345658ea8 [s3] validate indirect filer path inputs (#9931) 
* s3: validate indirect filer path inputs

* s3: avoid query parsing on common request path

* filer: scope copy/move source against JWT AllowedPrefixes

maybeCheckJwtAuthorization only checked r.URL.Path, but copy and move read
their source from the cp.from / mv.from query params. A prefix-restricted
token could copy or move data out of a subtree it cannot otherwise reach.
Check every path the request touches, reusing pathHasComponentPrefix so
`..` in the source is collapsed before the prefix match.

* s3: confine iceberg CreateTable location to the catalog bucket

CreateTable derived the metadata bucket and path from the client-supplied
req.Location / req.Name and wrote there directly, so a caller scoped to one
table bucket could place metadata in another bucket (and path.Join collapsed
any `..`). Require the parsed bucket to equal the request's catalog bucket
and reject traversal segments in the table path.

* webdav: clean client path before subFolder confinement

wrappedFs concatenated subFolder + name before the underlying FileSystem
ran path.Clean, so `..` in the request path or COPY/MOVE Destination
resolved across the FilerRootPath confinement boundary. Clean the name as a
rooted path first so traversal segments collapse below subFolder. Only the
non-default -filer.path (non-empty subFolder) setup was affected.

* filer: enforce read-only rule on real write path with destination header

The x-seaweedfs-destination header overrides the path used for storage-rule
matching while the entry is written at r.URL.Path, letting a caller select a
writable rule for a read-only target. When the header is present, also check
the read-only/quota rule against the actual write path.
2026-06-11 21:56:16 -07:00

88 lines
2.6 KiB
Go
Raw Permalink Blame History

package s3api
import (
"net/http"
"net/url"
"strings"
"github.com/gorilla/mux"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
func hasPathSegmentQuery(rawQuery string) bool {
if strings.Contains(rawQuery, "versionId") || strings.Contains(rawQuery, "uploadId") {
return true
}
if !strings.Contains(rawQuery, "%") {
return false
}
for rawQuery != "" {
field := rawQuery
if i := strings.IndexByte(rawQuery, '&'); i >= 0 {
field, rawQuery = rawQuery[:i], rawQuery[i+1:]
} else {
rawQuery = ""
}
if i := strings.IndexByte(field, '='); i >= 0 {
field = field[:i]
}
if !strings.Contains(field, "%") {
continue
}
key, err := url.QueryUnescape(field)
if err == nil && (key == "versionId" || key == "uploadId") {
return true
}
}
return false
}
func hasInvalidPathSegment(values []string) bool {
for _, value := range values {
if value != "" && !s3_constants.IsValidPathSegment(value) {
return true
}
}
return false
}
// validateRequestPath rejects requests whose captured {bucket}/{object} mux
// vars would normalize to a parent-directory traversal once joined into a
// filer path. The router runs with mux.NewRouter().SkipClean(true), so
// segments like `..` survive routing; the filer's util.JoinPath later collapses
// them via filepath.Join. Without this guard, `GET /bucket-A/../evil-bucket/k`
// matches as bucket=bucket-A, object=../evil-bucket/k, the filer resolves the
// read against evil-bucket, while IAM authorizes against bucket-A.
func validateRequestPath(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
// When a var is in the matched route it must be non-empty: an empty
// bucket would let downstream path.Join collapse it and let the object
// key pick the bucket.
if bucket, ok := vars["bucket"]; ok {
if bucket == "" || !s3_constants.IsValidBucketName(bucket) {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
}
if object, ok := vars["object"]; ok {
if object == "" || !s3_constants.IsValidObjectKey(object) {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
}
// versionId and uploadId are later used as filer entry names. Avoid
// parsing every request's query while still recognizing encoded names.
if hasPathSegmentQuery(r.URL.RawQuery) {
query := r.URL.Query()
if hasInvalidPathSegment(query["versionId"]) || hasInvalidPathSegment(query["uploadId"]) {
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
return
}
}
next.ServeHTTP(w, r)
})
}
Reference in New Issue View Git Blame Copy Permalink