fix: validate s3 ownership controls rule (#9684)

weed/s3api/s3api_bucket_handlers.go

@@ -1059,7 +1059,7 @@ func (s3a *S3ApiServer) PutBucketOwnershipControls(w http.ResponseWriter, r *htt
 		return
 	}
 
-	if len(v.Rules) != 1 {
+	if len(v.Rules) != 1 || v.Rules[0] == nil || v.Rules[0].ObjectOwnership == nil {
 		s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
 		return
 	}

weed/s3api/s3api_bucket_handlers_misc_test.go

@@ -9,9 +9,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/gorilla/mux"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
+	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 )
 
 func newMiscTestServer(t *testing.T, bucket string) *S3ApiServer {
@@ -102,6 +104,36 @@ func TestPutBucketRequestPaymentRequesterRejected(t *testing.T) {
 	}
 }
 
+func TestPutBucketOwnershipControlsRejectsRuleWithoutObjectOwnership(t *testing.T) {
+	ownerID := AccountAdmin.Id
+	s3a := &S3ApiServer{
+		bucketRegistry: &BucketRegistry{
+			metadataCache: map[string]*BucketMetaData{
+				"b": {
+					Name: "b",
+					Owner: &s3.Owner{
+						ID: &ownerID,
+					},
+				},
+			},
+			notFound: map[string]struct{}{},
+		},
+	}
+	body := `<OwnershipControls><Rule></Rule></OwnershipControls>`
+	req := newBucketRequest(http.MethodPut, "b", "ownershipControls=", body)
+	req.Header.Set(s3_constants.AmzAccountId, AccountAdmin.Id)
+	rec := httptest.NewRecorder()
+
+	s3a.PutBucketOwnershipControls(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusBadRequest, rec.Body.String())
+	}
+	if !strings.Contains(rec.Body.String(), "InvalidRequest") {
+		t.Fatalf("body missing InvalidRequest: %s", rec.Body.String())
+	}
+}
+
 func TestGetBucketAccelerateConfiguration(t *testing.T) {
 	s3a := newMiscTestServer(t, "b")
 	req := newBucketRequest(http.MethodGet, "b", "accelerate=", "")