mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2026-05-29 21:20:21 +00:00
dd1b428789
* s3,iceberg: reject `..`/NUL in URL path vars Both gateway routers use mux.NewRouter().SkipClean(true), so a request like `GET /bucket-A/../evil-bucket/key` survives routing as bucket=bucket-A, object=../evil-bucket/key. The captured key is then joined into a filer path; util.JoinPath / path.Join collapse the `..` server-side and the read lands in evil-bucket. With auth on, IAM still authorizes against bucket-A (the mux var), so policy is evaluated against the wrong target. Add a middleware on the S3 bucket subrouter and the Iceberg REST router that rejects any `.`, `..`, NUL, or — for single-segment slots — embedded slash in the captured path vars before any handler runs. NormalizeObjectKey already folds `\` to `/` and decoding happens in mux, so `%2e%2e` and `..\` are caught. * s3,iceberg: reject empty captured vars and empty namespace parts Comma-ok the var lookup so we only check captured slots, then treat an empty captured value as a rejection on its own — downstream path.Join would otherwise collapse it and let the next segment pick the bucket. For iceberg, also reject empty parts after splitting the namespace on \x1F so leading/trailing/consecutive unit separators (which parseNamespace silently folds out) don't let distinct route values collapse to the same parsed namespace. Register loggingMiddleware before validateRequestPath on the iceberg router so rejected requests still produce an audit-log line.
39 lines
1.4 KiB
Go
39 lines
1.4 KiB
Go
package s3api
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/gorilla/mux"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
)
|
|
|
|
// validateRequestPath rejects requests whose captured {bucket}/{object} mux
|
|
// vars would normalize to a parent-directory traversal once joined into a
|
|
// filer path. The router runs with mux.NewRouter().SkipClean(true), so
|
|
// segments like `..` survive routing; the filer's util.JoinPath later collapses
|
|
// them via filepath.Join. Without this guard, `GET /bucket-A/../evil-bucket/k`
|
|
// matches as bucket=bucket-A, object=../evil-bucket/k, the filer resolves the
|
|
// read against evil-bucket, while IAM authorizes against bucket-A.
|
|
func validateRequestPath(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
vars := mux.Vars(r)
|
|
// When a var is in the matched route it must be non-empty: an empty
|
|
// bucket would let downstream path.Join collapse it and let the object
|
|
// key pick the bucket.
|
|
if bucket, ok := vars["bucket"]; ok {
|
|
if bucket == "" || !s3_constants.IsValidBucketName(bucket) {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
return
|
|
}
|
|
}
|
|
if object, ok := vars["object"]; ok {
|
|
if object == "" || !s3_constants.IsValidObjectKey(object) {
|
|
s3err.WriteErrorResponse(w, r, s3err.ErrInvalidRequest)
|
|
return
|
|
}
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|