From 4478ed1143e626ee13f7db890990c6e99fc1b11d Mon Sep 17 00:00:00 2001 From: Ben McClelland Date: Tue, 6 May 2025 17:42:05 -0700 Subject: [PATCH] fix: panic with malformed request in event/log handlers Sending the following malformed request with eevnt notifcations or access logs enabled will cause a panic related to parsing the bucket and object from the invalid request path: printf "GET GET HTTP/1.1\r\nHost: $HOST\r\n\r\n" | nc 127.0.0.1 7070 The fix is to add bounds checks on the slice returned from splitting the request path to set the bucket/object. Fixes #1269 --- s3event/event.go | 7 ++++++- s3log/file.go | 5 ++++- s3log/webhook.go | 5 ++++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/s3event/event.go b/s3event/event.go index e172836..32c49f0 100644 --- a/s3event/event.go +++ b/s3event/event.go @@ -141,7 +141,12 @@ func InitEventSender(cfg *EventConfig) (S3EventSender, error) { func createEventSchema(ctx *fiber.Ctx, meta EventMeta, configId ConfigurationId) EventSchema { path := strings.Split(ctx.Path(), "/") - bucket, object := path[1], strings.Join(path[2:], "/") + + var bucket, object string + if len(path) > 1 { + bucket, object = path[1], strings.Join(path[2:], "/") + } + acc := ctx.Locals("account").(auth.Account) return EventSchema{ diff --git a/s3log/file.go b/s3log/file.go index 9d36fff..3254caf 100644 --- a/s3log/file.go +++ b/s3log/file.go @@ -68,7 +68,10 @@ func (f *FileLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMeta) { access := "-" reqURI := ctx.OriginalURL() path := strings.Split(ctx.Path(), "/") - bucket, object := path[1], strings.Join(path[2:], "/") + var bucket, object string + if len(path) > 1 { + bucket, object = path[1], strings.Join(path[2:], "/") + } errorCode := "" httpStatus := 200 startTime := ctx.Locals("startTime").(time.Time) diff --git a/s3log/webhook.go b/s3log/webhook.go index 1fe7cb6..c0e52af 100644 --- a/s3log/webhook.go +++ b/s3log/webhook.go @@ -65,7 +65,10 @@ func (wl *WebhookLogger) Log(ctx *fiber.Ctx, err error, body []byte, meta LogMet access := "-" reqURI := ctx.OriginalURL() path := strings.Split(ctx.Path(), "/") - bucket, object := path[1], strings.Join(path[2:], "/") + var bucket, object string + if len(path) > 1 { + bucket, object = path[1], strings.Join(path[2:], "/") + } errorCode := "" httpStatus := 200 startTime := ctx.Locals("startTime").(time.Time)