fix: Added status property validation for PutObjectLegalHold action

2026-01-04 02:53:55 +00:00 · 2024-05-17 12:39:27 -04:00
parent 1a540a747d
commit 4bde84eafd
4 changed files with 38 additions and 6 deletions
--- a/s3api/controllers/base.go
+++ b/s3api/controllers/base.go
@@ -1405,11 +1405,21 @@ func (c S3ApiController) PutActions(ctx *fiber.Ctx) error {
 	if ctx.Request().URI().QueryArgs().Has("legal-hold") {
 		var legalHold types.ObjectLockLegalHold
 		if err := xml.Unmarshal(ctx.Body(), &legalHold); err != nil {
-			return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), &MetaOpts{
-				Logger:      c.logger,
-				Action:      "PutObjectLegalHold",
-				BucketOwner: parsedAcl.Owner,
-			})
+			return SendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest),
+				&MetaOpts{
+					Logger:      c.logger,
+					Action:      "PutObjectLegalHold",
+					BucketOwner: parsedAcl.Owner,
+				})
+		}
+
+		if legalHold.Status != types.ObjectLockLegalHoldStatusOff && legalHold.Status != types.ObjectLockLegalHoldStatusOn {
+			return SendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedXML),
+				&MetaOpts{
+					Logger:      c.logger,
+					Action:      "PutObjectLegalHold",
+					BucketOwner: parsedAcl.Owner,
+				})
 		}

 		if err := auth.VerifyAccess(ctx.Context(), c.be, auth.AccessOptions{
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
@@ -896,7 +896,7 @@ func TestS3ApiController_PutActions(t *testing.T) {

 	legalHoldBody := `
 	<LegalHold xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
-		<Status>string</Status>
+		<Status>ON</Status>
 	</LegalHold>
 	`

--- a/tests/integration/group-tests.go
+++ b/tests/integration/group-tests.go
@@ -344,6 +344,7 @@ func TestPutObjectLegalHold(s *S3Conf) {
 	PutObjectLegalHold_non_existing_bucket(s)
 	PutObjectLegalHold_non_existing_object(s)
 	PutObjectLegalHold_invalid_body(s)
+	PutObjectLegalHold_invalid_status(s)
 	PutObjectLegalHold_unset_bucket_object_lock_config(s)
 	PutObjectLegalHold_disabled_bucket_object_lock_config(s)
 	PutObjectLegalHold_success(s)
@@ -654,6 +655,7 @@ func GetIntTests() IntTests {
 		"PutObjectLegalHold_non_existing_bucket":                             PutObjectLegalHold_non_existing_bucket,
 		"PutObjectLegalHold_non_existing_object":                             PutObjectLegalHold_non_existing_object,
 		"PutObjectLegalHold_invalid_body":                                    PutObjectLegalHold_invalid_body,
+		"PutObjectLegalHold_invalid_status":                                  PutObjectLegalHold_invalid_status,
 		"PutObjectLegalHold_unset_bucket_object_lock_config":                 PutObjectLegalHold_unset_bucket_object_lock_config,
 		"PutObjectLegalHold_disabled_bucket_object_lock_config":              PutObjectLegalHold_disabled_bucket_object_lock_config,
 		"PutObjectLegalHold_success":                                         PutObjectLegalHold_success,
--- a/tests/integration/tests.go
+++ b/tests/integration/tests.go
@@ -6933,6 +6933,26 @@ func PutObjectLegalHold_invalid_body(s *S3Conf) error {
 	})
 }

+func PutObjectLegalHold_invalid_status(s *S3Conf) error {
+	testName := "PutObjectLegalHold_invalid_status"
+	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
+		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
+		_, err := s3client.PutObjectLegalHold(ctx, &s3.PutObjectLegalHoldInput{
+			Bucket: &bucket,
+			Key:    getPtr("my-obj"),
+			LegalHold: &types.ObjectLockLegalHold{
+				Status: types.ObjectLockLegalHoldStatus("invalid_status"),
+			},
+		})
+		cancel()
+		if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMalformedXML)); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
 func PutObjectLegalHold_unset_bucket_object_lock_config(s *S3Conf) error {
 	testName := "PutObjectLegalHold_unset_bucket_object_lock_config"
 	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {