Merge pull request #1613 from versity/sis/copyobject-non-empty-body

fix: adds request body check for CopyObject and UploadPartCopy
2026-01-05 11:24:52 +00:00 · 2025-11-04 11:39:56 -08:00
parent a6e8752b33 9a01185be9
commit efe4ccb5ec
3 changed files with 65 additions and 0 deletions
--- a/s3api/controllers/object-put.go
+++ b/s3api/controllers/object-put.go
@@ -354,6 +354,15 @@ func (c S3ApiController) UploadPartCopy(ctx *fiber.Ctx) (*Response, error) {
 		}, err
 	}

+	if len(ctx.Request().Body()) != 0 {
+		debuglogger.Logf("expected empty request body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrNonEmptyRequestBody)
+	}
+
 	if partNumber < minPartNumber || partNumber > maxPartNumber {
 		debuglogger.Logf("invalid part number: %d", partNumber)
 		return &Response{
@@ -490,6 +499,15 @@ func (c S3ApiController) CopyObject(ctx *fiber.Ctx) (*Response, error) {
 		}, err
 	}

+	if len(ctx.Request().Body()) != 0 {
+		debuglogger.Logf("expected empty request body")
+		return &Response{
+			MetaOpts: &MetaOptions{
+				BucketOwner: parsedAcl.Owner,
+			},
+		}, s3err.GetAPIError(s3err.ErrNonEmptyRequestBody)
+	}
+
 	metadata := utils.GetUserMetaData(&ctx.Request().Header)

 	if metaDirective != "" && metaDirective != types.MetadataDirectiveCopy && metaDirective != types.MetadataDirectiveReplace {
--- a/s3api/controllers/object-put_test.go
+++ b/s3api/controllers/object-put_test.go
@@ -599,6 +599,27 @@ func TestS3ApiController_UploadPartCopy(t *testing.T) {
 				err: s3err.GetAPIError(s3err.ErrInvalidCopySourceEncoding),
 			},
 		},
+		{
+			name: "non empty request body",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Copy-Source": "bucket/object",
+				},
+				queries: map[string]string{
+					"partNumber": "2",
+				},
+				body: []byte("body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNonEmptyRequestBody),
+			},
+		},
 		{
 			name: "invalid part number",
 			input: testInput{
@@ -696,6 +717,7 @@ func TestS3ApiController_UploadPartCopy(t *testing.T) {
 					locals:  tt.input.locals,
 					headers: tt.input.headers,
 					queries: tt.input.queries,
+					body:    tt.input.body,
 				})
 		})
 	}
@@ -817,6 +839,24 @@ func TestS3ApiController_CopyObject(t *testing.T) {
 				err: s3err.GetAPIError(s3err.ErrInvalidCopySourceBucket),
 			},
 		},
+		{
+			name: "invalid copy source",
+			input: testInput{
+				locals: defaultLocals,
+				headers: map[string]string{
+					"X-Amz-Copy-Source": "bucket/object",
+				},
+				body: []byte("body"),
+			},
+			output: testOutput{
+				response: &Response{
+					MetaOpts: &MetaOptions{
+						BucketOwner: "root",
+					},
+				},
+				err: s3err.GetAPIError(s3err.ErrNonEmptyRequestBody),
+			},
+		},
 		{
 			name: "invalid metadata directive",
 			input: testInput{
@@ -999,6 +1039,7 @@ func TestS3ApiController_CopyObject(t *testing.T) {
 				ctxInputs{
 					locals:  tt.input.locals,
 					headers: tt.input.headers,
+					body:    tt.input.body,
 				})
 		})
 	}