mirror of
https://github.com/minio/minio.git
synced 2025-01-11 15:03:22 -05:00
Add test for fixed post policy exploit (#16855)
This commit is contained in:
parent
8d6558b236
commit
09c733677a
@ -27,6 +27,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -114,6 +115,65 @@ func newPostPolicyBytesV2(bucketName, objectKey string, expiration time.Time) []
|
|||||||
return []byte(retStr)
|
return []byte(retStr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Wrapper
|
||||||
|
func TestPostPolicyReservedBucketExploit(t *testing.T) {
|
||||||
|
ExecObjectLayerTestWithDirs(t, testPostPolicyReservedBucketExploit)
|
||||||
|
}
|
||||||
|
|
||||||
|
// testPostPolicyReservedBucketExploit is a test for the exploit fixed in PR
|
||||||
|
// #16849
|
||||||
|
func testPostPolicyReservedBucketExploit(obj ObjectLayer, instanceType string, dirs []string, t TestErrHandler) {
|
||||||
|
if err := newTestConfig(globalMinioDefaultRegion, obj); err != nil {
|
||||||
|
t.Fatalf("Initializing config.json failed")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Register the API end points with Erasure/FS object layer.
|
||||||
|
apiRouter := initTestAPIEndPoints(obj, []string{"PostPolicy"})
|
||||||
|
|
||||||
|
credentials := globalActiveCred
|
||||||
|
bucketName := minioMetaBucket
|
||||||
|
objectName := "config/x"
|
||||||
|
|
||||||
|
// This exploit needs browser to be enabled.
|
||||||
|
if !globalBrowserEnabled {
|
||||||
|
globalBrowserEnabled = true
|
||||||
|
defer func() { globalBrowserEnabled = false }()
|
||||||
|
}
|
||||||
|
|
||||||
|
// initialize HTTP NewRecorder, this records any mutations to response writer inside the handler.
|
||||||
|
rec := httptest.NewRecorder()
|
||||||
|
req, perr := newPostRequestV4("", bucketName, objectName, []byte("pwned"), credentials.AccessKey, credentials.SecretKey)
|
||||||
|
if perr != nil {
|
||||||
|
t.Fatalf("Test %s: Failed to create HTTP request for PostPolicyHandler: <ERROR> %v", instanceType, perr)
|
||||||
|
}
|
||||||
|
|
||||||
|
contentTypeHdr := req.Header.Get("Content-Type")
|
||||||
|
contentTypeHdr = strings.Replace(contentTypeHdr, "multipart/form-data", "multipart/form-datA", 1)
|
||||||
|
req.Header.Set("Content-Type", contentTypeHdr)
|
||||||
|
req.Header.Set("User-Agent", "Mozilla")
|
||||||
|
|
||||||
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic ofthe handler.
|
||||||
|
// Call the ServeHTTP to execute the handler.
|
||||||
|
apiRouter.ServeHTTP(rec, req)
|
||||||
|
|
||||||
|
ctx, cancel := context.WithCancel(GlobalContext)
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
// Now check if we actually wrote to backend (regardless of the response
|
||||||
|
// returned by the server).
|
||||||
|
z := obj.(*erasureServerPools)
|
||||||
|
xl := z.serverPools[0].sets[0]
|
||||||
|
erasureDisks := xl.getDisks()
|
||||||
|
parts, errs := readAllFileInfo(ctx, erasureDisks, bucketName, objectName+"/upload.txt", "", false)
|
||||||
|
for i := range parts {
|
||||||
|
if errs[i] == nil {
|
||||||
|
if parts[i].Name == objectName+"/upload.txt" {
|
||||||
|
t.Errorf("Test %s: Failed to stop post policy handler from writing to minioMetaBucket", instanceType)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Wrapper for calling TestPostPolicyBucketHandler tests for both Erasure multiple disks and single node setup.
|
// Wrapper for calling TestPostPolicyBucketHandler tests for both Erasure multiple disks and single node setup.
|
||||||
func TestPostPolicyBucketHandler(t *testing.T) {
|
func TestPostPolicyBucketHandler(t *testing.T) {
|
||||||
ExecObjectLayerTest(t, testPostPolicyBucketHandler)
|
ExecObjectLayerTest(t, testPostPolicyBucketHandler)
|
||||||
|
@ -1885,21 +1885,29 @@ func ExecObjectLayerTestWithDirs(t TestErrHandler, objTest objTestTypeWithDirs)
|
|||||||
ctx, cancel := context.WithCancel(context.Background())
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
|
if localMetacacheMgr != nil {
|
||||||
|
localMetacacheMgr.deleteAll()
|
||||||
|
}
|
||||||
|
|
||||||
|
initAllSubsystems(ctx)
|
||||||
objLayer, fsDirs, err := prepareErasure16(ctx)
|
objLayer, fsDirs, err := prepareErasure16(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Initialization of object layer failed for Erasure setup: %s", err)
|
t.Fatalf("Initialization of object layer failed for Erasure setup: %s", err)
|
||||||
}
|
}
|
||||||
defer objLayer.Shutdown(ctx)
|
setObjectLayer(objLayer)
|
||||||
|
initConfigSubsystem(ctx, objLayer)
|
||||||
// initialize the server and obtain the credentials and root.
|
globalIAMSys.Init(ctx, objLayer, globalEtcdClient, 2*time.Second)
|
||||||
// credentials are necessary to sign the HTTP request.
|
|
||||||
if err = newTestConfig(globalMinioDefaultRegion, objLayer); err != nil {
|
|
||||||
t.Fatal("Unexpected error", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Executing the object layer tests for Erasure.
|
// Executing the object layer tests for Erasure.
|
||||||
objTest(objLayer, ErasureTestStr, fsDirs, t)
|
objTest(objLayer, ErasureTestStr, fsDirs, t)
|
||||||
defer removeRoots(fsDirs)
|
|
||||||
|
objLayer.Shutdown(context.Background())
|
||||||
|
if localMetacacheMgr != nil {
|
||||||
|
localMetacacheMgr.deleteAll()
|
||||||
|
}
|
||||||
|
setObjectLayer(newObjectLayerFn())
|
||||||
|
cancel()
|
||||||
|
removeRoots(fsDirs)
|
||||||
}
|
}
|
||||||
|
|
||||||
// ExecObjectLayerDiskAlteredTest - executes object layer tests while altering
|
// ExecObjectLayerDiskAlteredTest - executes object layer tests while altering
|
||||||
|
@ -189,7 +189,7 @@ func Lookup(s config.Config, rootCAs *x509.CertPool) (l Config, err error) {
|
|||||||
SRVRecordName: getCfgVal(SRVRecordName),
|
SRVRecordName: getCfgVal(SRVRecordName),
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse explicity enable=on/off flag. If not set, defaults to `true`
|
// Parse explicitly enable=on/off flag. If not set, defaults to `true`
|
||||||
// because ServerAddr is set.
|
// because ServerAddr is set.
|
||||||
if v := getCfgVal(config.Enable); v != "" {
|
if v := getCfgVal(config.Enable); v != "" {
|
||||||
l.LDAP.Enabled, err = config.ParseBool(v)
|
l.LDAP.Enabled, err = config.ParseBool(v)
|
||||||
|
Loading…
Reference in New Issue
Block a user