Restrict access keys for users and groups to not allow '=' or ',' (#19749)

* initial commit * Add UTF check --------- Co-authored-by: Harshavardhana <harsha@minio.io>
2025-11-07 12:52:58 -05:00 · 2024-05-28 13:14:16 -04:00
parent e5c83535af
commit 2d53854b19
6 changed files with 185 additions and 142 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1273,6 +1273,10 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, ureq madmin
 		return updatedAt, auth.ErrInvalidAccessKeyLength
 	}

+	if auth.ContainsReservedChars(accessKey) {
+		return updatedAt, auth.ErrContainsReservedChars
+	}
+
 	if !auth.IsSecretKeyValid(ureq.SecretKey) {
 		return updatedAt, auth.ErrInvalidSecretKeyLength
 	}
@@ -1766,6 +1770,10 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members []
 		return updatedAt, errServerNotInitialized
 	}

+	if auth.ContainsReservedChars(group) {
+		return updatedAt, errGroupNameContainsReservedChars
+	}
+
 	updatedAt, err = sys.store.AddUsersToGroup(ctx, group, members)
 	if err != nil {
 		return updatedAt, err