Check for s3zip content offset (#15924)

This commit is contained in:
Klaus Post 2022-10-22 00:37:48 +02:00 committed by GitHub
parent e4e90b53c1
commit 86d543d0f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 8 deletions


@ -29,6 +29,7 @@ import (
"strings" "strings"
"github.com/minio/minio/internal/crypto" "github.com/minio/minio/internal/crypto"
xhttp "github.com/minio/minio/internal/http"
xioutil "github.com/minio/minio/internal/ioutil" xioutil "github.com/minio/minio/internal/ioutil"
"github.com/minio/minio/internal/logger" "github.com/minio/minio/internal/logger"
"github.com/minio/pkg/bucket/policy" "github.com/minio/pkg/bucket/policy"
@ -122,6 +123,17 @@ func (api objectAPIHandlers) getObjectInArchiveFileHandler(ctx context.Context,
return return
} }
// We do not allow offsetting into extracted files.
if opts.PartNumber != 0 {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPartNumber), r.URL)
return
}
if r.Header.Get(xhttp.Range) != "" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRange), r.URL)
return
}
// Validate pre-conditions if any. // Validate pre-conditions if any.
opts.CheckPrecondFn = func(oi ObjectInfo) bool { opts.CheckPrecondFn = func(oi ObjectInfo) bool {
if objectAPI.IsEncryptionSupported() { if objectAPI.IsEncryptionSupported() {
@ -192,6 +204,8 @@ func (api objectAPIHandlers) getObjectInArchiveFileHandler(ctx context.Context,
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
return return
} }
// s3zip does not allow ranges
w.Header().Del(xhttp.AcceptRanges)
setHeadGetRespHeaders(w, r.Form) setHeadGetRespHeaders(w, r.Form)
@ -410,13 +424,22 @@ func (api objectAPIHandlers) headObjectInArchiveFileHandler(ctx context.Context,
return return
} }
var rs *HTTPRangeSpec
// Validate pre-conditions if any. // Validate pre-conditions if any.
opts.CheckPrecondFn = func(oi ObjectInfo) bool { opts.CheckPrecondFn = func(oi ObjectInfo) bool {
return checkPreconditions(ctx, w, r, oi, opts) return checkPreconditions(ctx, w, r, oi, opts)
} }
// We do not allow offsetting into extracted files.
if opts.PartNumber != 0 {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidPartNumber), r.URL)
return
}
if r.Header.Get(xhttp.Range) != "" {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidRange), r.URL)
return
}
zipObjInfo, err := getObjectInfo(ctx, bucket, zipPath, opts) zipObjInfo, err := getObjectInfo(ctx, bucket, zipPath, opts)
if err != nil { if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL) writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
@ -455,15 +478,14 @@ func (api objectAPIHandlers) headObjectInArchiveFileHandler(ctx context.Context,
return return
} }
// s3zip does not allow ranges.
w.Header().Del(xhttp.AcceptRanges)
// Set any additional requested response headers. // Set any additional requested response headers.
setHeadGetRespHeaders(w, r.Form) setHeadGetRespHeaders(w, r.Form)
// Successful response. // Successful response.
if rs != nil { w.WriteHeader(http.StatusOK)
w.WriteHeader(http.StatusPartialContent)
} else {
w.WriteHeader(http.StatusOK)
}
} }
// Update the passed zip object metadata with the zip contents info, file name, modtime, size, etc.. // Update the passed zip object metadata with the zip contents info, file name, modtime, size, etc..
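Review bot: Deleting `Accept-Ranges` on the line after the `// s3zip does not allow ranges` comment (and again in the HEAD handler's matching hunk) only withdraws the hint; RFC 7233 §2.3 defines `Accept-Ranges: none` as the explicit way to tell clients that byte ranges are unsupported, so `w.Header().Set(xhttp.AcceptRanges, "none")` would keep well-behaved clients from probing with a Range and hitting the new InvalidRange error. The nine-line PartNumber/Range guard is now duplicated verbatim in both handlers and would read better as one shared helper that reports whether the request was rejected. In headObjectInArchiveFileHandler the guard sits after `opts.CheckPrecondFn` is assigned, whereas the GET handler rejects before assigning it; ordering both the same way keeps the two paths easy to compare. Both enclosing handler functions start and end outside these hunks.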


@ -31,10 +31,11 @@ All properties except the file size are tied to the zip file. This means that mo
- ListObjectsV2 can only list the most recent ZIP archive version of your object, applicable only for versioned buckets. - ListObjectsV2 can only list the most recent ZIP archive version of your object, applicable only for versioned buckets.
- ListObjectsV2 API calls must be used to list zip file content. - ListObjectsV2 API calls must be used to list zip file content.
- Range requests for GetObject/HeadObject for individual files from zip is not supported.
- Names inside ZIP files are kept unmodified, but some may lead to invalid paths. See [Object key naming guidelines](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html) on safe names. - Names inside ZIP files are kept unmodified, but some may lead to invalid paths. See [Object key naming guidelines](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html) on safe names.
- This API behavior is limited for following **read** operations on files inside a zip archive: - This API behavior is limited for following **read** operations on files inside a zip archive:
- `HeadObject` - `HeadObject`
- `GetObject` - `GetObject`
- `ListObjectsV2` - `ListObjectsV2`
- A maximum of 100,000 files inside a single ZIP archive is recommended for best performance and memory usage trade-off.
- If the ZIP file directory isn't located within the last 100MB the file will not be parsed. - If the ZIP file directory isn't located within the last 100MB the file will not be parsed.
- A maximum of 100M inside a single zip is allowed. However, a reasonable limit of 100,000 files inside a single ZIP archive is recommended for best performance and memory usage trade-off.