Verify if request date is 5minutes late, reject such a request as

it could be a possible replay attack.

This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented
This commit is contained in:
Harshavardhana 2015-04-27 03:54:49 -07:00
parent 1531802b73
commit ade803a923
5 changed files with 73 additions and 16 deletions

View File

@ -17,18 +17,24 @@
package api package api
import ( import (
"errors"
"net/http" "net/http"
"strings" "strings"
"time"
"github.com/minio-io/minio/pkg/api/config" "github.com/minio-io/minio/pkg/api/config"
) )
type vHandler struct { type timeHandler struct {
handler http.Handler
}
type validateHandler struct {
conf config.Config conf config.Config
handler http.Handler handler http.Handler
} }
type rHandler struct { type resourceHandler struct {
handler http.Handler handler http.Handler
} }
@ -45,17 +51,58 @@ func stripAccessKey(r *http.Request) string {
return splits[0] return splits[0]
} }
func getDate(req *http.Request) (time.Time, error) {
if req.Header.Get("x-amz-date") != "" {
return time.Parse(http.TimeFormat, req.Header.Get("x-amz-date"))
}
if req.Header.Get("Date") != "" {
return time.Parse(http.TimeFormat, req.Header.Get("Date"))
}
return time.Time{}, errors.New("invalid request")
}
func timeValidityHandler(h http.Handler) http.Handler {
return timeHandler{h}
}
func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
acceptsContentType := getContentType(r)
if acceptsContentType == unknownContentType {
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
return
}
// Verify if date headers are set, if not reject the request
if r.Header.Get("x-amz-date") == "" && r.Header.Get("Date") == "" {
// there is no way to knowing if this is a valid request, could be a attack reject such clients
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
return
}
date, err := getDate(r)
if err != nil {
// there is no way to knowing if this is a valid request, could be a attack reject such clients
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
return
}
duration := time.Since(date)
minutes := time.Duration(5) * time.Minute
if duration.Minutes() > minutes.Minutes() {
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
return
}
h.handler.ServeHTTP(w, r)
}
// Validate handler is wrapper handler used for API request validation with authorization header. // Validate handler is wrapper handler used for API request validation with authorization header.
// Current authorization layer supports S3's standard HMAC based signature request. // Current authorization layer supports S3's standard HMAC based signature request.
func validateHandler(conf config.Config, h http.Handler) http.Handler { func validateRequestHandler(conf config.Config, h http.Handler) http.Handler {
return vHandler{ return validateHandler{
conf: conf, conf: conf,
handler: h, handler: h,
} }
} }
// Validate handler ServeHTTP() wrapper // Validate handler ServeHTTP() wrapper
func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (h validateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
acceptsContentType := getContentType(r) acceptsContentType := getContentType(r)
if acceptsContentType == unknownContentType { if acceptsContentType == unknownContentType {
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path) writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
@ -105,21 +152,25 @@ func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Since we do not support all the S3 queries, it is necessary for us to throw back a // Since we do not support all the S3 queries, it is necessary for us to throw back a
// valid error message indicating such a feature to have been not implemented. // valid error message indicating such a feature to have been not implemented.
func ignoreResourcesHandler(h http.Handler) http.Handler { func ignoreResourcesHandler(h http.Handler) http.Handler {
return rHandler{h} return resourceHandler{h}
} }
// Resource handler ServeHTTP() wrapper // Resource handler ServeHTTP() wrapper
func (h rHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
acceptsContentType := getContentType(r) acceptsContentType := getContentType(r)
if acceptsContentType == unknownContentType {
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
return
}
if ignoreUnImplementedObjectResources(r) || ignoreUnImplementedBucketResources(r) { if ignoreUnImplementedObjectResources(r) || ignoreUnImplementedBucketResources(r) {
error := getErrorCode(NotImplemented) error := getErrorCode(NotImplemented)
errorResponse := getErrorResponse(error, "") errorResponse := getErrorResponse(error, "")
setCommonHeaders(w, getContentTypeString(acceptsContentType)) setCommonHeaders(w, getContentTypeString(acceptsContentType))
w.WriteHeader(error.HTTPStatusCode) w.WriteHeader(error.HTTPStatusCode)
w.Write(encodeErrorResponse(errorResponse, acceptsContentType)) w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
} else { return
h.handler.ServeHTTP(w, r)
} }
h.handler.ServeHTTP(w, r)
} }
//// helpers //// helpers

View File

@ -163,11 +163,7 @@ func (server *minioAPI) putObjectHandler(w http.ResponseWriter, req *http.Reques
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
case drivers.ObjectExists: case drivers.ObjectExists:
{ {
// we need to debate about this, if this is the right message to send back writeErrorResponse(w, req, MethodNotAllowed, acceptsContentType, req.URL.Path)
// https://github.com/minio-io/minio/issues/505
// Ideally we can use 405 Method No Allowed
writeErrorResponse(w, req, NotImplemented, acceptsContentType, req.URL.Path)
} }
case drivers.BadDigest: case drivers.BadDigest:
{ {

View File

@ -92,7 +92,9 @@ func HTTPHandler(domain string, driver drivers.Driver) http.Handler {
log.Fatal(iodine.New(err, map[string]string{"domain": domain})) log.Fatal(iodine.New(err, map[string]string{"domain": domain}))
} }
h := validateHandler(conf, ignoreResourcesHandler(mux)) h := timeValidityHandler(mux)
h = ignoreResourcesHandler(h)
h = validateRequestHandler(conf, h)
h = quota.BandwidthCap(h, 25*1024*1024, time.Duration(30*time.Minute)) h = quota.BandwidthCap(h, 25*1024*1024, time.Duration(30*time.Minute))
h = quota.BandwidthCap(h, 100*1024*1024, time.Duration(24*time.Hour)) h = quota.BandwidthCap(h, 100*1024*1024, time.Duration(24*time.Hour))
h = quota.RequestLimit(h, 100, time.Duration(30*time.Minute)) h = quota.RequestLimit(h, 100, time.Duration(30*time.Minute))

View File

@ -123,6 +123,7 @@ func setAuthHeader(req *http.Request) {
encoder.Write(hm.Sum(nil)) encoder.Write(hm.Sum(nil))
encoder.Close() encoder.Close()
req.Header.Set("Authorization", authHeader.String()) req.Header.Set("Authorization", authHeader.String())
req.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
} }
func (s *MySuite) TestNonExistantBucket(c *C) { func (s *MySuite) TestNonExistantBucket(c *C) {

View File

@ -51,6 +51,7 @@ const (
InvalidBucketName InvalidBucketName
InvalidDigest InvalidDigest
InvalidRange InvalidRange
InvalidRequest
MalformedXML MalformedXML
MissingContentLength MissingContentLength
MissingRequestBodyError MissingRequestBodyError
@ -61,11 +62,12 @@ const (
RequestTimeTooSkewed RequestTimeTooSkewed
SignatureDoesNotMatch SignatureDoesNotMatch
TooManyBuckets TooManyBuckets
MethodNotAllowed
) )
// Error codes, non exhaustive list - standard HTTP errors // Error codes, non exhaustive list - standard HTTP errors
const ( const (
NotAcceptable = iota + 21 NotAcceptable = iota + 23
) )
// Error code to Error structure map // Error code to Error structure map
@ -175,6 +177,11 @@ var errorCodeResponse = map[int]Error{
Description: "You have attempted to create more buckets than allowed.", Description: "You have attempted to create more buckets than allowed.",
HTTPStatusCode: http.StatusBadRequest, HTTPStatusCode: http.StatusBadRequest,
}, },
MethodNotAllowed: {
Code: "MethodNotAllowed",
Description: "The specified method is not allowed against this resource.",
HTTPStatusCode: http.StatusMethodNotAllowed,
},
NotAcceptable: { NotAcceptable: {
Code: "NotAcceptable", Code: "NotAcceptable",
Description: "The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.", Description: "The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.",