mirror of
https://github.com/minio/minio.git
synced 2024-12-25 06:35:56 -05:00
Verify if request date is 5minutes late, reject such a request as
it could be a possible replay attack. This commit also fixes #505, by returning MethodNotAllowed instead of NotImplemented
This commit is contained in:
parent
1531802b73
commit
ade803a923
@ -17,18 +17,24 @@
|
|||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/minio-io/minio/pkg/api/config"
|
"github.com/minio-io/minio/pkg/api/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
type vHandler struct {
|
type timeHandler struct {
|
||||||
|
handler http.Handler
|
||||||
|
}
|
||||||
|
|
||||||
|
type validateHandler struct {
|
||||||
conf config.Config
|
conf config.Config
|
||||||
handler http.Handler
|
handler http.Handler
|
||||||
}
|
}
|
||||||
|
|
||||||
type rHandler struct {
|
type resourceHandler struct {
|
||||||
handler http.Handler
|
handler http.Handler
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -45,17 +51,58 @@ func stripAccessKey(r *http.Request) string {
|
|||||||
return splits[0]
|
return splits[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getDate(req *http.Request) (time.Time, error) {
|
||||||
|
if req.Header.Get("x-amz-date") != "" {
|
||||||
|
return time.Parse(http.TimeFormat, req.Header.Get("x-amz-date"))
|
||||||
|
}
|
||||||
|
if req.Header.Get("Date") != "" {
|
||||||
|
return time.Parse(http.TimeFormat, req.Header.Get("Date"))
|
||||||
|
}
|
||||||
|
return time.Time{}, errors.New("invalid request")
|
||||||
|
}
|
||||||
|
|
||||||
|
func timeValidityHandler(h http.Handler) http.Handler {
|
||||||
|
return timeHandler{h}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
|
acceptsContentType := getContentType(r)
|
||||||
|
if acceptsContentType == unknownContentType {
|
||||||
|
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// Verify if date headers are set, if not reject the request
|
||||||
|
if r.Header.Get("x-amz-date") == "" && r.Header.Get("Date") == "" {
|
||||||
|
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
||||||
|
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
date, err := getDate(r)
|
||||||
|
if err != nil {
|
||||||
|
// there is no way to knowing if this is a valid request, could be a attack reject such clients
|
||||||
|
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
duration := time.Since(date)
|
||||||
|
minutes := time.Duration(5) * time.Minute
|
||||||
|
if duration.Minutes() > minutes.Minutes() {
|
||||||
|
writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
h.handler.ServeHTTP(w, r)
|
||||||
|
}
|
||||||
|
|
||||||
// Validate handler is wrapper handler used for API request validation with authorization header.
|
// Validate handler is wrapper handler used for API request validation with authorization header.
|
||||||
// Current authorization layer supports S3's standard HMAC based signature request.
|
// Current authorization layer supports S3's standard HMAC based signature request.
|
||||||
func validateHandler(conf config.Config, h http.Handler) http.Handler {
|
func validateRequestHandler(conf config.Config, h http.Handler) http.Handler {
|
||||||
return vHandler{
|
return validateHandler{
|
||||||
conf: conf,
|
conf: conf,
|
||||||
handler: h,
|
handler: h,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate handler ServeHTTP() wrapper
|
// Validate handler ServeHTTP() wrapper
|
||||||
func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func (h validateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
acceptsContentType := getContentType(r)
|
acceptsContentType := getContentType(r)
|
||||||
if acceptsContentType == unknownContentType {
|
if acceptsContentType == unknownContentType {
|
||||||
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||||
@ -105,21 +152,25 @@ func (h vHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
// Since we do not support all the S3 queries, it is necessary for us to throw back a
|
// Since we do not support all the S3 queries, it is necessary for us to throw back a
|
||||||
// valid error message indicating such a feature to have been not implemented.
|
// valid error message indicating such a feature to have been not implemented.
|
||||||
func ignoreResourcesHandler(h http.Handler) http.Handler {
|
func ignoreResourcesHandler(h http.Handler) http.Handler {
|
||||||
return rHandler{h}
|
return resourceHandler{h}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Resource handler ServeHTTP() wrapper
|
// Resource handler ServeHTTP() wrapper
|
||||||
func (h rHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func (h resourceHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
acceptsContentType := getContentType(r)
|
acceptsContentType := getContentType(r)
|
||||||
|
if acceptsContentType == unknownContentType {
|
||||||
|
writeErrorResponse(w, r, NotAcceptable, acceptsContentType, r.URL.Path)
|
||||||
|
return
|
||||||
|
}
|
||||||
if ignoreUnImplementedObjectResources(r) || ignoreUnImplementedBucketResources(r) {
|
if ignoreUnImplementedObjectResources(r) || ignoreUnImplementedBucketResources(r) {
|
||||||
error := getErrorCode(NotImplemented)
|
error := getErrorCode(NotImplemented)
|
||||||
errorResponse := getErrorResponse(error, "")
|
errorResponse := getErrorResponse(error, "")
|
||||||
setCommonHeaders(w, getContentTypeString(acceptsContentType))
|
setCommonHeaders(w, getContentTypeString(acceptsContentType))
|
||||||
w.WriteHeader(error.HTTPStatusCode)
|
w.WriteHeader(error.HTTPStatusCode)
|
||||||
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
|
w.Write(encodeErrorResponse(errorResponse, acceptsContentType))
|
||||||
} else {
|
return
|
||||||
h.handler.ServeHTTP(w, r)
|
|
||||||
}
|
}
|
||||||
|
h.handler.ServeHTTP(w, r)
|
||||||
}
|
}
|
||||||
|
|
||||||
//// helpers
|
//// helpers
|
||||||
|
@ -163,11 +163,7 @@ func (server *minioAPI) putObjectHandler(w http.ResponseWriter, req *http.Reques
|
|||||||
w.WriteHeader(http.StatusOK)
|
w.WriteHeader(http.StatusOK)
|
||||||
case drivers.ObjectExists:
|
case drivers.ObjectExists:
|
||||||
{
|
{
|
||||||
// we need to debate about this, if this is the right message to send back
|
writeErrorResponse(w, req, MethodNotAllowed, acceptsContentType, req.URL.Path)
|
||||||
// https://github.com/minio-io/minio/issues/505
|
|
||||||
|
|
||||||
// Ideally we can use 405 Method No Allowed
|
|
||||||
writeErrorResponse(w, req, NotImplemented, acceptsContentType, req.URL.Path)
|
|
||||||
}
|
}
|
||||||
case drivers.BadDigest:
|
case drivers.BadDigest:
|
||||||
{
|
{
|
||||||
|
@ -92,7 +92,9 @@ func HTTPHandler(domain string, driver drivers.Driver) http.Handler {
|
|||||||
log.Fatal(iodine.New(err, map[string]string{"domain": domain}))
|
log.Fatal(iodine.New(err, map[string]string{"domain": domain}))
|
||||||
}
|
}
|
||||||
|
|
||||||
h := validateHandler(conf, ignoreResourcesHandler(mux))
|
h := timeValidityHandler(mux)
|
||||||
|
h = ignoreResourcesHandler(h)
|
||||||
|
h = validateRequestHandler(conf, h)
|
||||||
h = quota.BandwidthCap(h, 25*1024*1024, time.Duration(30*time.Minute))
|
h = quota.BandwidthCap(h, 25*1024*1024, time.Duration(30*time.Minute))
|
||||||
h = quota.BandwidthCap(h, 100*1024*1024, time.Duration(24*time.Hour))
|
h = quota.BandwidthCap(h, 100*1024*1024, time.Duration(24*time.Hour))
|
||||||
h = quota.RequestLimit(h, 100, time.Duration(30*time.Minute))
|
h = quota.RequestLimit(h, 100, time.Duration(30*time.Minute))
|
||||||
|
@ -123,6 +123,7 @@ func setAuthHeader(req *http.Request) {
|
|||||||
encoder.Write(hm.Sum(nil))
|
encoder.Write(hm.Sum(nil))
|
||||||
encoder.Close()
|
encoder.Close()
|
||||||
req.Header.Set("Authorization", authHeader.String())
|
req.Header.Set("Authorization", authHeader.String())
|
||||||
|
req.Header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *MySuite) TestNonExistantBucket(c *C) {
|
func (s *MySuite) TestNonExistantBucket(c *C) {
|
||||||
|
@ -51,6 +51,7 @@ const (
|
|||||||
InvalidBucketName
|
InvalidBucketName
|
||||||
InvalidDigest
|
InvalidDigest
|
||||||
InvalidRange
|
InvalidRange
|
||||||
|
InvalidRequest
|
||||||
MalformedXML
|
MalformedXML
|
||||||
MissingContentLength
|
MissingContentLength
|
||||||
MissingRequestBodyError
|
MissingRequestBodyError
|
||||||
@ -61,11 +62,12 @@ const (
|
|||||||
RequestTimeTooSkewed
|
RequestTimeTooSkewed
|
||||||
SignatureDoesNotMatch
|
SignatureDoesNotMatch
|
||||||
TooManyBuckets
|
TooManyBuckets
|
||||||
|
MethodNotAllowed
|
||||||
)
|
)
|
||||||
|
|
||||||
// Error codes, non exhaustive list - standard HTTP errors
|
// Error codes, non exhaustive list - standard HTTP errors
|
||||||
const (
|
const (
|
||||||
NotAcceptable = iota + 21
|
NotAcceptable = iota + 23
|
||||||
)
|
)
|
||||||
|
|
||||||
// Error code to Error structure map
|
// Error code to Error structure map
|
||||||
@ -175,6 +177,11 @@ var errorCodeResponse = map[int]Error{
|
|||||||
Description: "You have attempted to create more buckets than allowed.",
|
Description: "You have attempted to create more buckets than allowed.",
|
||||||
HTTPStatusCode: http.StatusBadRequest,
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
},
|
},
|
||||||
|
MethodNotAllowed: {
|
||||||
|
Code: "MethodNotAllowed",
|
||||||
|
Description: "The specified method is not allowed against this resource.",
|
||||||
|
HTTPStatusCode: http.StatusMethodNotAllowed,
|
||||||
|
},
|
||||||
NotAcceptable: {
|
NotAcceptable: {
|
||||||
Code: "NotAcceptable",
|
Code: "NotAcceptable",
|
||||||
Description: "The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.",
|
Description: "The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.",
|
||||||
|
Loading…
Reference in New Issue
Block a user