MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-04-06 12:50:34 -04:00
Code Issues Packages Projects Releases Wiki Activity

Validate and reject unusual requests (#7258)

Browse Source
This commit is contained in:
Krishna Srinivas 2019-02-19 21:02:41 -08:00 committed by Harshavardhana
parent 755e675d5c
commit ce960565b1
2 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
cmd/generic-handlers.go
View File

@ -550,14 +550,14 @@ func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
globalHTTPStats.updateStats(r, ww, durationSecs) globalHTTPStats.updateStats(r, ww, durationSecs)
} }
// pathValidityHandler validates all the incoming paths for // requestValidityHandler validates all the incoming paths for
// any bad components and rejects them. // any malicious requests.
type pathValidityHandler struct { type requestValidityHandler struct {
handler http.Handler handler http.Handler
} }
func setPathValidityHandler(h http.Handler) http.Handler { func setRequestValidityHandler(h http.Handler) http.Handler {
return pathValidityHandler{handler: h} return requestValidityHandler{handler: h}
} }
// Bad path components to be rejected by the path validity handler. // Bad path components to be rejected by the path validity handler.
@ -581,7 +581,18 @@ func hasBadPathComponent(path string) bool {
return false return false
} }
func (h pathValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Check if client is sending a malicious request.
func hasMultipleAuth(r *http.Request) bool {
authTypeCount := 0
for _, hasValidAuth := range []func(*http.Request) bool{isRequestSignatureV2, isRequestPresignedSignatureV2, isRequestSignatureV4, isRequestPresignedSignatureV4, isRequestJWT, isRequestPostPolicySignatureV4} {
if hasValidAuth(r) {
authTypeCount++
}
}
return authTypeCount > 1
}
func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Check for bad components in URL path. // Check for bad components in URL path.
if hasBadPathComponent(r.URL.Path) { if hasBadPathComponent(r.URL.Path) {
writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r)) writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
@ -596,6 +607,10 @@ func (h pathValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
} }
} }
if hasMultipleAuth(r) {
writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
return
}
h.handler.ServeHTTP(w, r) h.handler.ServeHTTP(w, r)
} }

4
cmd/routers.go
View File

@ -55,8 +55,8 @@ var globalHandlers = []HandlerFunc{
setBucketForwardingHandler, setBucketForwardingHandler,
// Ratelimit the incoming requests using a token bucket algorithm // Ratelimit the incoming requests using a token bucket algorithm
setRateLimitHandler, setRateLimitHandler,
// Validate all the incoming paths. // Validate all the incoming requests.
setPathValidityHandler, setRequestValidityHandler,
// Network statistics // Network statistics
setHTTPStatsHandler, setHTTPStatsHandler,
// Limits all requests size to a maximum fixed limit // Limits all requests size to a maximum fixed limit