add missing validate access keys after being extracted from AuthHeader

pkg/api/api_generic_handlers.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/minio/minio/pkg/api/config"
+	"github.com/minio/minio/pkg/utils/crypto/keys"
 )
 
 type contentTypeHandler struct {
@@ -78,6 +79,9 @@ func stripAuth(r *http.Request) (*auth, error) {
 	a.signedheaders = strings.Split(signedheaders, "=")[1]
 	a.signature = strings.Split(signature, "=")[1]
 	a.accessKey = strings.Split(a.credential, "/")[0]
+	if !keys.IsValidAccessKey(a.accessKey) {
+		return nil, errors.New("Invalid access key")
+	}
 	return a, nil
 }
 

pkg/utils/crypto/keys/common.go

@@ -16,6 +16,8 @@
 
 package keys
 
+import "regexp"
+
 // AccessID and SecretID length in bytes
 const (
 	MinioAccessID = 20
@@ -24,26 +26,20 @@ const (
 
 /// helpers
 
-// Is alphanumeric?
+// IsValidSecretKey - validate secret key
-func isalnum(c byte) bool {
+func IsValidSecretKey(secretAccessKey string) bool {
-	return '0' <= c && c <= '9' || 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z'
+	if secretAccessKey == "" {
+		return true
+	}
+	regex := regexp.MustCompile("^.{40}$")
+	return regex.MatchString(secretAccessKey)
 }
 
-// IsValidAccessKey - validate access key for only alphanumeric characters
+// IsValidAccessKey - validate access key
-func IsValidAccessKey(key []byte) bool {
+func IsValidAccessKey(accessKeyID string) bool {
-	for _, char := range key {
+	if accessKeyID == "" {
-		if isalnum(char) {
-			continue
-		}
-		switch char {
-		case '-':
-		case '.':
-		case '_':
-		case '~':
-			continue
-		default:
-			return false
-		}
-	}
 		return true
+	}
+	regex := regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$")
+	return regex.MatchString(accessKeyID)
 }