Check for value > 7 days in X-Amz-Expires header. (#5163)

Add a check to see if the X-Amz-Expires header in the presigned URL is less than 7 days. Fixes #5162
2017-11-13 12:54:03 -08:00 · 2017-11-13 12:54:03 -08:00 · f460eceb6d
parent d10679866c
commit f460eceb6d
3 changed files with 35 additions and 0 deletions
--- a/cmd/api-errors.go
+++ b/cmd/api-errors.go
@ -120,6 +120,7 @@ const (
 	ErrBucketAlreadyExists
 	ErrMetadataTooLarge
 	ErrUnsupportedMetadata
+	ErrMaximumExpires
 	// Add new error codes here.

 	// Server-Side-Encryption (with Customer provided key) related API errors.
@ -725,6 +726,11 @@ var errorCodeResponse = map[APIErrorCode]APIError{
 		Description:    errObjectTampered.Error(),
 		HTTPStatusCode: http.StatusPartialContent,
 	},
+	ErrMaximumExpires: {
+		Code:           "AuthorizationQueryParametersError",
+		Description:    "X-Amz-Expires must be less than a week (in seconds); that is, the given X-Amz-Expires must be less than 604800 seconds",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	// Add your error structure here.
 }

--- a/cmd/signature-v4-parser.go
+++ b/cmd/signature-v4-parser.go
@ -188,6 +188,11 @@ func parsePreSignV4(query url.Values) (psv preSignValues, aec APIErrorCode) {
 	if preSignV4Values.Expires < 0 {
 		return psv, ErrNegativeExpires
 	}
+
+	// Check if Expiry time is less than 7 days (value in seconds).
+	if preSignV4Values.Expires.Seconds() > 604800 {
+		return psv, ErrMaximumExpires
+	}
 	// Save signed headers.
 	preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
 	if err != ErrNone {
--- a/cmd/signature-v4-parser_test.go
+++ b/cmd/signature-v4-parser_test.go
@ -750,6 +750,30 @@ func TestParsePreSignV4(t *testing.T) {
 			},
 			expectedErrCode: ErrNone,
 		},
+
+		// Test case - 9.
+		// Test case with value greater than 604800 in X-Amz-Expires header.
+		{
+			inputQueryKeyVals: []string{
+				// valid  "X-Amz-Algorithm" header.
+				"X-Amz-Algorithm", signV4Algorithm,
+				// valid  "X-Amz-Credential" header.
+				"X-Amz-Credential", joinWithSlash(
+					"Z7IXGOO6BZ0REAN1Q26I",
+					sampleTimeStr,
+					"us-west-1",
+					"s3",
+					"aws4_request"),
+				// valid "X-Amz-Date" query.
+				"X-Amz-Date", queryTime.UTC().Format(iso8601Format),
+				// Invalid Expiry time greater than 7 days (604800 in seconds).
+				"X-Amz-Expires", getDurationStr(605000),
+				"X-Amz-Signature", "abcd",
+				"X-Amz-SignedHeaders", "host;x-amz-content-sha256;x-amz-date",
+			},
+			expectedPreSignValues: preSignValues{},
+			expectedErrCode:       ErrMaximumExpires,
+		},
 	}

 	for i, testCase := range testCases {