mirror of https://github.com/minio/minio.git
Check for value > 7 days in X-Amz-Expires header. (#5163)
Add a check to see if the X-Amz-Expires header in the presigned URL is less than 7 days. Fixes #5162
parent
d10679866c
commit
f460eceb6d
|
@ -120,6 +120,7 @@ const (
|
||||||
ErrBucketAlreadyExists
|
ErrBucketAlreadyExists
|
||||||
ErrMetadataTooLarge
|
ErrMetadataTooLarge
|
||||||
ErrUnsupportedMetadata
|
ErrUnsupportedMetadata
|
||||||
|
ErrMaximumExpires
|
||||||
// Add new error codes here.
|
// Add new error codes here.
|
||||||
|
|
||||||
// Server-Side-Encryption (with Customer provided key) related API errors.
|
// Server-Side-Encryption (with Customer provided key) related API errors.
|
||||||
|
@ -725,6 +726,11 @@ var errorCodeResponse = map[APIErrorCode]APIError{
|
||||||
Description: errObjectTampered.Error(),
|
Description: errObjectTampered.Error(),
|
||||||
HTTPStatusCode: http.StatusPartialContent,
|
HTTPStatusCode: http.StatusPartialContent,
|
||||||
},
|
},
|
||||||
|
ErrMaximumExpires: {
|
||||||
|
Code: "AuthorizationQueryParametersError",
|
||||||
|
Description: "X-Amz-Expires must be less than a week (in seconds); that is, the given X-Amz-Expires must be less than 604800 seconds",
|
||||||
|
HTTPStatusCode: http.StatusBadRequest,
|
||||||
|
},
|
||||||
// Add your error structure here.
|
// Add your error structure here.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
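Review bot: The `Description` of the new `ErrMaximumExpires` entry says X-Amz-Expires "must be less than 604800 seconds", but the guard this commit adds in parsePreSignV4 rejects only values greater than 604800, so a request with exactly 604800 is accepted although the message says otherwise. If the text is kept verbatim for S3 client compatibility, a comment on the entry would record the actual contract, e.g. `// Returned when X-Amz-Expires exceeds 604800 seconds (7 days); exactly 604800 is accepted.` Otherwise word the limit as inclusive, `"X-Amz-Expires must not exceed 604800 seconds (7 days)"`. The literal 604800 appears both here and in the parser check, so a single named constant would keep the message and the enforcement from drifting apart.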
@ -188,6 +188,11 @@ func parsePreSignV4(query url.Values) (psv preSignValues, aec APIErrorCode) {
|
||||||
if preSignV4Values.Expires < 0 {
|
if preSignV4Values.Expires < 0 {
|
||||||
return psv, ErrNegativeExpires
|
return psv, ErrNegativeExpires
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if Expiry time is less than 7 days (value in seconds).
|
||||||
|
if preSignV4Values.Expires.Seconds() > 604800 {
|
||||||
|
return psv, ErrMaximumExpires
|
||||||
|
}
|
||||||
// Save signed headers.
|
// Save signed headers.
|
||||||
preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
|
preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
|
||||||
if err != ErrNone {
|
if err != ErrNone {
|
||||||
|
|
|
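Review bot: The new guard in parsePreSignV4 converts the expiry to float seconds and compares it with a bare literal, `preSignV4Values.Expires.Seconds() > 604800`. Since the `.Seconds()` call suggests Expires is a time.Duration, the durations can be compared directly and the limit named, e.g. `if preSignV4Values.Expires > 7*24*time.Hour {` (assuming `time` is imported in this file) or a package-level constant for the maximum presigned lifetime. The comment above it reads "less than 7 days" while the code accepts exactly 7 days; `// Reject an expiry longer than 7 days (604800 seconds); the limit itself is allowed.` describes what is enforced. parsePreSignV4 begins and ends outside this hunk.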
@ -750,6 +750,30 @@ func TestParsePreSignV4(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectedErrCode: ErrNone,
|
expectedErrCode: ErrNone,
|
||||||
},
|
},
|
||||||
|
|
||||||
|
// Test case - 9.
|
||||||
|
// Test case with value greater than 604800 in X-Amz-Expires header.
|
||||||
|
{
|
||||||
|
inputQueryKeyVals: []string{
|
||||||
|
// valid "X-Amz-Algorithm" header.
|
||||||
|
"X-Amz-Algorithm", signV4Algorithm,
|
||||||
|
// valid "X-Amz-Credential" header.
|
||||||
|
"X-Amz-Credential", joinWithSlash(
|
||||||
|
"Z7IXGOO6BZ0REAN1Q26I",
|
||||||
|
sampleTimeStr,
|
||||||
|
"us-west-1",
|
||||||
|
"s3",
|
||||||
|
"aws4_request"),
|
||||||
|
// valid "X-Amz-Date" query.
|
||||||
|
"X-Amz-Date", queryTime.UTC().Format(iso8601Format),
|
||||||
|
// Invalid Expiry time greater than 7 days (604800 in seconds).
|
||||||
|
"X-Amz-Expires", getDurationStr(605000),
|
||||||
|
"X-Amz-Signature", "abcd",
|
||||||
|
"X-Amz-SignedHeaders", "host;x-amz-content-sha256;x-amz-date",
|
||||||
|
},
|
||||||
|
expectedPreSignValues: preSignValues{},
|
||||||
|
expectedErrCode: ErrMaximumExpires,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, testCase := range testCases {
|
for i, testCase := range testCases {
|
||||||
|
|
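Review bot: The added case 9 in TestParsePreSignV4 uses 605000, which does not pin the boundary of the new check: a change of the comparison to `>=`, or of the limit to a nearby value, would still pass. Two further cases would fix the accepted maximum in the test, one with `"X-Amz-Expires", getDurationStr(604800)` expecting `ErrNone` (with its `expectedPreSignValues` filled in like the other success cases) and one with `getDurationStr(604801)` expecting `ErrMaximumExpires`. The test table and the function continue outside this hunk.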