Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PROD-30208] - add check on s3 url for @ after domain to prevent security risks #336

Merged
merged 1 commit into from
Sep 21, 2023
Merged

[PROD-30208] - add check on s3 url for @ after domain to prevent security risks #336

merged 1 commit into from
Sep 21, 2023

Conversation

CharisVrettos
Copy link
Contributor

No description provided.

@CharisVrettos CharisVrettos added the bug Something isn't working label Sep 20, 2023
@CharisVrettos CharisVrettos self-assigned this Sep 20, 2023
klesgidis
klesgidis approved these changes Sep 21, 2023
View reviewed changes
src/initializers/joi.ts
Comment on lines +193 to +194
const { hostname, protocol, pathname} = new URL(value);
if (!isOwnS3Path(bucket, `${protocol}//${hostname}${pathname}`)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clever! 💯
I think we could also simplify it by doing

Suggested change
const { hostname, protocol, pathname} = new URL(value);
if (!isOwnS3Path(bucket, `${protocol}//${hostname}${pathname}`)) {
const { origin } = new URL(value);
if (!isOwnS3Path(bucket, origin)) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As talked offline we need the path name also to make the validation because s3 can have the bucket in the path after domain

@CharisVrettos CharisVrettos merged commit 85fcb4b into master Sep 21, 2023
6 checks passed
@CharisVrettos CharisVrettos deleted the PROD-30208_fix-porssible-ssrf-attack-on-s3-url branch September 21, 2023 08:41
@tomtoump
Copy link

@CharisVrettos Wouldn't it be better to update isOwnS3Path's definition? This would also solve the same issue for cases like this, that import the specific function.

@tomtoump
Copy link

I was trying to say that the url parsing could take place in the function's definition here, instead of inside the validate() function of the urlInOwnS3 joi extension.

@CharisVrettos
Copy link
Contributor Author

Sure, will move the destructuring in isOwnS3Path

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@klesgidis klesgidis klesgidis approved these changes

@jgerbe jgerbe Awaiting requested review from jgerbe jgerbe is a code owner

@kzacharakis kzacharakis Awaiting requested review from kzacharakis kzacharakis is a code owner

@nikosd23 nikosd23 Awaiting requested review from nikosd23 nikosd23 is a code owner

@nikostoulas nikostoulas Awaiting requested review from nikostoulas nikostoulas is a code owner

@stavros-wb stavros-wb Awaiting requested review from stavros-wb stavros-wb is a code owner

Assignees

@CharisVrettos CharisVrettos

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@CharisVrettos @tomtoump @klesgidis