From 94348831bc52dd708ef9be289f894d908d6246c4 Mon Sep 17 00:00:00 2001 From: Trinity Pointard Date: Mon, 17 Jan 2022 19:39:50 +0100 Subject: [PATCH] verify date of presigned urls properly --- src/api/signature/payload.rs | 54 ++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index b13819a8..4b13387a 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -38,20 +38,9 @@ pub async fn check_payload_signature( parse_query_authorization(&headers)? }; - let date = headers - .get("x-amz-date") - .ok_or_bad_request("Missing X-Amz-Date field")?; - let date: NaiveDateTime = - NaiveDateTime::parse_from_str(date, LONG_DATETIME).ok_or_bad_request("Invalid date")?; - let date: DateTime = DateTime::from_utc(date, Utc); - - if Utc::now() - date > Duration::hours(24) { - return Err(Error::BadRequest("Date is too old".to_string())); - } - let scope = format!( "{}/{}/s3/aws4_request", - date.format(SHORT_DATE), + authorization.date.format(SHORT_DATE), garage.config.s3_api.s3_region ); if authorization.scope != scope { @@ -74,10 +63,10 @@ pub async fn check_payload_signature( &authorization.signed_headers, &authorization.content_sha256, ); - let string_to_sign = string_to_sign(&date, &scope, &canonical_request); + let string_to_sign = string_to_sign(&authorization.date, &scope, &canonical_request); let mut hmac = signing_hmac( - &date, + &authorization.date, &key_p.secret_key, &garage.config.s3_api.s3_region, "s3", @@ -113,6 +102,7 @@ struct Authorization { signed_headers: String, signature: String, content_sha256: String, + date: DateTime, } fn parse_authorization( @@ -147,6 +137,17 @@ fn parse_authorization( .get("x-amz-content-sha256") .ok_or_bad_request("Missing X-Amz-Content-Sha256 field")?; + let date = headers + .get("x-amz-date") + .ok_or_bad_request("Missing X-Amz-Date field")?; + let date: NaiveDateTime = + NaiveDateTime::parse_from_str(date, LONG_DATETIME).ok_or_bad_request("Invalid date")?; + let date: DateTime = DateTime::from_utc(date, Utc); + + if Utc::now() - date > Duration::hours(24) { + return Err(Error::BadRequest("Date is too old".to_string())); + } + let auth = Authorization { key_id, scope, @@ -159,6 +160,7 @@ fn parse_authorization( .ok_or_bad_request("Could not find Signature in Authorization field")? .to_string(), content_sha256: content_sha256.to_string(), + date, }; Ok(auth) } @@ -188,12 +190,36 @@ fn parse_query_authorization(headers: &HashMap) -> Result 7 * 24 * 3600 { + return Err(Error::BadRequest( + "X-Amz-Exprires may not exceed a week".to_string(), + )); + } + + let date = headers + .get("x-amz-date") + .ok_or_bad_request("Missing X-Amz-Date field")?; + let date: NaiveDateTime = + NaiveDateTime::parse_from_str(date, LONG_DATETIME).ok_or_bad_request("Invalid date")?; + let date: DateTime = DateTime::from_utc(date, Utc); + + if Utc::now() - date > Duration::seconds(duration) { + return Err(Error::BadRequest("Date is too old".to_string())); + } + Ok(Authorization { key_id, scope, signed_headers: signed_headers.to_string(), signature: signature.to_string(), content_sha256: content_sha256.to_string(), + date, }) }