Saturday 5 December 2020

S3.createPresignedPost() condition error returns to user exact condition needed to upload content

When adding Conditions to a set of presigned post parameters, for example:

        const params: PresignedPost.Params = {
        Expires: 7200,
        Bucket: myBucket,
        Conditions: [
            ['eq', '$key', filename],
            ['content-length-range', 1, defaultUploadLimit],
        ],
    };

and using this presigned URL to then POST content to my bucket, if the user doesn't satisfy the condition on the first attempt, the error message returns the exact key the user needs to pass the condition:

    <?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>AccessDenied</Code>
    <Message>Invalid according to Policy: Policy Condition failed: ["eq", "$key", "myfile.txt"]</Message>
    <RequestId>yaddayadda</RequestId>
    <HostId>yaddayadda</HostId>
</Error>

This is an enormous security violation for us, we cannot have sensitive filenames shown at any point of our ingestion/retrieval processes.

We also need to validate the file in some way or another that the user is uploading, since this cannot be done on content-type using presigned POST I see no other way of accomplishing this.

Does anyone know if there is a way to restrict S3 error messages? Or another way of validating what the user is uploading using the presigned post which doesn't leak sensitive information?



from S3.createPresignedPost() condition error returns to user exact condition needed to upload content

No comments:

Post a Comment