Validate and reject unusual requests (#7258)

master
Krishna Srinivas 6 years ago committed by Harshavardhana
parent 755e675d5c
commit ce960565b1
  1. 27
      cmd/generic-handlers.go
  2. 4
      cmd/routers.go

@ -550,14 +550,14 @@ func (h httpStatsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
globalHTTPStats.updateStats(r, ww, durationSecs) globalHTTPStats.updateStats(r, ww, durationSecs)
} }
// pathValidityHandler validates all the incoming paths for // requestValidityHandler validates all the incoming paths for
// any bad components and rejects them. // any malicious requests.
type pathValidityHandler struct { type requestValidityHandler struct {
handler http.Handler handler http.Handler
} }
func setPathValidityHandler(h http.Handler) http.Handler { func setRequestValidityHandler(h http.Handler) http.Handler {
return pathValidityHandler{handler: h} return requestValidityHandler{handler: h}
} }
// Bad path components to be rejected by the path validity handler. // Bad path components to be rejected by the path validity handler.
@ -581,7 +581,18 @@ func hasBadPathComponent(path string) bool {
return false return false
} }
func (h pathValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Check if client is sending a malicious request.
func hasMultipleAuth(r *http.Request) bool {
authTypeCount := 0
for _, hasValidAuth := range []func(*http.Request) bool{isRequestSignatureV2, isRequestPresignedSignatureV2, isRequestSignatureV4, isRequestPresignedSignatureV4, isRequestJWT, isRequestPostPolicySignatureV4} {
if hasValidAuth(r) {
authTypeCount++
}
}
return authTypeCount > 1
}
func (h requestValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Check for bad components in URL path. // Check for bad components in URL path.
if hasBadPathComponent(r.URL.Path) { if hasBadPathComponent(r.URL.Path) {
writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r)) writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL, guessIsBrowserReq(r))
@ -596,6 +607,10 @@ func (h pathValidityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
} }
} }
if hasMultipleAuth(r) {
writeErrorResponse(context.Background(), w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL, guessIsBrowserReq(r))
return
}
h.handler.ServeHTTP(w, r) h.handler.ServeHTTP(w, r)
} }
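Review bot: The comment on hasMultipleAuth, `// Check if client is sending a malicious request.`, does not say what is actually checked; something like `// hasMultipleAuth reports whether the request matches more than one authentication type (signature V2/V4, presigned V2/V4, JWT, POST policy); the handler rejects such requests as ambiguous.` would tell the next reader why the request is refused. The loop variable `hasValidAuth` also reads as if credentials were verified here, while the isRequest* predicates (defined outside this diff) appear by name only to detect which mechanism is present, so `isAuthType` would be closer. Because the guard counts only the predicates in this literal list, it deserves a comment that any authentication type added later must be appended here, otherwise it will not be counted. The unchanged comment `// Bad path components to be rejected by the path validity handler.` still names the old handler, and the ServeHTTP body continues between the hunks, so the full order of checks is not visible here.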

@ -55,8 +55,8 @@ var globalHandlers = []HandlerFunc{
setBucketForwardingHandler, setBucketForwardingHandler,
// Ratelimit the incoming requests using a token bucket algorithm // Ratelimit the incoming requests using a token bucket algorithm
setRateLimitHandler, setRateLimitHandler,
// Validate all the incoming paths. // Validate all the incoming requests.
setPathValidityHandler, setRequestValidityHandler,
// Network statistics // Network statistics
setHTTPStatsHandler, setHTTPStatsHandler,
// Limits all requests size to a maximum fixed limit // Limits all requests size to a maximum fixed limit
