From de9b391db3127e1a63faae7b4a9ed6946f3727b6 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Sun, 17 May 2020 23:38:52 -0700
Subject: [PATCH] fix: Disable presigned without appropriate policy (#9621)

Fixes #9590
---
 cmd/jwt.go          |  1 +
 cmd/web-handlers.go | 14 ++++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/cmd/jwt.go b/cmd/jwt.go
index 4b4555cbb..63af66cc4 100644
--- a/cmd/jwt.go
+++ b/cmd/jwt.go
@@ -47,6 +47,7 @@ var (
 	errAuthentication       = errors.New("Authentication failed, check your access credentials")
 	errNoAuthToken          = errors.New("JWT token missing")
 	errIncorrectCreds       = errors.New("Current access key or secret key is incorrect")
+	errPresignedNotAllowed  = errors.New("Unable to generate shareable URL due to lack of read permissions")
 )
 
 func authenticateJWTUsers(accessKey, secretKey string, expiry time.Duration) (string, error) {
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index be422f76b..d485267c1 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -1966,6 +1966,20 @@ func (web *webAPIHandlers) PresignedGet(r *http.Request, args *PresignedGetArgs,
 		return toJSONError(ctx, errInvalidBucketName)
 	}
 
+	// Check if the user indeed has GetObject access,
+	// if not we do not need to generate presigned URLs
+	if !globalIAMSys.IsAllowed(iampolicy.Args{
+		AccountName:     claims.AccessKey,
+		Action:          iampolicy.GetObjectAction,
+		BucketName:      args.BucketName,
+		ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+		IsOwner:         owner,
+		ObjectName:      args.ObjectName,
+		Claims:          claims.Map(),
+	}) {
+		return toJSONError(ctx, errPresignedNotAllowed)
+	}
+
 	reply.UIVersion = browser.UIVersion
 	reply.URL = presignedGet(args.HostName, args.BucketName, args.ObjectName, args.Expiry, creds, region)
 	return nil