can't create presigned url with canned acl, can't limit content type #1692
Comments
btw i solved this by using raw presign:

```go
import (
	"fmt"
	"net/http"
	"net/url"
	"time"

	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
)

httpSigner := v4.NewSigner()
uri := "xxx"
req, _ := http.NewRequest("PUT", uri, nil)
params := url.Values{
	"X-Amz-Credential": {fmt.Sprintf("%s/%s/us-east-1/s3/aws4_request", AccessKeyID, time.Now().Format("20060102"))},
	"X-Amz-Expires":    {"3600"},
	"x-id":             {"PutObject"},
	"x-amz-acl":        {"public-read"}, // ACL as a query parameter, not a header
}
req.Header.Set("Content-Type", mimeType) // becomes a signed header, so the uploader must send exactly this value
req.URL.RawQuery = params.Encode()
auth, _ := s.auth.Retrieve(ctx) // s.auth is the caller's aws.CredentialsProvider
u, _, e := httpSigner.PresignHTTP(ctx, auth, req, "UNSIGNED-PAYLOAD", "s3", "us-east-1", time.Now()) // e carries any signing error
```
This works and is simpler than doing the whole thing raw: https://stackoverflow.com/a/74585074/13383986
Are there any updates on this? Without the ability to set Conditions so we can set content type and content length range, similar to the JS SDK and Boto, there is a security issue. Meaning, anyone with a valid presigned URL can upload a large file of any content type. Why is this not being investigated?
The workaround is to manually set the headers (and they are case sensitive) as shown here: https://stackoverflow.com/a/74585074/13383986 But it's still a bit ridiculous that this workaround is necessary at all, considering it does seem like a tiny fix 🤷‍♂️
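As an added example (not the SDK's code and not any commenter's) of what the raw-presign workaround above actually signs, the function below builds the same kind of SigV4 query-presigned PUT URL with only the Go standard library: x-amz-acl rides as a query parameter and Content-Type is listed in X-Amz-SignedHeaders, which is what makes S3 reject a PUT that arrives with a different Content-Type. The access key, secret, bucket and key are constructed placeholders; it assumes the UNSIGNED-PAYLOAD content hash and an object key with no characters that need URI encoding.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
	"time"
)
// Constructed example credentials (not real keys) and a fixed region.
const accessKeyID, secretKey, region = "AKIAEXAMPLEKEY000000", "exampleSecretKeyNotReal", "us-east-1"

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// presignPut returns a SigV4 query-presigned PUT URL with the ACL as the x-amz-acl query
// parameter and Content-Type in X-Amz-SignedHeaders, so a PUT sending another type is rejected.
func presignPut(bucket, key, contentType, acl string, now time.Time, expires int) string {
	host := bucket + ".s3." + region + ".amazonaws.com"
	date, amzDate := now.UTC().Format("20060102"), now.UTC().Format("20060102T150405Z")
	scope := date + "/" + region + "/s3/aws4_request"
	q := url.Values{
		"X-Amz-Algorithm":     {"AWS4-HMAC-SHA256"},
		"X-Amz-Credential":    {accessKeyID + "/" + scope},
		"X-Amz-Date":          {amzDate},
		"X-Amz-Expires":       {fmt.Sprint(expires)},
		"X-Amz-SignedHeaders": {"content-type;host"},
		"x-amz-acl":           {acl},
	}
	query := q.Encode() // keys sorted, values percent-encoded, as the canonical query string requires
	canonicalRequest := strings.Join([]string{"PUT", "/" + key, query,
		"content-type:" + contentType + "\nhost:" + host + "\n", "content-type;host", "UNSIGNED-PAYLOAD"}, "\n")
	crHash := sha256.Sum256([]byte(canonicalRequest))
	stringToSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hex.EncodeToString(crHash[:])
	// Signing key: HMAC chain over the date, region, service and terminator.
	k := hmacSHA256([]byte("AWS4"+secretKey), date)
	for _, part := range []string{region, "s3", "aws4_request"} {
		k = hmacSHA256(k, part)
	}
	return "https://" + host + "/" + key + "?" + query + "&X-Amz-Signature=" + hex.EncodeToString(hmacSHA256(k, stringToSign))
}

func main() {
	fmt.Println(presignPut("my-bucket", "uploads/redis.png", "image/png", "public-read", time.Now(), 3600))
}
```

Any other header the upload must carry (Content-Length, for instance) is pinned the same way, by adding it to the canonical headers and the signed-header list; a size range is what this PUT-based scheme cannot express, which is the Conditions gap the thread raises.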
@tyliggity thanks for following up with a workaround! While this does address ACL and content type it doesn't address (unless i'm missing something of course) the ability to set conditions such as
This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
Describe the bug
Expected Behavior
When using the presigned URL, a file should be uploaded successfully.
Current Behavior
1. When I set acl: types.ObjectCannedACLPublicRead in PutObjectInput, the client should set x-amz-acl in the header, which is not expected. It should be one of the presigned URL's query params. (I found this issue aws/aws-sdk-java-v2#1849, exactly the same as my confusion, but I don't know how to override it in Go.)
2. Set content type "image/png" in PutObjectInput; that limit didn't appear in SignedHeaders, so the client can successfully upload a txt file with content type text/plain (it returns HTTP status 200).
3. Got a NotImplemented error; I found that I didn't set the content length. The "NotImplemented" error is misleading.
The same presigned URL can be used in the Go client, but in Postman it returns the SignatureDoesNotMatch error. Copying the curl code exported by Postman, it works too. Why?
Reproduction Steps
server-side code:
generate upload URL
client-side 1:
it works.
client-side 2:
use Postman
I copy that URL into Postman, set the method to PUT, in the body I choose binary and upload a file, then I get a SignatureDoesNotMatch error.
(When I set acl in PutObjectInput and generate a presigned URL, I can use Postman to upload a file with the header X-Amz-acl.)
client-side 3:
Just use the curl code exported by Postman in client-side 2; it works. Why? It works both with and without the Content-Type header.

```shell
curl --location --request PUT 'https://<my-bucket>.s3.us-east-1.amazonaws.com/<my-key>?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<xxx>%2F20220430%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220430T103611Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&x-id=PutObject&X-Amz-Signature=7f9a9a6fd1652ad483aadbe87fe7d20c564ddbb209bfccf8aaa92a2e5a4cb8fa' \
  --header 'Content-Type: image/png' \
  --data-binary '@path/redis.png'
```

BTW: I don't know how to set that object's ACL in the presigned URL; the options just contain a few like WithPresignExpires.
I searched in test.go, the Go examples, and the AWS documentation, but they just told me how to generate a presigned URL, never how to use it. I see this issue: #1134. It seems not to work (if that means I should include the headers that X-Amz-SignedHeaders provides when I use that presigned URL); that can't explain the failure in Postman.
Possible Solution
No response
Additional Information/Context
No response
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2 v1.16.3
github.com/aws/aws-sdk-go-v2/credentials v1.12.0
github.com/aws/aws-sdk-go-v2/service/s3 v1.26.7
Compiler and Version used
1.18
Operating System and version
macOs monterey