From 008a35fce0d22706c56341b00093fa2726e1bbf3 Mon Sep 17 00:00:00 2001
From: Evgenii Baidakov
Date: Wed, 20 Sep 2023 12:59:23 +0400
Subject: [PATCH] bearer: Deny some content-type uploads

Signed-off-by: Evgenii Baidakov
---
 bearer/bearer.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/bearer/bearer.go b/bearer/bearer.go
index 3323bbd..c414d8d 100644
--- a/bearer/bearer.go
+++ b/bearer/bearer.go
@@ -10,6 +10,7 @@ import (
 	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
 	neofsecdsa "github.com/nspcc-dev/neofs-sdk-go/crypto/ecdsa"
 	"github.com/nspcc-dev/neofs-sdk-go/eacl"
+	"github.com/nspcc-dev/neofs-sdk-go/object"
 	"github.com/nspcc-dev/neofs-sdk-go/user"
 )
 
@@ -40,6 +41,12 @@ func (b *Generator) NewBearer(email string, currentEpoch uint64) (string, string
 	// order of rec is important
 	rec := eacl.CreateRecord(eacl.ActionAllow, eacl.OperationPut)
 	rec.AddObjectAttributeFilter(eacl.MatchStringEqual, b.config.EmailAttr, hashedEmail)
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "application/javascript")
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "text/javascript")
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "application/xhtml+xml")
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "text/html")
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "text/htmlh")
+	rec.AddFilter(eacl.HeaderFromObject, eacl.MatchStringNotEqual, object.AttributeContentType, "")
 	eacl.AddFormedTarget(rec, eacl.RoleOthers)
 	t.AddRecord(rec)
 	rec2 := eacl.CreateRecord(eacl.ActionDeny, eacl.OperationPut)
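Review bot: The six added `rec.AddFilter(...)` calls in the second hunk compare the uploader-supplied Content-Type attribute byte-for-byte, so a value such as `text/html; charset=utf-8`, `TEXT/HTML` or `text/html ` satisfies every `MatchStringNotEqual` filter and is still allowed by the first record, which means an exact-string deny-list does not enforce what the commit title promises. The list also omits script-capable types like `image/svg+xml`, `application/x-javascript`, `application/ecmascript` and `text/xml`; unless the eACL match set offers a case-insensitive or prefix match, the robust form is an allow-list — one `MatchStringEqual` allow record per expected type, with the existing `rec2` deny catching everything else. `text/htmlh` on the fifth added line looks like a typo rather than a real media type, so confirm what was intended there. Whether an object with no Content-Type attribute at all passes `MatchStringNotEqual ""` depends on how the node's validator treats an absent header, so the intended "reject missing type" behaviour should be verified and noted on that line, e.g. `// absent Content-Type must fall through to the deny record — verified against node eACL matching`. NewBearer's body starts and ends outside this hunk.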