From c97ba49702d70a1cc3537723f5c33234558cc3df Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski <sdimitrovski@gmail.com>
Date: Sun, 14 Jul 2024 18:16:29 +0200
Subject: [PATCH] feat: prevent passing in `role` claim in presigned URL JWTs

---
 src/storage/object.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/storage/object.ts b/src/storage/object.ts
index 6a239ffa..f3daea62 100644
--- a/src/storage/object.ts
+++ b/src/storage/object.ts
@@ -540,6 +540,10 @@ export class ObjectStorage {
       return all
     }, metadata || {})
 
+    // security-in-depth: as signObjectUrl could be used as a signing oracle,
+    // make sure it's never able to specify a role JWT claim
+    delete metadata['role']
+
     const urlParts = url.split('/')
     const urlToSign = decodeURI(urlParts.splice(3).join('/'))
     const { secret: jwtSecret } = await getJwtSecret(this.db.tenantId)