Align SDK presigning behavior of expected bucket owner to match S3's #2508

Open
RanVaknin opened this issue Feb 20, 2024 · 0 comments
Labels: bug (This issue is a bug.), p2 (This is a standard priority issue), queued (This issue is on the AWS team's backlog)


Describe the bug

The S3 API will only enforce the expected bucket owner parameter of a presigned URL if it's provided either as a signed header, or hoisted into the query string but only in lower case (x-amz-expected-bucket-owner).

Reference #2484

Expected Behavior

Presigning requests with expected bucket owner should contain the header in the query parameter, in lower case.

Example request:

https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240217/us-east-1/s3/aws4_request&
X-Amz-Date=20240217T003121Z&
X-Amz-Expires=900&
X-Amz-SignedHeaders=host&
x-amz-expected-bucket-owner=REDACTED&
x-id=GetObject&
X-Amz-Signature=REDACTED

OK 200

Current Behavior

The header value is presigned as a signedHeader (works).

https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240217/us-east-1/s3/aws4_request&
X-Amz-Date=20240217T003338Z&
X-Amz-Expires=900&
X-Amz-SignedHeaders=host;x-amz-expected-bucket-owner&
x-id=GetObject&
X-Amz-Signature=REDACTED

OK 200

Reproduction Steps

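Create a presigned get request with an expected bucket owner:

package main

import (
	"context"
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/s3"
)

// presignGet presigns a GetObject request with ExpectedBucketOwner set and prints the URL.
func presignGet() {
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"))
	if err != nil {
		panic(err)
	}

	client := s3.NewFromConfig(cfg)

	presigner := s3.NewPresignClient(client)

	input := &s3.GetObjectInput{
		Bucket:              aws.String("testbucket"),
		Key:                 aws.String("foo"),
		ExpectedBucketOwner: aws.String("123456789012"),
	}
	signedRequest, err := presigner.PresignGetObject(context.TODO(),
		input,
		s3.WithPresignExpires(time.Minute*15),
	)
	if err != nil {
		panic(err)
	}

	fmt.Printf("%v", signedRequest.URL)
}

func main() {
	presignGet()
}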

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.0

Compiler and Version used

1.20

Operating System and version

MacOS

@RanVaknin added the bug, needs-triage, p2 and queued labels and removed the needs-triage label on Feb 20, 2024
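A check that can be run over presigned URLs before they are handed out, added here as an example (it is not code from the issue or from the SDK): it classifies a URL by the two forms the issue says S3 enforces, and flags an expected-bucket-owner query parameter written in any other casing. The function name `ownerEnforcement`, its result labels and the sample URL are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const ownerParam = "x-amz-expected-bucket-owner"

// ownerEnforcement (hypothetical helper) reports how a presigned URL carries the
// expected bucket owner: "signed-header", "query-lowercase", "query-wrong-case" or "absent".
func ownerEnforcement(presigned string) (string, error) {
	_, raw, _ := strings.Cut(presigned, "?")
	// Go rejects a literal ';' in a query string, so encode it before parsing.
	q, err := url.ParseQuery(strings.ReplaceAll(raw, ";", "%3B"))
	if err != nil {
		return "", err
	}
	var signed string
	exact, otherCase := false, false
	for k, v := range q { // url.Values keys keep their original case
		switch {
		case strings.EqualFold(k, "X-Amz-SignedHeaders"):
			signed = v[0]
		case k == ownerParam:
			exact = true
		case strings.EqualFold(k, ownerParam):
			otherCase = true
		}
	}
	for _, h := range strings.Split(signed, ";") {
		if strings.EqualFold(h, ownerParam) {
			return "signed-header", nil
		}
	}
	if exact {
		return "query-lowercase", nil
	}
	if otherCase {
		return "query-wrong-case", nil // per the issue, S3 does not enforce this form
	}
	return "absent", nil
}

func main() {
	// Constructed sample in the lower-case hoisted form shown in the issue.
	u := "https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?X-Amz-SignedHeaders=host&x-amz-expected-bucket-owner=REDACTED"
	fmt.Println(ownerEnforcement(u))
}
```

A result of "query-wrong-case" or "absent" means that, by the behaviour described in the issue, the URL would be accepted without the bucket owner being checked.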