bug: unauthorized access in Alicloud OSS component #301

Closed
seeflood opened this issue Nov 2, 2021 · 4 comments

seeflood commented Nov 2, 2021

What happened:
If an app passes a directoryName which is not configured in the config file, it can access that bucket although it shouldn't.
Currently the code doesn't do the access control checking.

What you expected to happen:
Forbid unauthorized access

How to reproduce it (as minimally and precisely as possible):
@fengmk2 found it by code review

Anything else we need to know?:
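
A sketch of the missing check this issue describes, added here as an example and not the project's code: the bucket named by the app-supplied directoryName is compared against the buckets listed in the component config before any storage call is made. The `ossConfig` type, the `authorizeBucket` function, the sample bucket names, and the assumption that the bucket is the first path segment of directoryName are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBucketNotAllowed is returned when a request names a bucket absent from the config.
var ErrBucketNotAllowed = errors.New("bucket not configured for this component")

// ossConfig is a hypothetical stand-in for the component's parsed config file.
type ossConfig struct {
	Buckets []string // buckets the operator listed for this component
}

// authorizeBucket extracts the bucket from directoryName (assumed here to be
// the first path segment) and returns it only if it is listed in cfg.
func authorizeBucket(cfg ossConfig, directoryName string) (string, error) {
	name := strings.Trim(directoryName, "/")
	bucket, _, _ := strings.Cut(name, "/")
	if bucket == "" {
		return "", fmt.Errorf("empty directoryName: %w", ErrBucketNotAllowed)
	}
	for _, allowed := range cfg.Buckets {
		if bucket == allowed { // exact match only: no prefix match, no case folding
			return bucket, nil
		}
	}
	return "", fmt.Errorf("%q: %w", bucket, ErrBucketNotAllowed)
}

func main() {
	cfg := ossConfig{Buckets: []string{"app-uploads"}} // constructed sample config
	// Constructed sample requests: one configured bucket, two that are not.
	for _, dir := range []string{"app-uploads/reports", "other-team-bucket/secrets", "app-uploads-backup"} {
		bucket, err := authorizeBucket(cfg, dir)
		if err != nil {
			fmt.Printf("deny  %-28s %v\n", dir, err)
			continue
		}
		fmt.Printf("allow %-28s bucket=%s\n", dir, bucket)
	}
}
```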

@seeflood seeflood self-assigned this Nov 2, 2021
@seeflood seeflood added good first issue Good for newcomers help wanted Extra attention is needed labels Nov 2, 2021
@seeflood seeflood removed their assignment Nov 2, 2021

ZLBer commented Nov 4, 2021

@seeflood alicloud/aws/minio components both have this problem. I'll fix this.
The meaning of the bucket field is not clearly stated in the fileAPI quick start file; it is a little fuzzy.

The _sidebar.md quick start lacks fileAPI.


seeflood commented Nov 4, 2021

> @seeflood alicloud/aws/minio components both have this problem. I'll fix this.

Sorry for not explaining in advance. @wenxuwan just told me that he is working on it and has decided to remove this bucket configuration and do some refactoring of the File API. So this issue will be assigned to him.
Actually the accessKeyID and accessKeySecret fields are enough to do access control, so the bucket field is redundant.
Hope he will add a quickstart for File API after the refactor :)

@seeflood seeflood added bug Something isn't working and removed good first issue Good for newcomers help wanted Extra attention is needed labels Nov 4, 2021

ZLBer commented Nov 4, 2021

@seeflood Okay, I get it


wenxuwan commented Nov 4, 2021

@ZLBer Hi man, as the current file interface capabilities are not enough to support users (#98), I am redesigning the interface and modifying the implementation. You can help review it together: #305
