Allowlist bucket owner header #2358

RanVaknin · 2023-11-08T21:01:41Z

Previous behavior: x-amz-expected-bucket-owner was not signed as a header, instead it was signed as a query parameter which was not the intended behavior.

Current behavior: x-amz-expected-bucket-owner is signed as a header and the bucket owner is enforced.

Example:

func main(){
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"), config.WithClientLogMode(aws.LogRequestWithBody))
	if err != nil {
		panic(err)
	}

	client := s3.NewFromConfig(cfg)

	presigner := s3.NewPresignClient(client)

	input := &s3.GetObjectInput{
		Bucket:              aws.String(bucket),
		Key:                 aws.String("hey.txt"),
		ExpectedBucketOwner: aws.String("123456789012"),

	}

	signedRequest, err := presigner.PresignGetObject(context.TODO(), input, func(options *s3.PresignOptions) {
		options.ClientOptions = append(options.ClientOptions, func(op2 *s3.Options) {
			op2.ClientLogMode = aws.LogSigning | op2.ClientLogMode
		})
	})

	if err != nil {
		panic(err)
	}

	req, err := http.NewRequest("GET", signedRequest.URL, nil)
	if err != nil {
		panic(err)
	}

	for k, vs := range signedRequest.SignedHeader {
		for _, v := range vs {
			req.Header.Add(k, v)
		}
	}

	c := &http.Client{}
	res, err := c.Do(req)
	if err != nil {
		panic(err)
	}
	defer res.Body.Close() 

	bod, err := io.ReadAll(res.Body)
	if err != nil {
		panic(err)
	}

	fmt.Println(res.Status, res.StatusCode)
	fmt.Printf("%s\n", bod)
}

Results and log:

SDK 2023/11/08 12:58:22 DEBUG Request Signature:
---[ CANONICAL STRING  ]-----------------------------
GET
/hey.txt
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=REDACTED%2F20231108%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231108T205822Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host%3Bx-amz-expected-bucket-owner&x-id=GetObject
host:bucket.s3.us-east-1.amazonaws.com
x-amz-expected-bucket-owner:990724664260

host;x-amz-expected-bucket-owner
UNSIGNED-PAYLOAD
---[ STRING TO SIGN ]--------------------------------
AWS4-HMAC-SHA256
20231108T205822Z
20231108/us-east-1/s3/aws4_request
REDACTED
---[ SIGNED URL ]------------------------------------
https://bucket.s3.us-east-1.amazonaws.com/hey.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED%2F20231108%2Fus-east-1%2Fs3%2Faws4_request&
X-Amz-Date=20231108T205822Z&
X-Amz-Expires=900&
X-Amz-SignedHeaders=host%3Bx-amz-expected-bucket-owner&
x-id=GetObject&
X-Amz-Signature=ac0f5386d33b9dc34cc52e50ba35341afX-Amz-Expires=900&
X-Amz-SignedHeaders=host%3Bx-amz-expected-bucket-owner&
x-id=GetObject&
X-Amz-Signature=REDACTED
-----------------------------------------------------
200 OK 200
hello

Ran Vaknin added 2 commits November 8, 2023 11:35

Add expected bucket owner to allowlisted signable headers

f335fc9

Added changelog

04a95c0

RanVaknin requested a review from a team as a code owner November 8, 2023 21:01

lucix-aws approved these changes Nov 8, 2023

View reviewed changes

lucix-aws merged commit efa5486 into aws:main Nov 8, 2023
11 of 12 checks passed

lucix-aws mentioned this pull request Feb 13, 2024

Presigned URLs should use Query parameters for Additional request parameters (instead of headers) #2484

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allowlist bucket owner header #2358

Allowlist bucket owner header #2358

RanVaknin commented Nov 8, 2023 •

edited

Loading

Allowlist bucket owner header #2358

Allowlist bucket owner header #2358

Conversation

RanVaknin commented Nov 8, 2023 • edited Loading

RanVaknin commented Nov 8, 2023 •

edited

Loading