gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: Fix parseTableFromARN() namespace and table name validation

Browse Source 
- Remove dead URL unescape for namespace (regex [a-z0-9_]+ cannot contain
  percent-escapes)
- Add URL decoding and validation of extracted table name via
  validateTableName() to prevent callers from bypassing request validation
  done in other paths
This commit is contained in:
Chris Lu
2026-01-28 16:20:58 -08:00
parent fb4fb8b082
commit 191a858e72
1 changed files with 12 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
weed/s3api/s3tables/utils.go
View File

@@ -46,18 +46,22 @@ func parseTableFromARN(arn string) (bucketName, namespace, tableName string, err
return "", "", "", fmt.Errorf("invalid table ARN: %s", arn) return "", "", "", fmt.Errorf("invalid table ARN: %s", arn)
} }
// URL decode the namespace from the ARN path component // Namespace is already constrained by the regex; validate it directly.
namespaceUnescaped, err := url.PathUnescape(matches[2]) namespace = matches[2]
if err != nil { _, err = validateNamespace([]string{namespace})
return "", "", "", fmt.Errorf("invalid namespace encoding in ARN: %v", err)
}
_, err = validateNamespace([]string{namespaceUnescaped})
if err != nil { if err != nil {
return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err) return "", "", "", fmt.Errorf("invalid namespace in ARN: %v", err)
} }
return matches[1], namespaceUnescaped, matches[3], nil // URL decode and validate the table name from the ARN path component
tableNameUnescaped, err := url.PathUnescape(matches[3])
if err != nil {
return "", "", "", fmt.Errorf("invalid table name encoding in ARN: %v", err)
}
if _, err := validateTableName(tableNameUnescaped); err != nil {
return "", "", "", fmt.Errorf("invalid table name in ARN: %v", err)
}
return matches[1], namespace, tableNameUnescaped, nil
} }
// Path helpers // Path helpers