gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: Add upper bound validation for MaxBuckets parameter

Browse Source 
MaxBuckets is user-controlled and used in uint32(maxBuckets*2) for ListEntries.
Very large values can overflow uint32 or trigger overly expensive scans. Cap
MaxBuckets to 1000 and reject out-of-range values, consistent with MaxTables
handling and S3 MaxKeys validation elsewhere in the codebase.
This commit is contained in:
Chris Lu
2026-01-28 16:20:36 -08:00
parent e0da63fd0a
commit b1d7f3d6e8
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
weed/s3api/s3tables/handler_bucket_get_list_delete.go
View File

@@ -101,6 +101,12 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
if maxBuckets <= 0 {
maxBuckets = 100
}
// Cap to prevent uint32 overflow when used in uint32(maxBuckets*2)
const maxBucketsLimit = 1000
if maxBuckets > maxBucketsLimit {
h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "MaxBuckets exceeds maximum allowed value")
return fmt.Errorf("invalid maxBuckets value: %d", maxBuckets)
}
var buckets []TableBucketSummary