From 937367caaff71cb8e2843739ae34d37248369406 Mon Sep 17 00:00:00 2001
From: Denis Kirillov <d.kirillov@yadro.com>
Date: Wed, 21 Feb 2024 17:34:51 +0300
Subject: [PATCH] [#318] Fix panic on invalid multipart form

Previously, simple 'curl -X POST http://localhost:8084/test' leads to panic because of wrong handle matching

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
---
 api/handler/put.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/api/handler/put.go b/api/handler/put.go
index bd7b388..72794c6 100644
--- a/api/handler/put.go
+++ b/api/handler/put.go
@@ -7,6 +7,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"encoding/xml"
+	stderrors "errors"
 	"fmt"
 	"io"
 	"net"
@@ -628,11 +629,21 @@ func checkPostPolicy(r *http.Request, reqInfo *middleware.ReqInfo, metadata map[
 		policy.empty = false
 	}
 
+	if r.MultipartForm == nil {
+		return nil, stderrors.New("empty multipart form")
+	}
+
 	for key, v := range r.MultipartForm.Value {
-		value := v[0]
 		if key == "file" || key == "policy" || key == "x-amz-signature" || strings.HasPrefix(key, "x-ignore-") {
 			continue
 		}
+
+		if len(v) != 1 {
+			return nil, fmt.Errorf("empty multipart value for key '%s'", key)
+		}
+
+		value := v[0]
+
 		if err := policy.CheckField(key, value); err != nil {
 			return nil, fmt.Errorf("'%s' form field doesn't match the policy: %w", key, err)
 		}