From 3de7ad5223a84e8621ddfb10363ad46b4df745b5 Mon Sep 17 00:00:00 2001 From: Nick Craig-Wood Date: Fri, 14 Dec 2018 10:10:13 +0000 Subject: [PATCH] b2: for a bucket limited application key check the bucket name Before this fix rclone would just use the authorised bucket regardless of what bucket you put on the command line. This uses the new `bucketName` response in the API and checks that the user is using the correct bucket name to avoid accidents. Fixes #2839 --- backend/b2/api/types.go | 1 + backend/b2/b2.go | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/backend/b2/api/types.go b/backend/b2/api/types.go index 501647ee3..feeede569 100644 --- a/backend/b2/api/types.go +++ b/backend/b2/api/types.go @@ -136,6 +136,7 @@ type AuthorizeAccountResponse struct { AccountID string `json:"accountId"` // The identifier for the account. Allowed struct { // An object (see below) containing the capabilities of this auth token, and any restrictions on using it. BucketID string `json:"bucketId"` // When present, access is restricted to one bucket. + BucketName string `json:"bucketName"` // When present, name of bucket - may be empty Capabilities []string `json:"capabilities"` // A list of strings, each one naming a capability the key has. NamePrefix interface{} `json:"namePrefix"` // When present, access is restricted to files whose names start with the prefix } `json:"allowed"` diff --git a/backend/b2/b2.go b/backend/b2/b2.go index 048f6b804..f5c3f7a2c 100644 --- a/backend/b2/b2.go +++ b/backend/b2/b2.go @@ -368,6 +368,13 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) { } // If this is a key limited to a single bucket, it must exist already if f.bucket != "" && f.info.Allowed.BucketID != "" { + allowedBucket := f.info.Allowed.BucketName + if allowedBucket == "" { + return nil, errors.New("bucket that application key is restricted to no longer exists") + } + if allowedBucket != f.bucket { + return nil, errors.Errorf("you must use bucket %q with this application key", allowedBucket) + } f.markBucketOK() f.setBucketID(f.info.Allowed.BucketID) }