From 597d147c7dddd5fe0d679138055df9cf8dc16b12 Mon Sep 17 00:00:00 2001
From: Vitaliy Potyarkin
Date: Wed, 16 Oct 2024 17:16:35 +0300
Subject: [PATCH] frostfs: Reject tokens with slash character

Current reverse proxy configs assume that token is a valid filename with no nesting levels. It's better to reject unsupported tokens early

Signed-off-by: Vitaliy Potyarkin
---
 providers/http/frostfs/frostfs.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/providers/http/frostfs/frostfs.go b/providers/http/frostfs/frostfs.go
index 81d79724..813fa455 100644
--- a/providers/http/frostfs/frostfs.go
+++ b/providers/http/frostfs/frostfs.go
@@ -8,6 +8,7 @@ import (
 "errors"
 "fmt"
 "strconv"
+ "strings"
 "time"
 
 "github.com/go-acme/lego/v4/challenge"
@@ -46,7 +47,9 @@ func NewHTTPProvider(endpoint, cid, walletPath, walletAccount, walletPassword st
 }
 
 func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
- var err error
+ if strings.Contains(token, "/") {
+ return fmt.Errorf("token with slash character is not supported: %s", token)
+ }
 if w.oid != "" {
 return fmt.Errorf("%T is not safe to re-enter: object was saved and not yet cleaned up: %s", w, w.oid)
 }
@@ -54,6 +57,7 @@ func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
 
+ var err error
 expires, err := w.frostfs.Epoch(ctx, time.Now().Add(tokenLifetime))
 if err != nil {
 return fmt.Errorf("failed to calculate token expiration: %w", err)
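Review bot: The new guard at the top of Present rejects only `/`, which is a denylist over a value the commit message says must be a flat filename; an empty token, `..`, a backslash or control characters would still pass this check. RFC 8555 restricts challenge tokens to the base64url alphabet, so an allowlist is both stricter and simpler: a package-level `var tokenPattern = regexp.MustCompile("^[A-Za-z0-9_-]+$")` (needs the `regexp` import) and `if !tokenPattern.MatchString(token) { return fmt.Errorf("unsupported token: %q", token) }`. Formatting the rejected value with `%q` rather than `%s` also keeps a malformed token from putting newlines or escape sequences into logs. Present's body continues outside the hunk, so how the token is used downstream is not visible here.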
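Review bot: The relocated `var err error` in the last hunk is redundant, because `expires, err := w.frostfs.Epoch(...)` on the following line already declares `err` in the same scope. The declaration can be dropped instead of moved. The function continues past the hunk, but any later `err = ...` assignment would bind to that same variable either way.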