frostfs: Reject tokens with slash character

Current reverse proxy configs assume that token is a valid filename with no nesting levels. It's better to reject unsupported tokens early Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
2024-10-16 17:16:35 +03:00 · 2024-10-16 17:16:35 +03:00 · 597d147c7d
commit 597d147c7d
parent 61ce76f648
1 changed files with 5 additions and 1 deletions
--- a/providers/http/frostfs/frostfs.go
+++ b/providers/http/frostfs/frostfs.go
@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/go-acme/lego/v4/challenge"
@ -46,7 +47,9 @@ func NewHTTPProvider(endpoint, cid, walletPath, walletAccount, walletPassword st
 }

 func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
-	var err error
+	if strings.Contains(token, "/") {
+		return fmt.Errorf("token with slash character is not supported: %s", token)
+	}
 	if w.oid != "" {
 		return fmt.Errorf("%T is not safe to re-enter: object was saved and not yet cleaned up: %s", w, w.oid)
 	}
@ -54,6 +57,7 @@ func (w *HTTPProvider) Present(domain, token, keyAuth string) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

+	var err error
 	expires, err := w.frostfs.Epoch(ctx, time.Now().Add(tokenLifetime))
 	if err != nil {
 		return fmt.Errorf("failed to calculate token expiration: %w", err)