added 20kb limit for put bucket policy

SylvainSenechal · SylvainSenechal · commit cfecc63b5a8c · 2025-07-30T14:52:46.000+02:00
Issue : CLDSRV-700
diff --git a/config.json b/config.json
@@ -142,5 +142,9 @@
     },
     "kmip": {
         "providerName": "thales"
+    },
+    "apiBodySizeLimits": {
+        "multiObjectDelete": 2097152,
+        "bucketPutPolicy": 20480
     }
 }
diff --git a/constants.js b/constants.js
@@ -96,11 +96,14 @@ const constants = {
     oneMegaBytes: 1024 * 1024,
     halfMegaBytes: 512 * 1024,
 
-    // Some apis may need a custom body length limit :
-    apisLengthLimits: {
+    // Some apis may need a custom body length limit
+    defaultApiBodySizeLimits: {
         // Multi Objects Delete request can be large : up to 1000 keys of 1024 bytes is
         // already 1mb, with the other fields it could reach 2mb
         'multiObjectDelete': 2 * 1024 * 1024,
+        // AWS sets the maximum size for bucket policies to 20 KB
+        // https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html
+        'bucketPutPolicy': 20 * 1024,
     },
 
     // hex digest of sha256 hash of empty string:
@@ -266,5 +269,4 @@ const constants = {
     onlyOwnerAllowed: ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'],
 };
 
-
 module.exports = constants;
diff --git a/lib/Config.js b/lib/Config.js
@@ -1730,6 +1730,21 @@ class Config extends EventEmitter {
         }
 
         this.supportedLifecycleRules = parseSupportedLifecycleRules(config.supportedLifecycleRules);
+
+        this.apiBodySizeLimits = { ...constants.defaultApiBodySizeLimits };
+        if (config.apiBodySizeLimits) {
+            assert(typeof config.apiBodySizeLimits === 'object' &&
+                config.apiBodySizeLimits !== null &&
+                !Array.isArray(config.apiBodySizeLimits),
+                'bad config: apiBodySizeLimits must be an object');
+
+            for (const [apiKey, limit] of Object.entries(config.apiBodySizeLimits)) {
+                assert(Number.isInteger(limit) && limit > 0,
+                    `bad config: apiBodySizeLimits for "${apiKey}" must be a positive integer`);
+                this.apiBodySizeLimits[apiKey] = limit;
+            }
+        }
+
         return config;
     }
 
diff --git a/lib/api/api.js b/lib/api/api.js
@@ -75,6 +75,7 @@ const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKe
 const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
 const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
 const constants = require('../../constants');
+const { config } = require('../Config.js');
 
 const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
 
@@ -223,7 +224,7 @@ const api = {
                
                 const defaultMaxPostLength = request.method === 'POST' ?
                       constants.oneMegaBytes : constants.halfMegaBytes;
-                const MAX_POST_LENGTH = constants.apisLengthLimits[apiMethod] || defaultMaxPostLength;
+                const MAX_POST_LENGTH = config.apiBodySizeLimits[apiMethod] || defaultMaxPostLength;
                 const post = [];
                 let postLength = 0;
                 request.on('data', chunk => {
diff --git a/tests/unit/Config.js b/tests/unit/Config.js
@@ -13,6 +13,7 @@ const {
 const {
     LOCATION_NAME_DMF,
 } = require('../constants');
+const constants = require('../../constants');
 
 const { ValidLifecycleRules: supportedLifecycleRules } = require('arsenal').models;
 
@@ -893,4 +894,34 @@ describe('Config', () => {
             assert.strictEqual(config.instanceId.length, 6);
         });
     });
+
+    describe('apisLengthLimits configuration', () => {
+        let sandbox;
+        let readFileStub;
+
+        beforeEach(() => {
+            sandbox = sinon.createSandbox();
+            readFileStub = sandbox.stub(fs, 'readFileSync');
+            readFileStub.callThrough();
+        });
+
+        afterEach(() => {
+            sandbox.restore();
+        });
+
+        it('should use default API and overwrite when config is provided', () => {
+            const multiObjectDeleteSize = 42;
+            const modifiedConfig = {
+                ...defaultConfig,
+                apiBodySizeLimits: { 'multiObjectDelete': multiObjectDeleteSize },
+            };
+            readFileStub.withArgs(sinon.match(/config.json$/)).returns(JSON.stringify(modifiedConfig));
+            const config = new ConfigObject();
+
+            assert.deepStrictEqual(config.apiBodySizeLimits, {
+                'multiObjectDelete': multiObjectDeleteSize, // Configured: overwrites default
+                'bucketPutPolicy': constants.defaultApiBodySizeLimits['bucketPutPolicy'], // Not configured: default
+            });
+        });
+    });
 });

Original file line number	Diff line number	Diff line change
`@@ -142,5 +142,9 @@`
`142`	`142`	`},`
`143`	`143`	`"kmip": {`
`144`	`144`	`"providerName": "thales"`
	`145`	`+ },`
	`146`	`+ "apiBodySizeLimits": {`
	`147`	`+ "multiObjectDelete": 2097152,`
	`148`	`+ "bucketPutPolicy": 20480`
`145`	`149`	`}`
`146`	`150`	`}`