added 20kb limit for put bucket policy

Issue : CLDSRV-700

Author: SylvainSenechal

config.json

@@ -142,5 +142,9 @@
     },
     "kmip": {
         "providerName": "thales"
+    },
+    "apiBodySizeLimits": {
+        "multiObjectDelete": 2097152,
+        "bucketPutPolicy": 20480
     }
 }

constants.js

@@ -96,11 +96,14 @@ const constants = {
     oneMegaBytes: 1024 * 1024,
     halfMegaBytes: 512 * 1024,
 
-    // Some apis may need a custom body length limit :
-    apisLengthLimits: {
+    // Some apis may need a custom body length limit
+    defaultApiBodySizeLimits: {
         // Multi Objects Delete request can be large : up to 1000 keys of 1024 bytes is
         // already 1mb, with the other fields it could reach 2mb
         'multiObjectDelete': 2 * 1024 * 1024,
+        // AWS sets the maximum size for bucket policies to 20 KB
+        // https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html
+        'bucketPutPolicy': 20 * 1024,
     },
 
     // hex digest of sha256 hash of empty string:
@@ -266,5 +269,4 @@ const constants = {
     onlyOwnerAllowed: ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'],
 };
 
-
 module.exports = constants;

lib/Config.js

@@ -1730,6 +1730,21 @@ class Config extends EventEmitter {
         }
 
         this.supportedLifecycleRules = parseSupportedLifecycleRules(config.supportedLifecycleRules);
+
+        this.apiBodySizeLimits = { ...constants.defaultApiBodySizeLimits };
+        if (config.apiBodySizeLimits) {
+            assert(typeof config.apiBodySizeLimits === 'object' &&
+                config.apiBodySizeLimits !== null &&
+                !Array.isArray(config.apiBodySizeLimits),
+                'bad config: apiBodySizeLimits must be an object');
+
+            for (const [apiKey, limit] of Object.entries(config.apiBodySizeLimits)) {
+                assert(Number.isInteger(limit) && limit > 0,
+                    `bad config: apiBodySizeLimits for "${apiKey}" must be a positive integer`);
+                this.apiBodySizeLimits[apiKey] = limit;
+            }
+        }
+
         return config;
     }
 

lib/api/api.js

@@ -75,6 +75,7 @@ const { tagConditionKeyAuth } = require('./apiUtils/authorization/tagConditionKe
 const { isRequesterASessionUser } = require('./apiUtils/authorization/permissionChecks');
 const checkHttpHeadersSize = require('./apiUtils/object/checkHttpHeadersSize');
 const constants = require('../../constants');
+const { config } = require('../Config.js');
 
 const monitoringMap = policies.actionMaps.actionMonitoringMapS3;
 
@@ -223,7 +224,7 @@ const api = {
 
                 const defaultMaxPostLength = request.method === 'POST' ?
                       constants.oneMegaBytes : constants.halfMegaBytes;
-                const MAX_POST_LENGTH = constants.apisLengthLimits[apiMethod] || defaultMaxPostLength;
+                const MAX_POST_LENGTH = config.apiBodySizeLimits[apiMethod] || defaultMaxPostLength;
                 const post = [];
                 let postLength = 0;
                 request.on('data', chunk => {

lib/metadata/mpu-bug.js

@@ -0,0 +1,244 @@
+#!/usr/bin/env node
+
+// Suppress AWS SDK v2 maintenance mode warnings
+process.env.AWS_SDK_JS_SUPPRESS_MAINTENANCE_MODE_MESSAGE = '1';
+
+const AWS = require('aws-sdk');
+const crypto = require('crypto');
+
+const CONFIG = {
+    endpoint: 'http://localhost:8000',
+    accessKeyId: 'accessKey1',
+    secretAccessKey: 'verySecretKey1',
+    region: 'us-east-1',
+    bucketName: 'mpu-bug',
+    partSize: 5 * 1024 * 1024,
+    HTTP: 'http',
+};
+
+AWS.config.update({
+    accessKeyId: CONFIG.accessKeyId,
+    secretAccessKey: CONFIG.secretAccessKey,
+    region: CONFIG.region,
+    sslEnabled: true,
+    s3ForcePathStyle: true,
+    httpOptions: {
+        timeout: 30000,
+        agent: require('http').Agent({
+            rejectUnauthorized: false,
+            keepAlive: true,
+            maxSockets: 50
+        })
+    }
+});
+const s3 = new AWS.S3({ endpoint: CONFIG.endpoint });
+
+class SimpleMPURaceTester {
+    constructor() {
+        this.templateObjectKey = `template-object-${Date.now()}`;
+        this.templateObjectSize = 15 * 1024 * 1024; // 15MB for 3 parts of 5MB each
+    }
+
+    generateTestData(size = CONFIG.partSize) {
+        return crypto.randomBytes(size);
+    }
+
+    async checkBucket() {
+        try {
+            await s3.headBucket({ Bucket: CONFIG.bucketName }).promise();
+            console.log(`✅ Bucket accessible: ${CONFIG.bucketName}`);
+            return true;
+        } catch (error) {
+            console.error(`❌ Cannot access bucket: ${error.message}`);
+            return false;
+        }
+    }
+
+    async createTemplateObject() {
+        console.log(`📄 Creating template object (${Math.round(this.templateObjectSize / 1024 / 1024)}MB)...`);
+        try {
+            const templateData = this.generateTestData(this.templateObjectSize);
+            await s3.putObject({
+                Bucket: CONFIG.bucketName,
+                Key: this.templateObjectKey,
+                Body: templateData,
+        ContentType: 'application/octet-stream'
+            }).promise();
+            
+            await s3.headObject({
+                Bucket: CONFIG.bucketName,
+                Key: this.templateObjectKey
+            }).promise();
+            
+            console.log(`✅ Template object ready: ${this.templateObjectKey}`);
+            return true;
+        } catch (error) {
+            console.error(`❌ Template creation failed: ${error.message}`);
+            return false;
+        }
+    }
+
+    async uploadPartCopy(key, uploadId, partNumber, startByte, endByte) {
+        const params = {
+            Bucket: CONFIG.bucketName,
+            Key: key,
+        UploadId: uploadId,
+        PartNumber: partNumber,
+            CopySource: `${CONFIG.bucketName}/${this.templateObjectKey}`,
+            CopySourceRange: `bytes=${startByte}-${endByte}`
+        };
+        
+        try {
+            const result = await s3.uploadPartCopy(params).promise();
+            return { ETag: result.ETag, PartNumber: partNumber };
+        } catch (error) {
+            console.error(`❌ uploadPartCopy failed for part ${partNumber}: ${error.message}`);
+            console.error(`   Copy source: ${CONFIG.bucketName}/${this.templateObjectKey}`);
+            console.error(`   Range: bytes=${startByte}-${endByte}`);
+            throw error;
+        }
+    }
+
+    // Enhanced vulnerability detection
+    async detectVulnerability(objectKey) {
+        const versions = await s3.listObjectVersions({
+            Bucket: CONFIG.bucketName,
+            Prefix: objectKey
+        }).promise();
+
+        
+        const objectVersions = versions.Versions?.filter(v => v.Key === objectKey) || [];
+        console.log("VERSIONS ", objectVersions)
+        console.log(`📊 Check: ${objectVersions.length} versions`);
+            
+        if (objectVersions.length >= 2) {
+            console.log(`🎯 MULTIPLE VERSIONS DETECTED! Preserving immediately...`);
+            objectVersions.forEach((v, i) => {
+                console.log(`   Version ${i+1}: ${v.VersionId} - ETag: ${v.ETag} - Modified: ${v.LastModified}`);
+            });
+        }
+
+        return objectVersions
+    }
+
+    async createMPU(testId) {
+        const objectKey = `race-test-${testId}`;
+        
+        const createResult = await s3.createMultipartUpload({
+            Bucket: CONFIG.bucketName,
+            Key: objectKey,
+            ContentType: 'application/octet-stream'
+        }).promise();
+        
+        const uploadId = createResult.UploadId;
+        
+        const numParts = 3;
+        const partPromises = [];
+        
+        for (let partNum = 1; partNum <= numParts; partNum++) {
+            const startByte = (partNum - 1) * CONFIG.partSize;
+            const endByte = startByte + CONFIG.partSize - 1;
+            const copyPromise = this.uploadPartCopy(objectKey, uploadId, partNum, startByte, endByte);
+            partPromises.push(copyPromise);
+        }
+
+        const parts = await Promise.all(partPromises);
+        const partsList = parts.map(part => ({
+            ETag: part.ETag,
+            PartNumber: part.PartNumber
+        }));
+        
+        return { objectKey, uploadId, partsList };
+    }
+
+    async completeMultipartUpload(objectKey, uploadId, partsList) {
+        try {
+            console.log(`📦 Completing multipart upload for ${objectKey}...`);
+            return await s3.completeMultipartUpload({
+            Bucket: CONFIG.bucketName,
+            Key: objectKey,
+            UploadId: uploadId,
+            MultipartUpload: { Parts: partsList }
+        }).promise();
+        } catch (error) {
+            console.error(`❌ Error during completion: ${error.message}`);
+        }
+    }
+
+    async createVersionedBucket(bucketName) {
+        try {
+            console.log(`📦 Creating versioned bucket: ${bucketName}...`);
+            await s3.createBucket({ Bucket: bucketName }).promise();
+            await s3.putBucketVersioning({
+                Bucket: bucketName,
+                VersioningConfiguration: {
+                    Status: 'Enabled'
+                }
+            }).promise();
+            console.log(`✅ Versioned bucket created: ${bucketName}`);
+        } catch (error) {
+            console.error(`❌ Error creating versioned bucket: ${error}`);
+        }
+    }
+
+    async deleteObjectByVersionID(objectKey, versionId) {
+            await s3.deleteObject({
+            Bucket: CONFIG.bucketName,
+            Key: objectKey,
+            VersionId: versionId
+        }).promise();
+    }
+
+    async getObjectByVersionID(objectKey, versionId) {
+        try {
+            const result = await s3.getObject({
+                Bucket: CONFIG.bucketName,
+                Key: objectKey,
+                VersionId: versionId
+            }).promise();
+            return result.Body;
+        } catch (error) {
+            console.error(`❌ Error getting object by version ID: ${error.message}`);
+            throw error;
+        }
+    }
+}
+
+async function main() {
+    const tester = new SimpleMPURaceTester();
+    console.log('🔄 Starting testing...');
+
+    await tester.createVersionedBucket(CONFIG.bucketName);
+        
+    if (!(await tester.checkBucket())) {
+        throw new Error('Cannot access bucket');
+    }
+
+    await tester.createTemplateObject();
+    const testId = `test-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
+        
+    const { objectKey, uploadId, partsList } = await tester.createMPU(testId);
+    console.log('objectkey:', objectKey);
+    console.log('uploadid:', uploadId);
+    console.log('partlist:', partsList);
+    const [result1, result2] = await Promise.all([
+        tester.completeMultipartUpload(objectKey, uploadId, partsList),
+        tester.completeMultipartUpload(objectKey, uploadId, partsList),
+    ]);
+
+    // await tester.completeMultipartUpload(objectKey, uploadId, partsList)
+
+    console.log(`✅ Multipart upload completed: ${result1} and ${result2}`);
+    console.log("✅ Multipart upload completed:", result1);
+    console.log("✅ Multipart upload completed:", result2);
+            
+    // const objectVersions = await tester.detectVulnerability(objectKey);
+    // await tester.deleteObjectByVersionID(objectKey, objectVersions[0].VersionId)
+    
+    // // console.log("2ND DETECTION")
+    // await tester.detectVulnerability(objectKey);
+
+    // await tester.getObjectByVersionID(objectKey, objectVersions[1].VersionId)
+}
+
+main();

tests/unit/Config.js

@@ -13,6 +13,7 @@ const {
 const {
     LOCATION_NAME_DMF,
 } = require('../constants');
+const constants = require('../../constants');
 
 const { ValidLifecycleRules: supportedLifecycleRules } = require('arsenal').models;
 
@@ -893,4 +894,34 @@ describe('Config', () => {
             assert.strictEqual(config.instanceId.length, 6);
         });
     });
+
+    describe('apisLengthLimits configuration', () => {
+        let sandbox;
+        let readFileStub;
+
+        beforeEach(() => {
+            sandbox = sinon.createSandbox();
+            readFileStub = sandbox.stub(fs, 'readFileSync');
+            readFileStub.callThrough();
+        });
+
+        afterEach(() => {
+            sandbox.restore();
+        });
+
+        it('should use default API and overwrite when config is provided', () => {
+            const multiObjectDeleteSize = 42;
+            const modifiedConfig = {
+                ...defaultConfig,
+                apiBodySizeLimits: { 'multiObjectDelete': multiObjectDeleteSize },
+            };
+            readFileStub.withArgs(sinon.match(/config.json$/)).returns(JSON.stringify(modifiedConfig));
+            const config = new ConfigObject();
+
+            assert.deepStrictEqual(config.apiBodySizeLimits, {
+                'multiObjectDelete': multiObjectDeleteSize, // Configured: overwrites default
+                'bucketPutPolicy': constants.defaultApiBodySizeLimits['bucketPutPolicy'], // Not configured: default
+            });
+        });
+    });
 });