[MCG] Using put-bucket-policy with wrong syntax under Resource results in InternalError instead of MalformedPolicy

vh05 · vh05 · commit e40494ab874c · 2025-02-27T15:55:22.000+05:30
The malformed syntax should give malformed systax error. Issue: Square brackets ([ ]) in resource_bucket_part were misinterpreted in regex. Fix: Escape all regex special characters before inserting into RegExp(). Fixes: https://issues.redhat.com/browse/DFBUGS-1517 Signed-off-by: Vinayakswami Hariharmath <vharihar@redhat.com>
diff --git a/src/endpoint/s3/s3_bucket_policy_utils.js b/src/endpoint/s3/s3_bucket_policy_utils.js
@@ -91,6 +91,7 @@ const OP_NAME_TO_ACTION = Object.freeze({
 
 const qm_regex = /\?/g;
 const ar_regex = /\*/g;
+const esc_regex = /[-/^$+?.()|[\]{}]/g;
 
 const predicate_map = {
     'StringEquals': (request_value, policy_value) => request_value === policy_value,
@@ -277,8 +278,14 @@ async function validate_s3_policy(policy, bucket_name, get_account_handler) {
             throw new RpcError('MALFORMED_POLICY', 'Invalid principal in policy', { detail: statement.Principal });
         }
         for (const resource of _.flatten([statement.Resource || statement.NotResource])) {
+            console.log(`************* VINAYAK RESOURCE = ${resource}`);
             const resource_bucket_part = resource.split('/')[0];
-            const resource_regex = RegExp(`^${resource_bucket_part.replace(qm_regex, '.?').replace(ar_regex, '.*')}$`);
+            const resource_regex = RegExp(
+                `^${resource_bucket_part
+                .replace(esc_regex, '\\$&')
+                .replace(qm_regex, '.?')
+                .replace(ar_regex, '.*')}$`
+            );
             if (!resource_regex.test('arn:aws:s3:::' + bucket_name)) {
                 throw new RpcError('MALFORMED_POLICY', 'Policy has invalid resource', { detail: resource });
             }
diff --git a/src/test/unit_tests/test_bucketspace_fs.js b/src/test/unit_tests/test_bucketspace_fs.js
@@ -857,6 +857,27 @@ mocha.describe('bucketspace_fs', function() {
             }
         });
 
+        mocha.it('put_bucket_policy, Wrong Resouce list syntax', async function() {
+            const policy = {
+                Version: '2012-10-17',
+                Statement: [{
+                    Sid: 'id-22',
+                    Effect: 'Allow',
+                    Principal: { AWS: 'user10' },
+                    Action: ['s3:*'],
+                    Resource: "['arn:aws:s3:::*']"
+                }]
+            };
+            const param = { name: test_bucket, policy: policy };
+            try {
+                await bucketspace_fs.put_bucket_policy(param);
+                assert.fail('should have failed with invalid principal in policy');
+            } catch (err) {
+                assert.equal(err.rpc_code, 'MALFORMED_POLICY');
+                assert.equal(err.message, 'Invalid principal in policy');
+            }
+        });
+
         mocha.it('put_bucket_policy other account array', async function() {
             const policy = {
                 Version: '2012-10-17',
