Closed cthulhu-rider closed 3 months ago
It works as expected in mainnet (0.40.1): https://rest.fs.neo.org/v1/objects/5fNrip1bbWxtvKTwUXGrVcPBVXB3FQZ9T6jYihzZi2q2/EW2fuWx6eSgNiXcGSyrTLmTccojyCN439HviJh3B2a4X
Either it's a regression or something more specific.
> Either it's a regression

Node version is the same; which REST is served in the mainnet?
The latest one, 0.8.3.
If, in step 4, `deny head others` and/or `deny getrange others` is added, the object becomes unavailable. Seems like REST is smart enough to make do with HEAD and GETRANGE even w/o GET.
This turned out to be expected behavior for `/objects/<cid>/<oid>`, because it calls HEAD and GETRANGE separately. Instead, `/get/<cid>/<oid>` calls GET, which fails as expected.
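The point of the two comments above is that an eACL which only denies GET does not make an object unreadable, because a gateway route that fetches the header with HEAD and the payload with GETRANGE never issues a GET. The following is an added example, not code from the NeoFS REST gateway or the SDK: a small, stdlib-only Go model of ordered eACL records, evaluated first-match-wins, plus the two gateway routes named in the thread mapped to the node operations they issue. Assumptions that are mine rather than the page's: the route-to-operation mapping is taken literally from the comment (`/objects/...` = HEAD + GETRANGE, `/get/...` = GET), an operation no record mentions falls through to allow (the basic ACL in the reproduction lets OTHERS read), and all type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Operation is a NeoFS object operation as named in an eACL record.
type Operation string

const (
	OpGet      Operation = "GET"
	OpHead     Operation = "HEAD"
	OpGetRange Operation = "GETRANGE"
)

// Role is the target of an eACL record (USER / SYSTEM / OTHERS in NeoFS terms).
type Role string

const (
	RoleUser   Role = "USER"
	RoleOthers Role = "OTHERS"
)

// Record is one rule in CLI-style form "<allow|deny> <op> <role>", e.g. "deny get others".
type Record struct {
	Allow bool
	Op    Operation
	Role  Role
}

// ParseRecord parses the rule text exactly as it is written in the thread.
func ParseRecord(s string) (Record, error) {
	f := strings.Fields(strings.ToUpper(s))
	if len(f) != 3 {
		return Record{}, fmt.Errorf("want '<allow|deny> <op> <role>', got %q", s)
	}
	var allow bool
	switch f[0] {
	case "ALLOW":
		allow = true
	case "DENY":
		allow = false
	default:
		return Record{}, fmt.Errorf("unknown action %q", f[0])
	}
	return Record{Allow: allow, Op: Operation(f[1]), Role: Role(f[2])}, nil
}

// Table is an ordered eACL: the first record matching (op, role) decides.
type Table []Record

// Permits reports whether role may perform op. Model assumption (not the
// project's semantics): an operation no record mentions falls through to allow.
func (t Table) Permits(op Operation, role Role) bool {
	for _, r := range t {
		if r.Op == op && r.Role == role {
			return r.Allow
		}
	}
	return true
}

// Route lists the node operations a gateway endpoint issues (per the thread).
type Route struct {
	Path string
	Ops  []Operation
}

var (
	RouteObjects = Route{Path: "/objects/<cid>/<oid>", Ops: []Operation{OpHead, OpGetRange}}
	RouteGet     = Route{Path: "/get/<cid>/<oid>", Ops: []Operation{OpGet}}
)

// RouteReadable is true only if every operation the route needs is permitted:
// one denied HEAD or GETRANGE is enough to fail the whole download.
func RouteReadable(t Table, r Route, role Role) bool {
	for _, op := range r.Ops {
		if !t.Permits(op, role) {
			return false
		}
	}
	return true
}

// MustTable builds a Table from rule strings, panicking on a malformed rule.
func MustTable(rules ...string) Table {
	var t Table
	for _, s := range rules {
		r, err := ParseRecord(s)
		if err != nil {
			panic(err)
		}
		t = append(t, r)
	}
	return t
}

func main() {
	onlyGet := MustTable("deny get others")
	full := MustTable("deny get others", "deny head others", "deny getrange others")
	for _, tb := range []struct {
		name string
		t    Table
	}{{"deny get only", onlyGet}, {"deny get+head+getrange", full}} {
		for _, rt := range []Route{RouteObjects, RouteGet} {
			fmt.Printf("%-24s %-22s readable by OTHERS: %v\n", tb.name, rt.Path, RouteReadable(tb.t, rt, RoleOthers))
		}
	}
}
```

The practical check this encodes: when the intent is "others cannot read the payload", the eACL has to deny every read path a client could reassemble the object from (GET, HEAD and GETRANGE for OTHERS), not just GET; otherwise verifying with a GET-based client, as the CLI polling in the report did, gives a false sense of safety while a HEAD + GETRANGE consumer still succeeds.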
I was playing with NeoFS DevEnv and various access settings. I encountered a situation where a private object is expectedly inaccessible to an anonymous subject, incl. the REST gateway, but can be downloaded through the REST gateway itself.
Expected Behavior
Current Behavior
Possible Solution
At first I thought that maybe REST communicates with a node that cached allowed access settings that hadn't expired yet. But then I polled all the storage nodes via CLI, and they all denied. And REST is still a success.

Seems like REST unintentionally found a security loophole.
Steps to Reproduce (for bugs)
Helper Go test
```go
package rest_test

import (
	"context"
	"testing"

	// import paths assumed from the neofs-sdk-go package layout
	"github.com/nspcc-dev/neofs-sdk-go/client"
	cid "github.com/nspcc-dev/neofs-sdk-go/container/id"
	"github.com/nspcc-dev/neofs-sdk-go/crypto/test"
	oid "github.com/nspcc-dev/neofs-sdk-go/object/id"
	"github.com/nspcc-dev/neofs-sdk-go/user"
	usertest "github.com/nspcc-dev/neofs-sdk-go/user/test"
	"github.com/stretchr/testify/require"
)

// TestDownload checks that a freshly generated (i.e. anonymous, "others") key
// cannot GET the private object directly from a DevEnv storage node.
func TestDownload(t *testing.T) {
	const strCID = "FdFrW1Sv12yeWWVmYDP4kA9LBKS3xvz7MufgmWCUXyF3"
	const strOID = "CZxSG4keAyJqVAUa1ghBysryhZDKngEs7j3fxZ9ZsSG6"

	var cnr cid.ID
	require.NoError(t, cnr.DecodeString(strCID))
	var obj oid.ID
	require.NoError(t, obj.DecodeString(strOID))

	cl, err := client.New(client.PrmInit{})
	require.NoError(t, err)

	var dialPrm client.PrmDial
	dialPrm.SetServerURI("s01.neofs.devenv:8080")
	require.NoError(t, cl.Dial(dialPrm))
	t.Cleanup(func() { cl.Close() })

	// random key => the request is evaluated as coming from OTHERS
	signer := user.NewSigner(test.RandomSigner(t), usertest.ID(t))

	// GET must be denied by the container's access settings
	_, _, err = cl.ObjectGetInit(context.Background(), cnr, obj, signer, client.PrmObjectGet{})
	require.Error(t, err)
}
```
Regression
I don't know yet.
Your Environment