search

oxyno-zeta / s3-proxy

S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)
https://oxyno-zeta.github.io/s3-proxy/
Apache License 2.0
303 stars 34 forks source link

folder-list page leads to Internal server error #310

Closed j0nm1 closed 2 years ago

j0nm1 commented 2 years ago

Hi, I'm trying to disable the folder list page (index). But as there is no direct way, I'm overriding the template as described here: https://github.com/oxyno-zeta/s3-proxy/issues/237. But this seems not to work as expected.

Describe the bug When using an access token that only has the permissions "s3:GetObject" it seems to be impossible to disable the folder-list page without overriding the internal-server-error template as well. The proxy application will receive a 403 when trying to receive the list of folders (even if the template does not require it). This leads to the internal server error page even when replacing the folder-list template.

To Reproduce Steps to reproduce the behavior:

  1. Configure the proxy application with an access key with the policy: 
    {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}
  2. Change the config to use the 403 template for the list-folder page (as I want to disable the access to the folders): 
      templates:
    helpers:
      - templates/_helpers.tpl
    folderList:
      path: templates/forbidden-error.tpl
      headers:
        Content-Type: '{{ template "main.headers.contentType" . }}'
      status: "403"
  3. When accessing the folder-list page you will receive an internal server error page instead of the expected access-denied page.

Expected behavior The folder-list page returns the access-denied template (or there is a way to disable the listing entirely).

oxyno-zeta commented 2 years ago

Hello,

I see the missunderstood here. The behaviour is "normal". I will explain why:

The folder list template is used only when the listing is performed with success.

A solution to make it works is to change your policy to add the s3:ListBucket action and you will have to create a new template for your 403 error. The default one you are trying to use have an error field as required parameter and this won't be present. You can copy paste the forbidden template without the ".Error" part.

Regards,

Oxyno-zeta

j0nm1 commented 2 years ago

Wouldn't it be possible to disable the listing functionality entirely? I think adding ListBucketpermissions isn't that great because the application shouldn't be able to perform this operation.

oxyno-zeta commented 2 years ago

Hello @j0nm1 ,

I'm afraid that no for the moment. The solution listed above is the required one to have it working like you expect. Maybe in the future. By the way, if I make a "disable listing" flag, this will probably fallback on file stream which will respond with a 404 not found. Will this be ok ?

Edit: that will completely disable the index document feature

Regards,

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days