
- Fix Readme docs about HEADER_PREFIXES_ALLOWED
- Fix comments in s3_gateway_test
- Add unit test testIsHeaderToBeAllowed
gawsoftpl committed May 1, 2024
1 parent 713da5f commit 8170509
Showing 3 changed files with 16 additions and 4 deletions.
1 change: 0 additions & 1 deletion common/etc/nginx/include/s3gateway.js
Expand Up @@ -140,7 +140,6 @@ function editHeaders(r) {
* sent on to the requesting client.
* @param headerName {string} Lowercase HTTP header name
* @param additionalHeadersToStrip {Array<string>} array of additional headers to remove
* @param additionalHeadersToAllow {Array<string>} array of additional headers to allow
* @returns {boolean} true if header should be removed
*/
function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) {
4 changes: 2 additions & 2 deletions docs/getting_started.md
Expand Up @@ -39,8 +39,8 @@ running as a Container or as a Systemd service.
| `PROXY_CACHE_VALID_FORBIDDEN` | No | | `30s` | Sets caching time for response code 403 |
| `PROVIDE_INDEX_PAGE` | No | `true`, `false` | `false` | Flag which returns the index page if there is one when requesting a directory. |
| `JS_TRUSTED_CERT_PATH` | No | | | Enables the `js_fetch_trusted_certificate` directive when retrieving AWS credentials and sets the path (on the container) to the specified path |
| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` |
| `HEADER_PREFIXES_ALLOWED` | No | | | A list of HTTP header allowed prefixes from headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-amz-;x-something-` |
| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers from client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-goog-;x-something-. Headers starting with x-amz- will be stripped by default for security reasons unless explicitly added in HEADER_PREFIXES_ALLOWED. |
| `HEADER_PREFIXES_ALLOWED` | No | | | A list of allowed prefixes for HTTP headers that are returned to the client in responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-amz-;x-something-. It is NOT recommended to return x-amz- headers for security reasons. Think carefully about what is allowed here. |
| `CORS_ENABLED` | No | `true`, `false` | `false` | Flag that enables CORS headers on GET requests and enables pre-flight OPTIONS requests. If enabled, this will add CORS headers for "fully open" cross domain requests by default, meaning all domains are allowed, similar to the settings show in [this example](https://enable-cors.org/server_nginx.html). CORS settings can be fine-tuned by overwriting the [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. |
| `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) |
| `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). |
15 changes: 14 additions & 1 deletion test/unit/s3gateway_test.js
Expand Up @@ -142,14 +142,15 @@ function testEditHeaders() {
}

s3gateway.editHeaders(r);

for (const key in r.headersOut) {
if (key.toLowerCase().indexOf("x-amz", 0) >= 0) {
throw "x-amz header not stripped from headers correctly";
}
}
}


function testEditHeadersHeadDirectory() {
printHeader('testEditHeadersHeadDirectory');
let r = {
Expand Down Expand Up @@ -192,6 +193,18 @@ function testIsHeaderToBeStripped() {
}
}

function testIsHeaderToBeAllowed() {
printHeader('testIsHeaderToBeAllowed');

if (!s3gateway._isHeaderToBeAllowed('x-amz-abc', ['x-amz-'])) {
throw "x-amz-abc header should be allowed";
}

if (s3gateway._isHeaderToBeAllowed('x-amz-xyz',['x-amz-abc'])) {
throw "x-amz-xyz header should be stripped";
}
}

function testEscapeURIPathPreservesDoubleSlashes() {
printHeader('testEscapeURIPathPreservesDoubleSlashes');
var doubleSlashed = '/testbucketer2/foo3//bar3/somedir/license';
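Review bot: testIsHeaderToBeAllowed covers one matching and one non-matching prefix but never pins the default-deny case that docs/getting_started.md in this same commit describes (x-amz- headers are stripped unless explicitly listed in HEADER_PREFIXES_ALLOWED), so a regression where an empty allow list lets everything through would still pass. Add a third check with an empty list, `if (s3gateway._isHeaderToBeAllowed('x-amz-abc', [])) { throw "x-amz-abc header should not be allowed with an empty allow list"; }`. The message on the second check says "should be stripped" although the function under test decides allowing rather than stripping; `throw "x-amz-xyz header should not be allowed";` describes the assertion accurately. The part of the file that invokes each test function is outside this hunk; presumably the new function has to be registered there as well, otherwise it never runs.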
