From 817050944c709262cb576fafaa53e6c0f0fa5e9d Mon Sep 17 00:00:00 2001
From: Pitos
Date: Wed, 1 May 2024 02:10:00 +0200
Subject: [PATCH] - Fix Readme docs about HEADER_PREFIXES_ALLOWED - Fix comments in s3_gateway_test - Add unit test testIsHeaderToBeAllowed
---
common/etc/nginx/include/s3gateway.js | 1 -
docs/getting_started.md | 4 ++--
test/unit/s3gateway_test.js | 15 ++++++++++++++-
3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js
index f5668b23..2c3e6771 100644
--- a/common/etc/nginx/include/s3gateway.js
+++ b/common/etc/nginx/include/s3gateway.js
@@ -140,7 +140,6 @@ function editHeaders(r) {
 * sent on to the requesting client.
 * @param headerName {string} Lowercase HTTP header name
 * @param additionalHeadersToStrip {Array} array of additional headers to remove
- * @param additionalHeadersToAllow {Array} array of additional headers to allow
 * @returns {boolean} true if header should be removed
 */
 function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) {
diff --git a/docs/getting_started.md b/docs/getting_started.md
index 4911a366..e7554123 100644
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -39,8 +39,8 @@ running as a Container or as a Systemd service.
 | `PROXY_CACHE_VALID_FORBIDDEN` | No | | `30s` | Sets caching time for response code 403 |
 | `PROVIDE_INDEX_PAGE` | No | `true`, `false` | `false` | Flag which returns the index page if there is one when requesting a directory. |
 | `JS_TRUSTED_CERT_PATH` | No | | | Enables the `js_fetch_trusted_certificate` directive when retrieving AWS credentials and sets the path (on the container) to the specified path |
-| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` |
-| `HEADER_PREFIXES_ALLOWED` | No | | | A list of HTTP header allowed prefixes from headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-amz-;x-something-` |
+| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers from client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-goog-;x-something-. Headers starting with x-amz- will be stripped by default for security reasons unless explicitly added in HEADER_PREFIXES_ALLOWED. |
+| `HEADER_PREFIXES_ALLOWED` | No | | | A list of allowed prefixes for HTTP headers that are returned to the client in responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-amz-;x-something-. It is NOT recommended to return x-amz- headers for security reasons. Think carefully about what is allowed here. |
 | `CORS_ENABLED` | No | `true`, `false` | `false` | Flag that enables CORS headers on GET requests and enables pre-flight OPTIONS requests. 
If enabled, this will add CORS headers for "fully open" cross domain requests by default, meaning all domains are allowed, similar to the settings show in [this example](https://enable-cors.org/server_nginx.html). CORS settings can be fine-tuned by overwriting the [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. |
 | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) |
 | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). |
diff --git a/test/unit/s3gateway_test.js b/test/unit/s3gateway_test.js
index bb23fa15..20ffe63b 100755
--- a/test/unit/s3gateway_test.js
+++ b/test/unit/s3gateway_test.js
@@ -142,7 +142,7 @@ function testEditHeaders() {
 }
 s3gateway.editHeaders(r);
-
+
 for (const key in r.headersOut) {
 if (key.toLowerCase().indexOf("x-amz", 0) >= 0) {
 throw "x-amz header not stripped from headers correctly";
@@ -150,6 +150,7 @@ function testEditHeaders() {
 }
 }
+
 function testEditHeadersHeadDirectory() {
 printHeader('testEditHeadersHeadDirectory');
 let r = {
@@ -192,6 +193,18 @@ function testIsHeaderToBeStripped() {
 }
 }
+function testIsHeaderToBeAllowed() {
+ printHeader('testIsHeaderToBeAllowed');
+
+ if (!s3gateway._isHeaderToBeAllowed('x-amz-abc', ['x-amz-'])) {
+ throw "x-amz-abc header should be allowed";
+ }
+
+ if (s3gateway._isHeaderToBeAllowed('x-amz-xyz',['x-amz-abc'])) {
+ throw "x-amz-xyz header should be stripped";
+ }
+}
+
 function testEscapeURIPathPreservesDoubleSlashes() {
 printHeader('testEscapeURIPathPreservesDoubleSlashes');
 var doubleSlashed = '/testbucketer2/foo3//bar3/somedir/license';
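Review bot: The failure message on the second check in the new testIsHeaderToBeAllowed says the header "should be stripped", but `_isHeaderToBeAllowed` only decides whether a header is allowed, so the message misdescribes the failed assertion; `throw "x-amz-xyz header should not be allowed";` matches what is actually checked. The test also leaves the default configuration unpinned: the docs row in this same patch states that x-amz- headers are stripped unless explicitly allowed, so a case with an empty allow list would guard that, e.g. `if (s3gateway._isHeaderToBeAllowed('x-amz-abc', [])) { throw "x-amz-abc header should not be allowed by default"; }`. Because HEADER_PREFIXES_ALLOWED is documented as a list of prefixes, a header that merely contains an allowed prefix later in its name (for example `'x-something-x-amz-abc'` against `['x-amz-']`) is worth asserting as not allowed, assuming the implementation is meant to be a prefix match rather than a substring match — the implementation is not visible in this patch. Minor: the argument spacing in the second call (`'x-amz-xyz',['x-amz-abc']`) differs from the first call and from the rest of the file.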