aws-sdk-go-v2

Align SDK presigning behavior of expected bucket owner to match S3's

Open RanVaknin opened this issue 6 months ago • 0 comments

Describe the bug

The S3 API will only enforce the expected bucket owner parameter of a presigned URL if it's provided either as a signed header, or hoisted into the query string but only in lower case (x-amz-expected-bucket-owner).

Reference https://github.com/aws/aws-sdk-go-v2/issues/2484

Expected Behavior

Presigning requests with expected bucket owner should contain the header in the query parameter, in lower case.

Example request:

https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240217/us-east-1/s3/aws4_request&
X-Amz-Date=20240217T003121Z&
X-Amz-Expires=900&
X-Amz-SignedHeaders=host&
x-amz-expected-bucket-owner=REDACTED&
x-id=GetObject&
X-Amz-Signature=REDACTED

OK 200

Current Behavior

The header value is presigned as a signedHeader (works)

https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240217/us-east-1/s3/aws4_request&
X-Amz-Date=20240217T003338Z&
X-Amz-Expires=900&
X-Amz-SignedHeaders=host;x-amz-expected-bucket-owner&
x-id=GetObject&
X-Amz-Signature=REDACTED

OK 200

Reproduction Steps

Create a presigned get request with an expected bucket owner

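package main

import (
	"context"
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/s3"
)

// presignGet presigns a GetObject request with ExpectedBucketOwner set and prints the URL.
func presignGet() {
	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-east-1"))
	if err != nil {
		panic(err)
	}

	client := s3.NewFromConfig(cfg)

	presigner := s3.NewPresignClient(client)

	input := &s3.GetObjectInput{
		Bucket:              aws.String("testbucket"),
		Key:                 aws.String("foo"),
		ExpectedBucketOwner: aws.String("123456789012"),
	}
	signedRequest, err := presigner.PresignGetObject(context.TODO(),
		input,
		s3.WithPresignExpires(time.Minute*15),
	)
	if err != nil {
		panic(err) // signedRequest is nil when presigning fails
	}

	fmt.Printf("%v", signedRequest.URL)
}

func main() {
	presignGet()
}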

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.0

Compiler and Version used

1.20

Operating System and version

MacOS

RanVaknin, Feb 20 '24 21:02
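
A check a service could run on presigned URLs before handing them out, following the enforcement rule this issue describes (an added example, not code from the issue or the SDK). `ownerBinding` and its result labels are hypothetical names, and the sample URLs are constructed, with `;` written as `%3B` so that `net/url` accepts the query.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Query key and signed-header name, in the lower-case form the issue says S3 enforces.
const ownerKey = "x-amz-expected-bucket-owner"

// ownerBinding (hypothetical helper) classifies how a presigned URL carries the
// expected bucket owner: "query", "signed-header", "wrong-case" or "absent".
func ownerBinding(presigned string) (string, error) {
	u, err := url.Parse(presigned)
	if err != nil {
		return "", err
	}
	q, err := url.ParseQuery(u.RawQuery) // map keys stay case-sensitive
	if err != nil {
		return "", err
	}
	if q.Get(ownerKey) != "" {
		return "query", nil
	}
	for _, h := range strings.Split(q.Get("X-Amz-SignedHeaders"), ";") {
		if h == ownerKey {
			return "signed-header", nil
		}
	}
	for k := range q {
		if strings.EqualFold(k, ownerKey) {
			return "wrong-case", nil // present, but not in the enforced spelling
		}
	}
	return "absent", nil
}

func main() {
	// Constructed sample URLs (placeholder account ID, signature omitted).
	base := "https://testbucket.s3.us-east-1.amazonaws.com/foo.txt?X-Amz-Expires=900&"
	for _, qs := range []string{
		"X-Amz-SignedHeaders=host&x-amz-expected-bucket-owner=123456789012",
		"X-Amz-SignedHeaders=host%3Bx-amz-expected-bucket-owner",
		"X-Amz-SignedHeaders=host&X-Amz-Expected-Bucket-Owner=123456789012",
		"X-Amz-SignedHeaders=host",
	} {
		kind, err := ownerBinding(base + qs)
		fmt.Println(kind, err)
	}
}
```

A "signed-header" result means the client must also send that header with the request, since the URL itself does not carry the account ID.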