refactor: backend-authoritative team scope and config/input hardening

This commit is contained in:
zhom
2026-07-07 22:45:07 +04:00
parent 8162ad5a82
commit 78803ab289
6 changed files with 196 additions and 110 deletions
+14 -4
View File
@@ -1,5 +1,6 @@
import { timingSafeEqual } from "node:crypto";
import {
BadRequestException,
Body,
Controller,
Headers,
@@ -38,9 +39,18 @@ export class InternalController {
throw new UnauthorizedException("Invalid internal key");
}
return this.syncService.cleanupExcessProfiles(
body.userId,
body.maxProfiles,
);
// The userId is interpolated into a destructive S3 delete prefix
// (users/{userId}/profiles/), so constrain it to a plain id — no empty
// value, no slashes/dots that could widen or redirect the prefix.
const userId = body?.userId;
if (typeof userId !== "string" || !/^[A-Za-z0-9_-]{1,128}$/.test(userId)) {
throw new BadRequestException("Invalid userId");
}
const maxProfiles = body?.maxProfiles;
if (!Number.isInteger(maxProfiles) || maxProfiles < 0) {
throw new BadRequestException("Invalid maxProfiles");
}
return this.syncService.cleanupExcessProfiles(userId, maxProfiles);
}
}
+59 -76
View File
@@ -13,6 +13,7 @@ import {
} from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
import {
BadRequestException,
ForbiddenException,
Injectable,
Logger,
@@ -82,23 +83,34 @@ export class SyncService implements OnModuleInit {
private readonly logger = new Logger(SyncService.name);
private s3Client: S3Client;
private bucket: string;
// Upper bound on presign batch array length (DoS guard).
private static readonly MAX_BATCH_ITEMS = 1000;
private changeSubject = new Subject<SubscribeEventDto>();
private s3Ready = false;
private backendInternalUrl: string | undefined;
private backendInternalKey: string | undefined;
constructor(private configService: ConfigService) {
const endpoint =
this.configService.get<string>("S3_ENDPOINT") || "http://localhost:8987";
// Fail fast instead of silently falling back to insecure local dev defaults
// (localhost / minioadmin) — a misconfigured server must not start pointed
// at an unintended or public-default S3 backend.
const requireEnv = (name: string): string => {
const value = this.configService.get<string>(name);
if (!value) {
throw new Error(`Required environment variable ${name} is not set`);
}
return value;
};
const endpoint = requireEnv("S3_ENDPOINT");
const region = this.configService.get<string>("S3_REGION") || "us-east-1";
const accessKeyId =
this.configService.get<string>("S3_ACCESS_KEY_ID") || "minioadmin";
const secretAccessKey =
this.configService.get<string>("S3_SECRET_ACCESS_KEY") || "minioadmin";
const accessKeyId = requireEnv("S3_ACCESS_KEY_ID");
const secretAccessKey = requireEnv("S3_SECRET_ACCESS_KEY");
const forcePathStyle =
this.configService.get<string>("S3_FORCE_PATH_STYLE") !== "false";
this.bucket = this.configService.get<string>("S3_BUCKET") || "donut-sync";
this.bucket = requireEnv("S3_BUCKET");
this.s3Client = new S3Client({
endpoint,
@@ -181,7 +193,6 @@ export class SyncService implements OnModuleInit {
*/
private scopeKey(ctx: UserContext, key: string): string {
if (ctx.mode === "self-hosted") return key;
if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return key;
return `${ctx.prefix}${key}`;
}
@@ -192,9 +203,7 @@ export class SyncService implements OnModuleInit {
*/
private scopesFor(ctx: UserContext): string[] {
if (ctx.mode === "self-hosted") return [""];
const out = [ctx.prefix];
if (ctx.teamPrefix) out.push(ctx.teamPrefix);
return out;
return [ctx.prefix];
}
/**
@@ -243,9 +252,6 @@ export class SyncService implements OnModuleInit {
*/
private scopeForKey(ctx: UserContext, scopedKey: string): string | null {
if (ctx.mode === "self-hosted") return "";
if (ctx.teamPrefix && scopedKey.startsWith(ctx.teamPrefix)) {
return ctx.teamPrefix;
}
if (scopedKey.startsWith(ctx.prefix)) return ctx.prefix;
return null;
}
@@ -258,7 +264,6 @@ export class SyncService implements OnModuleInit {
if (ctx.mode === "self-hosted") return;
if (key.startsWith(ctx.prefix)) return;
if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return;
throw new ForbiddenException("Access denied to this key");
}
@@ -422,6 +427,9 @@ export class SyncService implements OnModuleInit {
async list(dto: ListRequestDto, ctx?: UserContext): Promise<ListResponseDto> {
const prefix = ctx ? this.scopeKey(ctx, dto.prefix) : dto.prefix;
// Enforce scope on the read side too, so a crafted absolute prefix can't
// enumerate another tenant's objects.
if (ctx) this.validateKeyAccess(ctx, prefix);
const response = await this.s3Client.send(
new ListObjectsV2Command({
@@ -433,15 +441,12 @@ export class SyncService implements OnModuleInit {
);
const userPrefix = ctx?.prefix || "";
const teamPrefix = ctx?.teamPrefix || "";
const objects = (response.Contents || [])
// Don't leak donut-sync's internal manifest object to clients.
.filter((obj) => !(obj.Key || "").endsWith(MANIFEST_KEY))
.map((obj) => {
let key = obj.Key || "";
if (teamPrefix && key.startsWith(teamPrefix)) {
key = key.substring(teamPrefix.length);
} else if (userPrefix && key.startsWith(userPrefix)) {
if (userPrefix && key.startsWith(userPrefix)) {
key = key.substring(userPrefix.length);
}
return {
@@ -462,6 +467,16 @@ export class SyncService implements OnModuleInit {
dto: PresignUploadBatchRequestDto,
ctx: UserContext,
): Promise<PresignUploadBatchResponseDto> {
// Cap batch size: each item triggers a signing operation, so an unbounded
// array is a CPU/memory amplification vector for an authenticated caller.
if (
!Array.isArray(dto.items) ||
dto.items.length > SyncService.MAX_BATCH_ITEMS
) {
throw new BadRequestException(
`items must be an array of at most ${SyncService.MAX_BATCH_ITEMS} entries`,
);
}
// Check profile limit for cloud users
if (ctx.mode === "cloud" && ctx.profileLimit > 0) {
await this.checkProfileLimit(ctx);
@@ -520,6 +535,14 @@ export class SyncService implements OnModuleInit {
dto: PresignDownloadBatchRequestDto,
ctx: UserContext,
): Promise<PresignDownloadBatchResponseDto> {
if (
!Array.isArray(dto.keys) ||
dto.keys.length > SyncService.MAX_BATCH_ITEMS
) {
throw new BadRequestException(
`keys must be an array of at most ${SyncService.MAX_BATCH_ITEMS} entries`,
);
}
const expiresIn = clampExpiresIn(dto.expiresIn);
const expiresAt = new Date(Date.now() + expiresIn * 1000);
@@ -551,6 +574,15 @@ export class SyncService implements OnModuleInit {
ctx: UserContext,
): Promise<DeletePrefixResponseDto> {
const prefix = this.scopeKey(ctx, dto.prefix);
// Bulk delete is the highest-blast-radius op, yet it was the only mutating
// path that skipped this check — so a client passing an absolute prefix
// (one already starting with its own/team scope, which scopeKey returns
// verbatim) could wipe an entire shared namespace. Enforce scope, and
// refuse an empty scoped prefix (which would match the whole scope).
this.validateKeyAccess(ctx, prefix);
if (ctx.mode === "cloud" && prefix.length === 0) {
throw new ForbiddenException("Refusing to delete an empty prefix");
}
let deletedCount = 0;
let tombstoneCreated = false;
let continuationToken: string | undefined;
@@ -593,6 +625,7 @@ export class SyncService implements OnModuleInit {
// Create tombstone if requested
if (dto.tombstoneKey && deletedCount > 0) {
const scopedTombstoneKey = this.scopeKey(ctx, dto.tombstoneKey);
this.validateKeyAccess(ctx, scopedTombstoneKey);
const tombstoneData = JSON.stringify({
prefix: dto.prefix,
deleted_at: dto.deletedAt || new Date().toISOString(),
@@ -929,22 +962,9 @@ export class SyncService implements OnModuleInit {
);
count += userResult.CommonPrefixes?.length || 0;
if (ctx.teamPrefix && ctx.teamProfileLimit && ctx.teamProfileLimit > 0) {
const teamResult = await this.s3Client.send(
new ListObjectsV2Command({
Bucket: this.bucket,
Prefix: `${ctx.teamPrefix}profiles/`,
Delimiter: "/",
}),
);
const teamCount = teamResult.CommonPrefixes?.length || 0;
if (teamCount >= ctx.teamProfileLimit) {
throw new ForbiddenException(
`Team profile limit reached (${ctx.teamProfileLimit}). Ask the team owner to upgrade.`,
);
}
}
// ctx.prefix is already the effective namespace (the team owner's, for a
// team member) and ctx.profileLimit the effective (team) limit, so this
// single check covers both personal and team accounts.
if (count >= ctx.profileLimit) {
throw new ForbiddenException(
`Profile limit reached (${ctx.profileLimit}). Upgrade your plan for more profiles.`,
@@ -985,37 +1005,10 @@ export class SyncService implements OnModuleInit {
return match ? match[1] : null;
}
private async countTeamProfiles(ctx: UserContext): Promise<number> {
if (!ctx.teamPrefix) return 0;
const profilePrefix = `${ctx.teamPrefix}profiles/`;
let count = 0;
let continuationToken: string | undefined;
do {
const result = await this.s3Client.send(
new ListObjectsV2Command({
Bucket: this.bucket,
Prefix: profilePrefix,
Delimiter: "/",
MaxKeys: 1000,
ContinuationToken: continuationToken,
}),
);
count += result.CommonPrefixes?.length || 0;
continuationToken = result.NextContinuationToken;
} while (continuationToken);
return count;
}
private extractTeamId(ctx: UserContext): string | null {
if (!ctx.teamPrefix) return null;
const match = ctx.teamPrefix.match(/^teams\/([^/]+)\/$/);
return match ? match[1] : null;
}
/**
* Fire-and-forget: count profiles and report to backend.
* Fire-and-forget: count profiles and report to backend. The count is for the
* effective namespace (the team owner's, for a team member), reported against
* that namespace's user id — i.e. the team account for teams.
*/
private reportProfileUsageAsync(ctx: UserContext): void {
if (!this.backendInternalUrl || !this.backendInternalKey) return;
@@ -1024,17 +1017,7 @@ export class SyncService implements OnModuleInit {
if (!userId) return;
this.countProfiles(ctx)
.then(async (count) => {
await this.reportProfileUsage(userId, count);
if (ctx.teamPrefix) {
const teamCount = await this.countTeamProfiles(ctx);
const teamId = this.extractTeamId(ctx);
if (teamId) {
await this.reportProfileUsage(teamId, teamCount);
}
}
})
.then((count) => this.reportProfileUsage(userId, count))
.catch((err) =>
this.logger.warn(`Failed to report profile usage: ${err.message}`),
);