mirror of
https://github.com/zhom/donutbrowser.git
synced 2026-07-11 15:16:34 +02:00
refactor: backend-authoritative team scope and config/input hardening
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
import { timingSafeEqual } from "node:crypto";
|
||||
import {
|
||||
BadRequestException,
|
||||
Body,
|
||||
Controller,
|
||||
Headers,
|
||||
@@ -38,9 +39,18 @@ export class InternalController {
|
||||
throw new UnauthorizedException("Invalid internal key");
|
||||
}
|
||||
|
||||
return this.syncService.cleanupExcessProfiles(
|
||||
body.userId,
|
||||
body.maxProfiles,
|
||||
);
|
||||
// The userId is interpolated into a destructive S3 delete prefix
|
||||
// (users/{userId}/profiles/), so constrain it to a plain id — no empty
|
||||
// value, no slashes/dots that could widen or redirect the prefix.
|
||||
const userId = body?.userId;
|
||||
if (typeof userId !== "string" || !/^[A-Za-z0-9_-]{1,128}$/.test(userId)) {
|
||||
throw new BadRequestException("Invalid userId");
|
||||
}
|
||||
const maxProfiles = body?.maxProfiles;
|
||||
if (!Number.isInteger(maxProfiles) || maxProfiles < 0) {
|
||||
throw new BadRequestException("Invalid maxProfiles");
|
||||
}
|
||||
|
||||
return this.syncService.cleanupExcessProfiles(userId, maxProfiles);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ import {
|
||||
} from "@aws-sdk/client-s3";
|
||||
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
|
||||
import {
|
||||
BadRequestException,
|
||||
ForbiddenException,
|
||||
Injectable,
|
||||
Logger,
|
||||
@@ -82,23 +83,34 @@ export class SyncService implements OnModuleInit {
|
||||
private readonly logger = new Logger(SyncService.name);
|
||||
private s3Client: S3Client;
|
||||
private bucket: string;
|
||||
// Upper bound on presign batch array length (DoS guard).
|
||||
private static readonly MAX_BATCH_ITEMS = 1000;
|
||||
|
||||
private changeSubject = new Subject<SubscribeEventDto>();
|
||||
private s3Ready = false;
|
||||
private backendInternalUrl: string | undefined;
|
||||
private backendInternalKey: string | undefined;
|
||||
|
||||
constructor(private configService: ConfigService) {
|
||||
const endpoint =
|
||||
this.configService.get<string>("S3_ENDPOINT") || "http://localhost:8987";
|
||||
// Fail fast instead of silently falling back to insecure local dev defaults
|
||||
// (localhost / minioadmin) — a misconfigured server must not start pointed
|
||||
// at an unintended or public-default S3 backend.
|
||||
const requireEnv = (name: string): string => {
|
||||
const value = this.configService.get<string>(name);
|
||||
if (!value) {
|
||||
throw new Error(`Required environment variable ${name} is not set`);
|
||||
}
|
||||
return value;
|
||||
};
|
||||
|
||||
const endpoint = requireEnv("S3_ENDPOINT");
|
||||
const region = this.configService.get<string>("S3_REGION") || "us-east-1";
|
||||
const accessKeyId =
|
||||
this.configService.get<string>("S3_ACCESS_KEY_ID") || "minioadmin";
|
||||
const secretAccessKey =
|
||||
this.configService.get<string>("S3_SECRET_ACCESS_KEY") || "minioadmin";
|
||||
const accessKeyId = requireEnv("S3_ACCESS_KEY_ID");
|
||||
const secretAccessKey = requireEnv("S3_SECRET_ACCESS_KEY");
|
||||
const forcePathStyle =
|
||||
this.configService.get<string>("S3_FORCE_PATH_STYLE") !== "false";
|
||||
|
||||
this.bucket = this.configService.get<string>("S3_BUCKET") || "donut-sync";
|
||||
this.bucket = requireEnv("S3_BUCKET");
|
||||
|
||||
this.s3Client = new S3Client({
|
||||
endpoint,
|
||||
@@ -181,7 +193,6 @@ export class SyncService implements OnModuleInit {
|
||||
*/
|
||||
private scopeKey(ctx: UserContext, key: string): string {
|
||||
if (ctx.mode === "self-hosted") return key;
|
||||
if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return key;
|
||||
return `${ctx.prefix}${key}`;
|
||||
}
|
||||
|
||||
@@ -192,9 +203,7 @@ export class SyncService implements OnModuleInit {
|
||||
*/
|
||||
private scopesFor(ctx: UserContext): string[] {
|
||||
if (ctx.mode === "self-hosted") return [""];
|
||||
const out = [ctx.prefix];
|
||||
if (ctx.teamPrefix) out.push(ctx.teamPrefix);
|
||||
return out;
|
||||
return [ctx.prefix];
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -243,9 +252,6 @@ export class SyncService implements OnModuleInit {
|
||||
*/
|
||||
private scopeForKey(ctx: UserContext, scopedKey: string): string | null {
|
||||
if (ctx.mode === "self-hosted") return "";
|
||||
if (ctx.teamPrefix && scopedKey.startsWith(ctx.teamPrefix)) {
|
||||
return ctx.teamPrefix;
|
||||
}
|
||||
if (scopedKey.startsWith(ctx.prefix)) return ctx.prefix;
|
||||
return null;
|
||||
}
|
||||
@@ -258,7 +264,6 @@ export class SyncService implements OnModuleInit {
|
||||
if (ctx.mode === "self-hosted") return;
|
||||
|
||||
if (key.startsWith(ctx.prefix)) return;
|
||||
if (ctx.teamPrefix && key.startsWith(ctx.teamPrefix)) return;
|
||||
|
||||
throw new ForbiddenException("Access denied to this key");
|
||||
}
|
||||
@@ -422,6 +427,9 @@ export class SyncService implements OnModuleInit {
|
||||
|
||||
async list(dto: ListRequestDto, ctx?: UserContext): Promise<ListResponseDto> {
|
||||
const prefix = ctx ? this.scopeKey(ctx, dto.prefix) : dto.prefix;
|
||||
// Enforce scope on the read side too, so a crafted absolute prefix can't
|
||||
// enumerate another tenant's objects.
|
||||
if (ctx) this.validateKeyAccess(ctx, prefix);
|
||||
|
||||
const response = await this.s3Client.send(
|
||||
new ListObjectsV2Command({
|
||||
@@ -433,15 +441,12 @@ export class SyncService implements OnModuleInit {
|
||||
);
|
||||
|
||||
const userPrefix = ctx?.prefix || "";
|
||||
const teamPrefix = ctx?.teamPrefix || "";
|
||||
const objects = (response.Contents || [])
|
||||
// Don't leak donut-sync's internal manifest object to clients.
|
||||
.filter((obj) => !(obj.Key || "").endsWith(MANIFEST_KEY))
|
||||
.map((obj) => {
|
||||
let key = obj.Key || "";
|
||||
if (teamPrefix && key.startsWith(teamPrefix)) {
|
||||
key = key.substring(teamPrefix.length);
|
||||
} else if (userPrefix && key.startsWith(userPrefix)) {
|
||||
if (userPrefix && key.startsWith(userPrefix)) {
|
||||
key = key.substring(userPrefix.length);
|
||||
}
|
||||
return {
|
||||
@@ -462,6 +467,16 @@ export class SyncService implements OnModuleInit {
|
||||
dto: PresignUploadBatchRequestDto,
|
||||
ctx: UserContext,
|
||||
): Promise<PresignUploadBatchResponseDto> {
|
||||
// Cap batch size: each item triggers a signing operation, so an unbounded
|
||||
// array is a CPU/memory amplification vector for an authenticated caller.
|
||||
if (
|
||||
!Array.isArray(dto.items) ||
|
||||
dto.items.length > SyncService.MAX_BATCH_ITEMS
|
||||
) {
|
||||
throw new BadRequestException(
|
||||
`items must be an array of at most ${SyncService.MAX_BATCH_ITEMS} entries`,
|
||||
);
|
||||
}
|
||||
// Check profile limit for cloud users
|
||||
if (ctx.mode === "cloud" && ctx.profileLimit > 0) {
|
||||
await this.checkProfileLimit(ctx);
|
||||
@@ -520,6 +535,14 @@ export class SyncService implements OnModuleInit {
|
||||
dto: PresignDownloadBatchRequestDto,
|
||||
ctx: UserContext,
|
||||
): Promise<PresignDownloadBatchResponseDto> {
|
||||
if (
|
||||
!Array.isArray(dto.keys) ||
|
||||
dto.keys.length > SyncService.MAX_BATCH_ITEMS
|
||||
) {
|
||||
throw new BadRequestException(
|
||||
`keys must be an array of at most ${SyncService.MAX_BATCH_ITEMS} entries`,
|
||||
);
|
||||
}
|
||||
const expiresIn = clampExpiresIn(dto.expiresIn);
|
||||
const expiresAt = new Date(Date.now() + expiresIn * 1000);
|
||||
|
||||
@@ -551,6 +574,15 @@ export class SyncService implements OnModuleInit {
|
||||
ctx: UserContext,
|
||||
): Promise<DeletePrefixResponseDto> {
|
||||
const prefix = this.scopeKey(ctx, dto.prefix);
|
||||
// Bulk delete is the highest-blast-radius op, yet it was the only mutating
|
||||
// path that skipped this check — so a client passing an absolute prefix
|
||||
// (one already starting with its own/team scope, which scopeKey returns
|
||||
// verbatim) could wipe an entire shared namespace. Enforce scope, and
|
||||
// refuse an empty scoped prefix (which would match the whole scope).
|
||||
this.validateKeyAccess(ctx, prefix);
|
||||
if (ctx.mode === "cloud" && prefix.length === 0) {
|
||||
throw new ForbiddenException("Refusing to delete an empty prefix");
|
||||
}
|
||||
let deletedCount = 0;
|
||||
let tombstoneCreated = false;
|
||||
let continuationToken: string | undefined;
|
||||
@@ -593,6 +625,7 @@ export class SyncService implements OnModuleInit {
|
||||
// Create tombstone if requested
|
||||
if (dto.tombstoneKey && deletedCount > 0) {
|
||||
const scopedTombstoneKey = this.scopeKey(ctx, dto.tombstoneKey);
|
||||
this.validateKeyAccess(ctx, scopedTombstoneKey);
|
||||
const tombstoneData = JSON.stringify({
|
||||
prefix: dto.prefix,
|
||||
deleted_at: dto.deletedAt || new Date().toISOString(),
|
||||
@@ -929,22 +962,9 @@ export class SyncService implements OnModuleInit {
|
||||
);
|
||||
count += userResult.CommonPrefixes?.length || 0;
|
||||
|
||||
if (ctx.teamPrefix && ctx.teamProfileLimit && ctx.teamProfileLimit > 0) {
|
||||
const teamResult = await this.s3Client.send(
|
||||
new ListObjectsV2Command({
|
||||
Bucket: this.bucket,
|
||||
Prefix: `${ctx.teamPrefix}profiles/`,
|
||||
Delimiter: "/",
|
||||
}),
|
||||
);
|
||||
const teamCount = teamResult.CommonPrefixes?.length || 0;
|
||||
if (teamCount >= ctx.teamProfileLimit) {
|
||||
throw new ForbiddenException(
|
||||
`Team profile limit reached (${ctx.teamProfileLimit}). Ask the team owner to upgrade.`,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// ctx.prefix is already the effective namespace (the team owner's, for a
|
||||
// team member) and ctx.profileLimit the effective (team) limit, so this
|
||||
// single check covers both personal and team accounts.
|
||||
if (count >= ctx.profileLimit) {
|
||||
throw new ForbiddenException(
|
||||
`Profile limit reached (${ctx.profileLimit}). Upgrade your plan for more profiles.`,
|
||||
@@ -985,37 +1005,10 @@ export class SyncService implements OnModuleInit {
|
||||
return match ? match[1] : null;
|
||||
}
|
||||
|
||||
private async countTeamProfiles(ctx: UserContext): Promise<number> {
|
||||
if (!ctx.teamPrefix) return 0;
|
||||
const profilePrefix = `${ctx.teamPrefix}profiles/`;
|
||||
let count = 0;
|
||||
let continuationToken: string | undefined;
|
||||
|
||||
do {
|
||||
const result = await this.s3Client.send(
|
||||
new ListObjectsV2Command({
|
||||
Bucket: this.bucket,
|
||||
Prefix: profilePrefix,
|
||||
Delimiter: "/",
|
||||
MaxKeys: 1000,
|
||||
ContinuationToken: continuationToken,
|
||||
}),
|
||||
);
|
||||
count += result.CommonPrefixes?.length || 0;
|
||||
continuationToken = result.NextContinuationToken;
|
||||
} while (continuationToken);
|
||||
|
||||
return count;
|
||||
}
|
||||
|
||||
private extractTeamId(ctx: UserContext): string | null {
|
||||
if (!ctx.teamPrefix) return null;
|
||||
const match = ctx.teamPrefix.match(/^teams\/([^/]+)\/$/);
|
||||
return match ? match[1] : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Fire-and-forget: count profiles and report to backend.
|
||||
* Fire-and-forget: count profiles and report to backend. The count is for the
|
||||
* effective namespace (the team owner's, for a team member), reported against
|
||||
* that namespace's user id — i.e. the team account for teams.
|
||||
*/
|
||||
private reportProfileUsageAsync(ctx: UserContext): void {
|
||||
if (!this.backendInternalUrl || !this.backendInternalKey) return;
|
||||
@@ -1024,17 +1017,7 @@ export class SyncService implements OnModuleInit {
|
||||
if (!userId) return;
|
||||
|
||||
this.countProfiles(ctx)
|
||||
.then(async (count) => {
|
||||
await this.reportProfileUsage(userId, count);
|
||||
|
||||
if (ctx.teamPrefix) {
|
||||
const teamCount = await this.countTeamProfiles(ctx);
|
||||
const teamId = this.extractTeamId(ctx);
|
||||
if (teamId) {
|
||||
await this.reportProfileUsage(teamId, teamCount);
|
||||
}
|
||||
}
|
||||
})
|
||||
.then((count) => this.reportProfileUsage(userId, count))
|
||||
.catch((err) =>
|
||||
this.logger.warn(`Failed to report profile usage: ${err.message}`),
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user