From 7c3a0ed8747fafbf0f5bfb3ab3c9249d4a2115ea Mon Sep 17 00:00:00 2001
From: Tom Crasset <25140344+tcrasset@users.noreply.github.com>
Date: Tue, 28 Jan 2025 14:42:03 +0100
Subject: [PATCH] return error on invalid action in PutUserPolicy (#6482)
---
 weed/iamapi/iamapi_management_handlers.go | 5 +++++
 .../iamapi/iamapi_management_handlers_test.go | 21 +++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/weed/iamapi/iamapi_management_handlers.go b/weed/iamapi/iamapi_management_handlers.go
index baa153cd6..094ca2332 100644
--- a/weed/iamapi/iamapi_management_handlers.go
+++ b/weed/iamapi/iamapi_management_handlers.go
@@ -343,6 +343,11 @@ func GetActions(policy *PolicyDocument) ([]string, error) {
 continue
 }
 statementAction := MapToStatementAction(act[1])
+
+ if statementAction == "" {
+ return nil, fmt.Errorf("not a valid action: '%s'", act[1])
+ }
+
 path := res[5]
 if path == "*" {
 actions = append(actions, statementAction)
diff --git a/weed/iamapi/iamapi_management_handlers_test.go b/weed/iamapi/iamapi_management_handlers_test.go
index 9b4a92c24..eac82caa7 100644
--- a/weed/iamapi/iamapi_management_handlers_test.go
+++ b/weed/iamapi/iamapi_management_handlers_test.go
@@ -69,3 +69,24 @@ func TestGetActionsWildcardPath(t *testing.T) {
 }
 assert.Equal(t, expectedActions, actions)
 }
+
+func TestGetActionsInvalidAction(t *testing.T) {
+ policyDocument := PolicyDocument{
+ Version: "2012-10-17",
+ Statement: []*Statement{
+ {
+ Effect: "Allow",
+ Action: []string{
+ "s3:InvalidAction",
+ },
+ Resource: []string{
+ "arn:aws:s3:::shared/user-Alice/*",
+ },
+ },
+ },
+ }
+
+ _, err := GetActions(&policyDocument)
+ assert.NotNil(t, err)
+ assert.Equal(t, "not a valid action: 'InvalidAction'", err.Error())
+}
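Review bot: The new error in GetActions interpolates `act[1]` with `'%s'`, and that value is taken from the policy's Action entries, so embedded quotes or control characters pass through verbatim into whatever response or log carries the error. `return nil, fmt.Errorf("not a valid action: %q", act[1])` quotes and escapes it; the assertion in TestGetActionsInvalidAction pins the exact message and would need to change to match. The `continue` just above the new check suggests other malformed entries are still skipped rather than rejected (its condition is outside the hunk), which is worth confirming so a policy is either accepted in full or refused. GetActions starts and ends outside the hunk.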
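Review bot: In TestGetActionsInvalidAction, `assert.NotNil(t, err)` does not stop the test, so if GetActions ever returns a nil error the following `err.Error()` panics with a nil dereference instead of reporting a clean failure. `assert.EqualError(t, err, "not a valid action: 'InvalidAction'")` covers both checks in one call and fails gracefully on nil. The test also discards the first return value; asserting that it is nil would pin that no partial action list is handed back alongside the error.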