From 7f814f8772ad414a15bdc1a78fe734033e77c37a Mon Sep 17 00:00:00 2001
From: chrislu
Date: Thu, 20 Nov 2025 22:00:55 -0800
Subject: [PATCH] fix security vulnerability
---
 weed/s3api/s3api_bucket_handlers.go | 9 +++++++--
 weed/s3api/s3api_bucket_handlers_test.go | 6 +++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index f7a405cf3..73cbd5b00 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -122,8 +122,13 @@ func isBucketVisibleToIdentity(entry *filer_pb.Entry, identity *Identity) bool {
 return false
 }
 
- // Unauthenticated or admin users bypass ownership check
- if identity == nil || identity.isAdmin() {
+ // Unauthenticated users should not see any buckets (standard S3 behavior)
+ if identity == nil {
+ return false
+ }
+
+ // Admin users bypass ownership check
+ if identity.isAdmin() {
 return true
 }
 
diff --git a/weed/s3api/s3api_bucket_handlers_test.go b/weed/s3api/s3api_bucket_handlers_test.go
index c26947c9c..40137412d 100644
--- a/weed/s3api/s3api_bucket_handlers_test.go
+++ b/weed/s3api/s3api_bucket_handlers_test.go
@@ -298,15 +298,15 @@ func TestListBucketsOwnershipFiltering(t *testing.T) {
 description: "Buckets without owner should be hidden from non-admin users",
 },
 {
- name: "empty identityId skips ownership check",
+ name: "unauthenticated user sees no buckets",
 buckets: []testBucket{
 {name: "owned-bucket", ownerId: "user1"},
 {name: "unowned-bucket", ownerId: ""},
 },
 requestIdentityId: "",
 requestIsAdmin: false,
- expectedBucketNames: []string{"owned-bucket", "unowned-bucket"},
- description: "When identityId is empty, ownership check is skipped, all buckets visible",
+ expectedBucketNames: []string{},
+ description: "Unauthenticated requests should not see any buckets",
 },
 {
 name: "admin sees buckets regardless of ownership",
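Review bot: The new `if identity == nil { return false }` guard treats every nil identity as an unauthenticated caller, but nothing visible here distinguishes that from a deployment where the caller passes nil because authentication is not configured at all; if that second case exists, bucket listing there would silently return nothing. Failing closed is the right default for an authenticated gateway, so I would keep the guard and state the contract in the function's doc comment, e.g. `// A nil identity means the request was not authenticated and sees no buckets; callers that run without auth must skip this filter.` The body of isBucketVisibleToIdentity starts and ends outside this hunk, so it is worth confirming that its other callers, and any sibling check that relied on the old nil-means-allow convention, were reviewed with this change.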
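Review bot: The renamed case still expresses "unauthenticated" as `requestIdentityId: ""`, while the handler fix keys on `identity == nil`; how the table driver turns an empty ID into an identity is outside this hunk, so this case may be exercising a non-nil identity with an empty ID rather than the nil path. I would pin both explicitly, with one case that passes a nil identity and one with a non-nil identity whose ID is empty, so a regression to the old allow-all behaviour is caught on either path. It is also worth checking that the comparison treats `[]string{}` and a nil result slice as equal, otherwise `expectedBucketNames: []string{}` can fail for a reason unrelated to visibility.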