s3api: reject invalid namespace query in REST table routes

12 hours ago · c340b7d824
2 changed files with 79 additions and 7 deletions
--- a/weed/s3api/s3api_tables.go
+++ b/weed/s3api/s3api_tables.go
@ -226,17 +226,16 @@ func parseOptionalIntParam(r *http.Request, name string) (int, error) {
 	return parsed, nil
 }
 func parseOptionalNamespace(r *http.Request, name string) []string {
 func parseOptionalNamespace(r *http.Request, name string) ([]string, error) {
 	value := r.URL.Query().Get(name)
 	if value == "" {
 		return nil
 		return nil, nil
 	}
 	parts, err := s3tables.ParseNamespace(value)
 	if err != nil {
 		glog.V(1).Infof("invalid namespace value for %s: %q: %v", name, value, err)
 		return nil
 		return nil, fmt.Errorf("invalid %s: %w", name, err)
 	}
 	return parts
 	return parts, nil
 }
 func parseRequiredNamespacePathParam(r *http.Request, name string) ([]string, error) {
@ -412,13 +411,17 @@ func buildListTablesRequest(r *http.Request) (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
 	namespace, err := parseOptionalNamespace(r, "namespace")
 	if err != nil {
 		return nil, err
 	}
 	maxTables, err := parseOptionalIntParam(r, "maxTables")
 	if err != nil {
 		return nil, err
 	}
 	return &s3tables.ListTablesRequest{
 		TableBucketARN:    tableBucketARN,
 		Namespace:         parseOptionalNamespace(r, "namespace"),
 		Namespace:         namespace,
 		Prefix:            r.URL.Query().Get("prefix"),
 		ContinuationToken: r.URL.Query().Get("continuationToken"),
 		MaxTables:         maxTables,
@ -433,7 +436,11 @@ func buildGetTableRequest(r *http.Request) (interface{}, error) {
 	}
 	if tableARN == "" {
 		req.TableBucketARN = query.Get("tableBucketARN")
 		req.Namespace = parseOptionalNamespace(r, "namespace")
 		namespace, err := parseOptionalNamespace(r, "namespace")
 		if err != nil {
 			return nil, err
 		}
 		req.Namespace = namespace
 		req.Name = query.Get("name")
 		if req.TableBucketARN == "" || len(req.Namespace) == 0 || req.Name == "" {
 			return nil, fmt.Errorf("either tableArn or (tableBucketARN, namespace, name) must be provided")
--- a/weed/s3api/s3api_tables_rest_validation_test.go
+++ b/weed/s3api/s3api_tables_rest_validation_test.go
@ -0,0 +1,65 @@
 package s3api
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/gorilla/mux"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3tables"
 )
 const testTableBucketARN = "arn:aws:s3tables:us-east-1:123456789012:bucket/test-bucket"
 func TestBuildListTablesRequestRejectsInvalidNamespaceQuery(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/tables?namespace=InvalidNamespace", nil)
 	req = mux.SetURLVars(req, map[string]string{"tableBucketARN": testTableBucketARN})
 	_, err := buildListTablesRequest(req)
 	if err == nil {
 		t.Fatalf("expected invalid namespace query to return an error")
 	}
 	if !strings.Contains(err.Error(), "invalid namespace") {
 		t.Fatalf("expected invalid namespace error, got %q", err.Error())
 	}
 }
 func TestBuildGetTableRequestRejectsInvalidNamespaceQuery(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/get-table?tableBucketARN="+url.QueryEscape(testTableBucketARN)+"&namespace=InvalidNamespace&name=table1", nil)
 	_, err := buildGetTableRequest(req)
 	if err == nil {
 		t.Fatalf("expected invalid namespace query to return an error")
 	}
 	if !strings.Contains(err.Error(), "invalid namespace") {
 		t.Fatalf("expected invalid namespace error, got %q", err.Error())
 	}
 }
 func TestHandleRestOperationReturnsBadRequestForInvalidNamespaceQuery(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/tables?namespace=InvalidNamespace", nil)
 	req = mux.SetURLVars(req, map[string]string{"tableBucketARN": testTableBucketARN})
 	rr := httptest.NewRecorder()
 	st := &S3TablesApiServer{}
 	st.handleRestOperation("ListTables", buildListTablesRequest).ServeHTTP(rr, req)
 	if rr.Code != http.StatusBadRequest {
 		t.Fatalf("expected status %d, got %d", http.StatusBadRequest, rr.Code)
 	}
 	var body map[string]string
 	if err := json.Unmarshal(rr.Body.Bytes(), &body); err != nil {
 		t.Fatalf("failed to decode error response: %v", err)
 	}
 	if got, want := body["__type"], s3tables.ErrCodeInvalidRequest; got != want {
 		t.Fatalf("expected __type=%q, got %q", want, got)
 	}
 	if !strings.Contains(body["message"], "invalid namespace") {
 		t.Fatalf("expected invalid namespace error message, got %q", body["message"])
 	}
 }