From 8dad1700ef73c9b234a8b5708e96106f979436d5 Mon Sep 17 00:00:00 2001 From: Pitos Date: Sat, 27 Apr 2024 04:14:15 +0200 Subject: [PATCH 01/10] Add S3_SERVICE_REMOVE_X_AMZ_HEADERS header flag for use case where you want to have x-amz headers in nginx proxy --- common/etc/nginx/include/s3gateway.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index d9e016a8..ce7815f0 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -40,7 +40,7 @@ _requireEnvVars('S3_REGION'); _requireEnvVars('AWS_SIGS_VERSION'); _requireEnvVars('S3_STYLE'); _requireEnvVars('S3_SERVICE'); - +_requireEnvVars('S3_SERVICE_REMOVE_X_AMZ_HEADERS'); /** * Flag indicating debug mode operation. If true, additional information @@ -89,6 +89,12 @@ const INDEX_PAGE = "index.html"; */ const SERVICE = process.env['S3_SERVICE'] || "s3"; +/** + * Indicate whether you want to delete the x-maz headers. + * @type {boolean} + */ +const S3_SERVICE_REMOVE_X_AMZ_HEADERS = utils.parseBoolean(process.env['S3_SERVICE_REMOVE_X_AMZ_HEADERS'] || 'true'); + /** * Transform the headers returned from S3 such that there isn't information * leakage about S3 and do other tasks needed for appropriate gateway output. @@ -131,7 +137,7 @@ function editHeaders(r) { * @returns {boolean} true if header should be removed */ function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) { - if (headerName.indexOf('x-amz-', 0) >= 0) { + if (S3_SERVICE_REMOVE_X_AMZ_HEADERS && headerName.indexOf('x-amz-', 0) >= 0) { return true; } From 9ffe12e5b8840837d7c75dce99e4488e380ef625 Mon Sep 17 00:00:00 2001 From: Pitos Date: Sat, 27 Apr 2024 04:21:42 +0200 Subject: [PATCH 02/10] Update docs --- common/etc/nginx/include/s3gateway.js | 2 +- docs/getting_started.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index ce7815f0..57dc7f89 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -90,7 +90,7 @@ const INDEX_PAGE = "index.html"; const SERVICE = process.env['S3_SERVICE'] || "s3"; /** - * Indicate whether you want to delete the x-maz headers. + * Indicate whether you want to delete the x-amz headers. Default remove x-amz for security reasons. * @type {boolean} */ const S3_SERVICE_REMOVE_X_AMZ_HEADERS = utils.parseBoolean(process.env['S3_SERVICE_REMOVE_X_AMZ_HEADERS'] || 'true'); diff --git a/docs/getting_started.md b/docs/getting_started.md index e1e6d072..57a637eb 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -44,6 +44,8 @@ running as a Container or as a Systemd service. | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | +|`S3_SERVICE_REMOVE_X_AMZ_HEADERS` | No | `true`, `false` | `true` | Indicate whether you want to delete the x-amz headers. Default remove x-amz for security reasons. +| If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html), you will need to omit the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` variables from From 0adbe911fbcd6ee7e7e7b6a036d648580cbec60d Mon Sep 17 00:00:00 2001 From: Pitos Date: Sat, 27 Apr 2024 04:24:00 +0200 Subject: [PATCH 03/10] Update docs --- docs/getting_started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting_started.md b/docs/getting_started.md index 57a637eb..227c37c1 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -45,7 +45,7 @@ running as a Container or as a Systemd service. | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | |`S3_SERVICE_REMOVE_X_AMZ_HEADERS` | No | `true`, `false` | `true` | Indicate whether you want to delete the x-amz headers. Default remove x-amz for security reasons. -| + If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html), you will need to omit the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` variables from From 35bcbba6aa5d2014ac2fd0da23196ffd40f71396 Mon Sep 17 00:00:00 2001 From: Pitos Date: Sat, 27 Apr 2024 04:24:37 +0200 Subject: [PATCH 04/10] Update docs --- docs/getting_started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting_started.md b/docs/getting_started.md index 227c37c1..a28deda7 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -44,7 +44,7 @@ running as a Container or as a Systemd service. | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | -|`S3_SERVICE_REMOVE_X_AMZ_HEADERS` | No | `true`, `false` | `true` | Indicate whether you want to delete the x-amz headers. Default remove x-amz for security reasons. +|`S3_SERVICE_REMOVE_X_AMZ_HEADERS` | No | `true`, `false` | `true` | Indicate whether you want to delete the x-amz headers. Default remove all x-amz-* for security reasons. If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html), From 91de535513c4083506096300de2232929e99eac5 Mon Sep 17 00:00:00 2001 From: Pitos Date: Mon, 29 Apr 2024 16:15:37 +0200 Subject: [PATCH 05/10] set S3_SERVICE_REMOVE_X_AMZ_HEADERS as not required --- common/etc/nginx/include/s3gateway.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index 57dc7f89..7af61028 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -40,7 +40,7 @@ _requireEnvVars('S3_REGION'); _requireEnvVars('AWS_SIGS_VERSION'); _requireEnvVars('S3_STYLE'); _requireEnvVars('S3_SERVICE'); -_requireEnvVars('S3_SERVICE_REMOVE_X_AMZ_HEADERS'); + /** * Flag indicating debug mode operation. If true, additional information From b791c7c76738e604935f2fbab1541e98cf17871d Mon Sep 17 00:00:00 2001 From: Pitos Date: Tue, 30 Apr 2024 13:55:17 +0200 Subject: [PATCH 06/10] Add header HEADER_PREFIXES_ALLOWED for force allow some headers from client responses --- common/etc/nginx/include/s3gateway.js | 43 +++++++++++++++++++++------ docs/getting_started.md | 5 ++-- 2 files changed, 37 insertions(+), 11 deletions(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index 7af61028..a3775ca7 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -77,6 +77,14 @@ const S3_STYLE = process.env['S3_STYLE']; * @type {Array} * */ const ADDITIONAL_HEADER_PREFIXES_TO_STRIP = utils.parseArray(process.env['HEADER_PREFIXES_TO_STRIP']); + +/** + * Additional header prefixes to allow from the response before sending to the + * client. This is opposite to HEADER_PREFIXES_TO_STRIP. + * @type {Array} + * */ +const ADDITIONAL_HEADER_PREFIXES_ALLOWED = utils.parseArray(process.env['HEADER_PREFIXES_ALLOWED']); + /** * Default filename for index pages to be read off of the backing object store. * @type {string} @@ -89,12 +97,6 @@ const INDEX_PAGE = "index.html"; */ const SERVICE = process.env['S3_SERVICE'] || "s3"; -/** - * Indicate whether you want to delete the x-amz headers. Default remove x-amz for security reasons. - * @type {boolean} - */ -const S3_SERVICE_REMOVE_X_AMZ_HEADERS = utils.parseBoolean(process.env['S3_SERVICE_REMOVE_X_AMZ_HEADERS'] || 'true'); - /** * Transform the headers returned from S3 such that there isn't information * leakage about S3 and do other tasks needed for appropriate gateway output. @@ -106,15 +108,19 @@ function editHeaders(r) { r.method === 'HEAD' && _isDirectory(decodeURIComponent(r.variables.uri_path)); - /* Strips all x-amz- headers from the output HTTP headers so that the + /* Strips all x-amz- (if x-amz- is not in ADDITIONAL_HEADER_PREFIXES_ALLOWED) headers from the output HTTP headers so that the * requesters to the gateway will not know you are proxying S3. */ if ('headersOut' in r) { for (const key in r.headersOut) { + const headerName = key.toLowerCase() /* We delete all headers when it is a directory head request because * none of the information is relevant for passing on via a gateway. */ if (isDirectoryHeadRequest) { delete r.headersOut[key]; - } else if (_isHeaderToBeStripped(key.toLowerCase(), ADDITIONAL_HEADER_PREFIXES_TO_STRIP)) { + } else if ( + !_isHeaderToBeAlloweed(headerName, ADDITIONAL_HEADER_PREFIXES_ALLOWED) + && _isHeaderToBeStripped(headerName, ADDITIONAL_HEADER_PREFIXES_TO_STRIP) + ) { delete r.headersOut[key]; } } @@ -134,10 +140,11 @@ function editHeaders(r) { * sent on to the requesting client. * @param headerName {string} Lowercase HTTP header name * @param additionalHeadersToStrip {Array} array of additional headers to remove + * @param additionalHeadersToAllow {Array} array of additional headers to allow * @returns {boolean} true if header should be removed */ function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) { - if (S3_SERVICE_REMOVE_X_AMZ_HEADERS && headerName.indexOf('x-amz-', 0) >= 0) { + if (headerName.indexOf('x-amz-', 0) >= 0) { return true; } @@ -151,6 +158,24 @@ function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) { return false; } +/** + * Determines if a given HTTP header should be force alloweed from requesting client. + * @param headerName {string} Lowercase HTTP header name + * @param additionalHeadersToAllow {Array} array of additional headers to allow + * @returns {boolean} true if header should be removed + */ +function _isHeaderToBeAlloweed(headerName, additionalHeadersToAllow) { + + for (let i = 0; i < additionalHeadersToAllow.length; i++) { + const headerToAllow = additionalHeadersToAllow[i]; + if (headerName.indexOf(headerToAllow, 0) >= 0) { + return true; + } + } + + return false; +} + /** * Outputs the timestamp used to sign the request, so that it can be added to * the 'Date' header and sent by NGINX. diff --git a/docs/getting_started.md b/docs/getting_started.md index a28deda7..4911a366 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -39,12 +39,13 @@ running as a Container or as a Systemd service. | `PROXY_CACHE_VALID_FORBIDDEN` | No | | `30s` | Sets caching time for response code 403 | | `PROVIDE_INDEX_PAGE` | No | `true`, `false` | `false` | Flag which returns the index page if there is one when requesting a directory. | | `JS_TRUSTED_CERT_PATH` | No | | | Enables the `js_fetch_trusted_certificate` directive when retrieving AWS credentials and sets the path (on the container) to the specified path | -| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` | +| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` | +| `HEADER_PREFIXES_ALLOWED` | No | | | A list of HTTP header allowed prefixes from headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-amz-;x-something-` | | `CORS_ENABLED` | No | `true`, `false` | `false` | Flag that enables CORS headers on GET requests and enables pre-flight OPTIONS requests. If enabled, this will add CORS headers for "fully open" cross domain requests by default, meaning all domains are allowed, similar to the settings show in [this example](https://enable-cors.org/server_nginx.html). CORS settings can be fine-tuned by overwriting the [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. | | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | -|`S3_SERVICE_REMOVE_X_AMZ_HEADERS` | No | `true`, `false` | `true` | Indicate whether you want to delete the x-amz headers. Default remove all x-amz-* for security reasons. +| If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html), From 713da5fe7533f05958af5b34c294a559eb5892a9 Mon Sep 17 00:00:00 2001 From: Pitos Date: Tue, 30 Apr 2024 13:56:52 +0200 Subject: [PATCH 07/10] Type correction --- common/etc/nginx/include/s3gateway.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index a3775ca7..f5668b23 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -118,7 +118,7 @@ function editHeaders(r) { if (isDirectoryHeadRequest) { delete r.headersOut[key]; } else if ( - !_isHeaderToBeAlloweed(headerName, ADDITIONAL_HEADER_PREFIXES_ALLOWED) + !_isHeaderToBeAllowed(headerName, ADDITIONAL_HEADER_PREFIXES_ALLOWED) && _isHeaderToBeStripped(headerName, ADDITIONAL_HEADER_PREFIXES_TO_STRIP) ) { delete r.headersOut[key]; @@ -159,12 +159,12 @@ function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) { } /** - * Determines if a given HTTP header should be force alloweed from requesting client. + * Determines if a given HTTP header should be force allowed from requesting client. * @param headerName {string} Lowercase HTTP header name * @param additionalHeadersToAllow {Array} array of additional headers to allow * @returns {boolean} true if header should be removed */ -function _isHeaderToBeAlloweed(headerName, additionalHeadersToAllow) { +function _isHeaderToBeAllowed(headerName, additionalHeadersToAllow) { for (let i = 0; i < additionalHeadersToAllow.length; i++) { const headerToAllow = additionalHeadersToAllow[i]; From 817050944c709262cb576fafaa53e6c0f0fa5e9d Mon Sep 17 00:00:00 2001 From: Pitos Date: Wed, 1 May 2024 02:10:00 +0200 Subject: [PATCH 08/10] - Fix Readme docs about HEADER_PREFIXES_ALLOWED - Fix comments in s3_gateway_test - Add unit test testIsHeaderToBeAllowed --- common/etc/nginx/include/s3gateway.js | 1 - docs/getting_started.md | 4 ++-- test/unit/s3gateway_test.js | 15 ++++++++++++++- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/common/etc/nginx/include/s3gateway.js b/common/etc/nginx/include/s3gateway.js index f5668b23..2c3e6771 100644 --- a/common/etc/nginx/include/s3gateway.js +++ b/common/etc/nginx/include/s3gateway.js @@ -140,7 +140,6 @@ function editHeaders(r) { * sent on to the requesting client. * @param headerName {string} Lowercase HTTP header name * @param additionalHeadersToStrip {Array} array of additional headers to remove - * @param additionalHeadersToAllow {Array} array of additional headers to allow * @returns {boolean} true if header should be removed */ function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) { diff --git a/docs/getting_started.md b/docs/getting_started.md index 4911a366..e7554123 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -39,8 +39,8 @@ running as a Container or as a Systemd service. | `PROXY_CACHE_VALID_FORBIDDEN` | No | | `30s` | Sets caching time for response code 403 | | `PROVIDE_INDEX_PAGE` | No | `true`, `false` | `false` | Flag which returns the index page if there is one when requesting a directory. | | `JS_TRUSTED_CERT_PATH` | No | | | Enables the `js_fetch_trusted_certificate` directive when retrieving AWS credentials and sets the path (on the container) to the specified path | -| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-goog-;x-something-` | -| `HEADER_PREFIXES_ALLOWED` | No | | | A list of HTTP header allowed prefixes from headers client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: `x-amz-;x-something-` | +| `HEADER_PREFIXES_TO_STRIP` | No | | | A list of HTTP header prefixes that exclude headers from client responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-goog-;x-something-. Headers starting with x-amz- will be stripped by default for security reasons unless explicitly added in HEADER_PREFIXES_ALLOWED. | +| `HEADER_PREFIXES_ALLOWED` | No | | | A list of allowed prefixes for HTTP headers that are returned to the client in responses. List should be specified in lower-case and a semicolon (;) should be used to as a deliminator between values. For example: x-amz-;x-something-. It is NOT recommended to return x-amz- headers for security reasons. Think carefully about what is allowed here. | | `CORS_ENABLED` | No | `true`, `false` | `false` | Flag that enables CORS headers on GET requests and enables pre-flight OPTIONS requests. If enabled, this will add CORS headers for "fully open" cross domain requests by default, meaning all domains are allowed, similar to the settings show in [this example](https://enable-cors.org/server_nginx.html). CORS settings can be fine-tuned by overwriting the [`cors.conf.template`](/common/etc/nginx/templates/gateway/cors.conf.template) file. | | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | diff --git a/test/unit/s3gateway_test.js b/test/unit/s3gateway_test.js index bb23fa15..20ffe63b 100755 --- a/test/unit/s3gateway_test.js +++ b/test/unit/s3gateway_test.js @@ -142,7 +142,7 @@ function testEditHeaders() { } s3gateway.editHeaders(r); - + for (const key in r.headersOut) { if (key.toLowerCase().indexOf("x-amz", 0) >= 0) { throw "x-amz header not stripped from headers correctly"; @@ -150,6 +150,7 @@ function testEditHeaders() { } } + function testEditHeadersHeadDirectory() { printHeader('testEditHeadersHeadDirectory'); let r = { @@ -192,6 +193,18 @@ function testIsHeaderToBeStripped() { } } +function testIsHeaderToBeAllowed() { + printHeader('testIsHeaderToBeAllowed'); + + if (!s3gateway._isHeaderToBeAllowed('x-amz-abc', ['x-amz-'])) { + throw "x-amz-abc header should be allowed"; + } + + if (s3gateway._isHeaderToBeAllowed('x-amz-xyz',['x-amz-abc'])) { + throw "x-amz-xyz header should be stripped"; + } +} + function testEscapeURIPathPreservesDoubleSlashes() { printHeader('testEscapeURIPathPreservesDoubleSlashes'); var doubleSlashed = '/testbucketer2/foo3//bar3/somedir/license'; From 8690f15ca2b96edb59ae0456ca00f75342796eb6 Mon Sep 17 00:00:00 2001 From: Pitos Date: Wed, 1 May 2024 02:20:21 +0200 Subject: [PATCH 09/10] Add unit test testEditHeadersWithAllowedPrefixes --- test/unit/s3gateway_test.js | 39 +++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/test/unit/s3gateway_test.js b/test/unit/s3gateway_test.js index 20ffe63b..45c0e44e 100755 --- a/test/unit/s3gateway_test.js +++ b/test/unit/s3gateway_test.js @@ -150,6 +150,45 @@ function testEditHeaders() { } } +function testEditHeadersWithAllowedPrefixes() { + printHeader('testEditHeadersWithAllowedPrefixes'); + + process.env['HEADER_PREFIXES_ALLOWED'] = 'x-amz-' + const r = { + "headersOut": { + "Accept-Ranges": "bytes", + "Content-Length": 42, + "Content-Security-Policy": "block-all-mixed-content", + "Content-Type": "text/plain", + "X-Amz-Bucket-Region": "us-east-1", + "X-Amz-Request-Id": "166539E18A46500A", + "X-Xss-Protection": "1; mode=block" + }, + "variables": { + "uri_path": "/a/c/ramen.jpg" + }, + } + + r.log = function(msg) { + console.log(msg); + } + + s3gateway.editHeaders(r); + + let found_headers_x_amz_ = 0 + for (const key in r.headersOut) { + if (key.toLowerCase().indexOf("x-amz", 0) == 0) { + found_headers_x_amz_++; + } + } + + if (found_headers_x_amz_ != 2) + throw "x-amz header stripped from headers, should allow those 2 headers"; + + delete process.env['HEADER_PREFIXES_ALLOWED'] + +} + function testEditHeadersHeadDirectory() { printHeader('testEditHeadersHeadDirectory'); From 8691f0357873efad28689f1a438060de6229876e Mon Sep 17 00:00:00 2001 From: Pitos Date: Thu, 2 May 2024 00:28:49 +0200 Subject: [PATCH 10/10] Add Header_prefixes_alloweed to docker-entrypoint --- common/docker-entrypoint.d/00-check-for-required-env.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/common/docker-entrypoint.d/00-check-for-required-env.sh b/common/docker-entrypoint.d/00-check-for-required-env.sh index a09a76a1..31b1947f 100755 --- a/common/docker-entrypoint.d/00-check-for-required-env.sh +++ b/common/docker-entrypoint.d/00-check-for-required-env.sh @@ -134,4 +134,5 @@ echo "Directory Listing Path Prefix: ${DIRECTORY_LISTING_PATH_PREFIX}" echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}" echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}" echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}" +echo "Allow the following headers from responses (these take precendence over the above): ${HEADER_PREFIXES_ALLOWED}" echo "CORS Enabled: ${CORS_ENABLED}"