[MCG] Using put-bucket-policy with wrong syntax under Resource result…

…s in InternalError instead of MalformedPolicy The malformed syntax should give malformed systax error. Issue: Square brackets ([ ]) in resource_bucket_part were misinterpreted in regex. Fix: Escape all regex special characters before inserting into RegExp(). Fixes: https://issues.redhat.com/browse/DFBUGS-1517 Signed-off-by: Vinayakswami Hariharmath <[email protected]>
noobaa · Feb 12, 2025 · 2280c6f · 2280c6f
1 parent 23aec8d
commit 2280c6f
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/endpoint/s3/s3_bucket_policy_utils.js b/src/endpoint/s3/s3_bucket_policy_utils.js
@@ -269,7 +269,12 @@ async function validate_s3_policy(policy, bucket_name, get_account_handler) {
         }
         for (const resource of _.flatten([statement.Resource || statement.NotResource])) {
             const resource_bucket_part = resource.split('/')[0];
-            const resource_regex = RegExp(`^${resource_bucket_part.replace(qm_regex, '.?').replace(ar_regex, '.*')}$`);
+            const resource_regex = RegExp(
+                `^${resource_bucket_part
+                .replace(/[-/^$+?.()|[\]{}]/g, '\\$&')
+                .replace(qm_regex, '.?')
+                .replace(ar_regex, '.*')}$`
+            );
             if (!resource_regex.test('arn:aws:s3:::' + bucket_name)) {
                 throw new RpcError('MALFORMED_POLICY', 'Policy has invalid resource', { detail: resource });
             }