Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OperationBlobSASPermission not requiring "r" permission for a number of operations #2299

Closed
qc00 opened this issue Nov 21, 2023 · 2 comments
Closed

OperationBlobSASPermission not requiring "r" permission for a number of operations #2299

qc00 opened this issue Nov 21, 2023 · 2 comments
Assignees
@blueww
Labels
blob-storage bug Something isn't working

Comments

@qc00
Copy link

qc00 commented Nov 21, 2023

Which service(blob, file, queue, table) does this issue concern?

blob (but others might also be wrong)

Which version of the Azurite was used?

master

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

irrelevant

What problem was encountered?

Per Azure docs calling GET on a container requires the SAS token to have "r" permission; however, Azurite code does not enforce that:

Azurite/src/blob/authentication/OperationBlobSASPermission.ts

Lines 62 to 69 in caa3429

OPERATION_BLOB_SAS_BLOB_PERMISSIONS.set(
Operation.Container_GetProperties,
new OperationBlobSASPermission()
);
OPERATION_BLOB_SAS_BLOB_PERMISSIONS.set(
Operation.Container_GetPropertiesWithHead,
new OperationBlobSASPermission()
);

In fact, it's not enforcing the permission for a lot of operations.

Steps to reproduce the issue?

Have you found a mitigation/solution?

Patching the source code.
@qc00 qc00 mentioned this issue Nov 21, 2023
Merged
@blueww
Copy link
Member

blueww commented Nov 22, 2023
edited
Loading

@qc00

It looks this issue related with the code change in 4209080.
The above code you mentioned is for blob SAS, and Blob SAS is not allowed to do container Get properties (container SAS also not allowed, only account sas allowed, see link1, link2), so there are no permission set, which mean this operation is not allowed with blob SAS.
However, with the above code change, the operation without permission will pass authentication validation. We will check this and see how to fix it.

@blueww blueww self-assigned this Nov 22, 2023
@blueww blueww added blob-storage bug Something isn't working labels Nov 22, 2023
@blueww
Copy link
Member

blueww commented Nov 24, 2023

This issue is already fixed by #2305.
Close as the fix is already released in 3.28.0.

@blueww blueww closed this as completed Nov 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@blueww blueww

Labels
blob-storage bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qc00 @blueww