[BUG] Missing 403 error response for Static Website #69
Comments
Great first issue! This has been merged in :)
Released in 0.2.15 https://pypi.org/project/aws-prototyping-sdk.static-website/0.2.15/
I am going to have to revert this change as it can lead to the accidental leakage of information from the index.html page which otherwise would be blocked by WAF. Please re-implement your original workaround if using PDK v > 0.5
BREAKING CHANGE: Removing default error page for 403 as it can lead to the accidental leakage of information from the index.html page which otherwise would be blocked by WAF.
@agdimech Thanks for the heads up. Can you elaborate on the accidental leakage of information? Is there a better way to configure CloudFront or S3 to respond with a 404 instead of a 403 for an object that doesn't exist?
It actually is more of a problem when enabling WAF. For example, if I restrict the website to only be accessible via certain CIDRs then WAF will BLOCK all resources from the server. With this said, WAF still interrogates CloudFront to see if any error responses are defined for a 403, in which case the default root page (index.html) is returned, which could potentially contain sensitive information. By reverting this change, the user takes on the onus of being explicit about how they want to handle these types of error scenarios, by either relying on the default error page WAF displays or by configuring a custom error page. I did a quick google and found this in relation to the 403/404 being returned from Are you able to please test to see if adding the ListBucket permission to the OAI changes the behaviour to return a 404 instead of a 403?
@agdimech I'd be happy to, but I don't know how to do that in the CDK, esp. with this construct. For context, I had to look up what WAF, CIDR, and OAI refer to. 😅 Can you point me in the right direction? Here's what I think is the relevant bit from my stack:

```python
# Imports were not in the original snippet; the static_website module path is assumed
from pathlib import Path

from aws_cdk import aws_cloudfront as cloudfront
from aws_prototyping_sdk import static_website

# Generated Nuxt output (npm run generate), located relative to this stack file
dist_path = Path(__file__).parent / ".." / ".." / "frontend" / "dist"
self.website = static_website.StaticWebsite(
    self,
    "StaticWebsite",
    website_content_path=str(dist_path.resolve()),
    distribution_props=cloudfront.DistributionProps(
        # Per the docs, default_behavior.origin is required, but ignored
        default_behavior=cloudfront.BehaviorOptions(
            origin=static_website.StaticWebsiteOrigin()
        ),
        domain_names=[self.domain_name],
        certificate=self.certificate,
    ),
)
```
Sorry for the delay. The permissions will need to be applied to the BucketPolicy of the S3 Bucket hosting your website. So to verify, please manually add s3:ListBucket to the Bucket Policy from the AWS console and let me know. If it works for you then I can make a code change within this package to enable it by default. Here is what your updated policy should resemble:

@bhrutledge - any progress on this?
I have tested this myself and confirm the s3 permissions change resolves this issue, so now routes which do not exist in the bucket are returned as a 404 instead of a 403. Pushing a PR shortly to resolve this issue.
This has been resolved. There is no longer a need for custom error responses for 403.
Thank you! I haven't been working on the project where I use this, but I will be soon, and I'm looking forward to trying this out.
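As an added example (not code from this issue or from the PDK), the two checks the thread turns on, written in Python against constructed sample policies: whether the bucket policy grants the OAI `s3:ListBucket` (which is what turns S3's 403 for a missing key into a 404), and whether a CloudFront `error_responses` entry rewrites 403 to a page, so that a WAF BLOCK (also a 403) would be answered with that page. The bucket name and OAI ARN are placeholders.

```python
# Added example: audit an S3 bucket policy for the OAI permissions discussed above and
# predict the status S3 returns for a key that does not exist. Names below are constructed.
BUCKET = "example-website-bucket"  # constructed sample bucket name
OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"  # constructed

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def oai_s3_actions(policy: dict, bucket: str, oai_arn: str) -> set:
    """Return the S3 actions the OAI is allowed on the bucket ARN and on its objects."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or oai_arn not in principals:
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt.get("Action", [])):
            if action == "s3:ListBucket" and f"arn:aws:s3:::{bucket}" in resources:
                allowed.add(action)
            elif action == "s3:GetObject" and f"arn:aws:s3:::{bucket}/*" in resources:
                allowed.add(action)
    return allowed

def missing_object_status(policy: dict, bucket: str, oai_arn: str) -> int:
    """HTTP status S3 gives the OAI for a key that does not exist.
    Per the S3 GetObject documentation, a caller without s3:ListBucket gets 403 AccessDenied
    (S3 does not reveal whether the key exists); with it, the caller gets 404 NoSuchKey."""
    actions = oai_s3_actions(policy, bucket, oai_arn)
    if "s3:GetObject" not in actions:
        return 403
    return 404 if "s3:ListBucket" in actions else 403

def leaks_root_on_block(error_responses: list) -> bool:
    """True if a CloudFront error_responses entry rewrites 403 to a page: a WAF BLOCK
    (also a 403) would then be answered with that page's content, e.g. index.html."""
    return any(r.get("http_status") == 403 and r.get("response_page_path")
               for r in error_responses)

# Constructed sample policies: the original (GetObject only) and the fixed one (+ ListBucket).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OAI}, "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OAI}, "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]}
```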
Describe the bug
The Python `static_website` construct doesn't route 403 AccessDenied errors to the root object. This is with a Nuxt SPA built via `npm run generate` prior to running `cdk deploy`.

Expected Behavior
Getting the Nuxt 404 page when accessing a route that doesn't exist.

Current Behavior
Getting an AWS error:

Reproduction Steps
Here's the CDK stack that I created:

Possible Solution
Add a 403 error response similar to the 404 response:
https://github.com/aws/aws-prototyping-sdk/blob/f5bc84ea236daef727b989d288c75fa4d5b33668/packages/static-website/src/static-website.ts#L169-L174
Change the configuration to avoid the AccessDenied error

Additional Information/Context
I added a 403 response manually via the CloudFront console, and got the expected behavior (i.e. the Nuxt 404 page).
I was able to accomplish the same thing by overriding `error_responses`:

PDK version used
aws-prototyping-sdk.static-website==0.2.10

What languages are you seeing this issue on?
Python

Environment details (OS name and version, etc.)
macOS 12.4