fix(s3): map ListDirectoryBuckets to s3express, not s3:ListBuckets #1929
Merged
Conversation
A directory-bucket listing (GET /?x-id=ListDirectoryBuckets) was detected by the auth action mapper as s3:ListBuckets, so under --iam a policy granting s3:ListBuckets wrongly permitted directory-bucket enumeration, and a policy granting only s3express:ListAllMyDirectoryBuckets was wrongly denied (the router already dispatched the request correctly; only the auth action string was wrong). s3_detect_action now returns ListAllMyDirectoryBuckets for that request and iam_action_for maps it to the s3express service prefix (bug-hunt 2026-06-24, 5.5).
Summary (5.5, auth-when-enabled)

A directory-bucket listing (`GET /?x-id=ListDirectoryBuckets`) was detected by the auth action mapper as `s3:ListBuckets`. Under `--iam` that meant a policy granting `s3:ListBuckets` wrongly permitted directory-bucket enumeration, and a policy granting only `s3express:ListAllMyDirectoryBuckets` was wrongly denied. (The router already dispatched the request correctly to `list_directory_buckets`; only the auth action string was wrong.) `s3_detect_action` now returns `ListAllMyDirectoryBuckets` for that request, and `iam_action_for` maps it to the `s3express` service prefix.

Non-code surface

Auth action-mapping correctness; no new API surface. No SDK/docs/metadata change applies (checked).

Test plan

`list_directory_buckets_is_distinct_from_list_buckets` (directory listing → `ListAllMyDirectoryBuckets`; plain `GET /` → `ListBuckets`). `cargo test -p fakecloud-s3 --lib` passes; clippy clean.

Summary by cubic

Fixes S3 auth mapping for directory-bucket listings.

`GET /?x-id=ListDirectoryBuckets` now maps to `s3express:ListAllMyDirectoryBuckets` instead of `s3:ListBuckets`, correcting allow/deny behavior under `--iam`. `ListAllMyDirectoryBuckets` with the `s3express` prefix. `ListDirectoryBuckets` distinct from `ListBuckets`.

Written for commit ae1933f. Summary will update on new commits.
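The mapping this PR fixes, shown end to end as an added illustration (not fakecloud-s3's own code; the function and enum names `detect_action`, `detect_action_pre_fix`, `iam_action`, `is_allowed` and `S3Action` are hypothetical stand-ins for the project's `s3_detect_action` and `iam_action_for`). It shows why the two action strings must be distinct: under a default-deny allow-list, a policy holding only `s3:ListBuckets` must not permit the directory-bucket listing, and one holding only `s3express:ListAllMyDirectoryBuckets` must permit it. The pre-fix detector is included beside the corrected one so the distinctness test from the PR's test plan can be seen failing against the old behaviour.

```rust
// Added illustration, not fakecloud-s3 code. All names here are hypothetical.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum S3Action {
    ListBuckets,
    ListAllMyDirectoryBuckets,
    Unknown,
}

/// Pull the `x-id` value out of a raw query string such as
/// "x-id=ListDirectoryBuckets&foo=bar" (constructed format for the example).
fn x_id_param(query: &str) -> Option<&str> {
    query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "x-id")
        .map(|(_, v)| v)
}

/// Pre-fix behaviour described in the PR: every `GET /` is treated as
/// ListBuckets, so the directory-bucket listing collapses into it.
pub fn detect_action_pre_fix(method: &str, path: &str, _query: &str) -> S3Action {
    if method == "GET" && path == "/" {
        S3Action::ListBuckets
    } else {
        S3Action::Unknown
    }
}

/// Corrected detection: a bare `GET /` is ListBuckets, while
/// `GET /?x-id=ListDirectoryBuckets` is the directory-bucket listing.
pub fn detect_action(method: &str, path: &str, query: &str) -> S3Action {
    if method != "GET" || path != "/" {
        return S3Action::Unknown;
    }
    match x_id_param(query) {
        Some("ListDirectoryBuckets") => S3Action::ListAllMyDirectoryBuckets,
        None => S3Action::ListBuckets,
        Some(_) => S3Action::Unknown,
    }
}

/// Map a detected action to the IAM action string a policy is matched
/// against. Directory-bucket operations use the `s3express` service prefix.
pub fn iam_action(action: S3Action) -> Option<&'static str> {
    match action {
        S3Action::ListBuckets => Some("s3:ListBuckets"),
        S3Action::ListAllMyDirectoryBuckets => Some("s3express:ListAllMyDirectoryBuckets"),
        S3Action::Unknown => None,
    }
}

/// Minimal default-deny evaluation: the request is allowed only if its
/// IAM action string is in the granted set.
pub fn is_allowed(granted: &[&str], method: &str, path: &str, query: &str) -> bool {
    match iam_action(detect_action(method, path, query)) {
        Some(a) => granted.contains(&a),
        None => false,
    }
}

fn main() {
    let only_s3 = ["s3:ListBuckets"];
    let only_s3express = ["s3express:ListAllMyDirectoryBuckets"];
    let dir_query = "x-id=ListDirectoryBuckets";
    println!(
        "s3:ListBuckets policy, directory listing -> {}",
        is_allowed(&only_s3, "GET", "/", dir_query)
    );
    println!(
        "s3express policy, directory listing -> {}",
        is_allowed(&only_s3express, "GET", "/", dir_query)
    );
    println!(
        "pre-fix detector saw: {:?}",
        detect_action_pre_fix("GET", "/", dir_query)
    );
}
```

The pre-fix detector returns `ListBuckets` for the directory listing, which is exactly the confusion the PR describes: with that mapping an `s3:ListBuckets` grant would evaluate to allow for the directory-bucket request, and an `s3express:ListAllMyDirectoryBuckets` grant would never match.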