
fix: disallow invalid x-amz-security-token for root credentials #13388

Merged: 2 commits into minio:master on Oct 10, 2021

Conversation

harshavardhana (Member)

Description

fix: disallow invalid x-amz-security-token for root credentials

Motivation and Context

fixes #13335

This was a regression added in #12947 when this part of the
code was refactored to avoid privilege issues with service
accounts with session policy.

How to test this PR?

Just do

MC_HOST_local=http://minio:minio123:tk@localhost:9000/ mc ls local/

This does not fail on the master branch, but it should fail with this fix.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Commit messages:

fixes minio#13335

This was a regression added in minio#12947 when this part of the
code was refactored to avoid privilege issues with service
accounts with session policy.
- AssumeRoleWithCertificate was not mapping to correct
  policies even after successfully generating keys, since
  the claims associated with this API were never looked up
  properly. Ensure that policies are set appropriately.

- GetUser() API was not loading policies correctly based
  on AccessKey based mapping which is true with OpenID
  and AssumeRoleWithCertificate API.
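The rule in the PR title, written out as an added illustrative example (this is not MinIO's code and does not reproduce its internals): a credential that was never issued with a session token, such as the root key, must reject any request that carries an X-Amz-Security-Token, while a temporary credential must present exactly the token it was issued with. The in-memory store, the Credential type, the checkSecurityToken function and the STSKEY credential are assumptions made for the example; the root key minio/minio123 and the token tk come from the test command above.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Credential models only the fields that matter for the session-token check.
// Illustrative type; it is not MinIO's own credentials struct.
type Credential struct {
	AccessKey    string
	SecretKey    string
	SessionToken string // empty for the root credential and any other static key
	IsRoot       bool
}

// Constructed credential store (assumed data, not from the PR): the root key
// used in the PR's test command, plus one temporary credential that was
// issued together with a session token.
var store = map[string]Credential{
	"minio":  {AccessKey: "minio", SecretKey: "minio123", IsRoot: true},
	"STSKEY": {AccessKey: "STSKEY", SecretKey: "tmpsecret", SessionToken: "eyJhbGciOi.example.token"},
}

var (
	ErrUnknownAccessKey = errors.New("InvalidAccessKeyId")
	ErrInvalidToken     = errors.New("InvalidToken: x-amz-security-token does not belong to this credential")
	ErrMissingToken     = errors.New("InvalidToken: temporary credential requires x-amz-security-token")
)

// checkSecurityToken resolves the presented access key and validates the
// X-Amz-Security-Token header against the stored credential. The first case
// is the fix the PR title describes: a static credential has no session
// token, so a request that attaches one is rejected instead of being accepted
// as if the token were not there. The remaining cases cover temporary
// credentials, which must present exactly the token they were issued with.
func checkSecurityToken(accessKey, presentedToken string) (Credential, error) {
	cred, ok := store[accessKey]
	if !ok {
		return Credential{}, ErrUnknownAccessKey
	}
	switch {
	case cred.SessionToken == "" && presentedToken != "":
		// Root or other static key with a token attached: reject.
		return Credential{}, ErrInvalidToken
	case cred.SessionToken != "" && presentedToken == "":
		return Credential{}, ErrMissingToken
	case cred.SessionToken != "" &&
		subtle.ConstantTimeCompare([]byte(cred.SessionToken), []byte(presentedToken)) != 1:
		// Compare in constant time so a wrong token cannot be probed byte by byte.
		return Credential{}, ErrInvalidToken
	}
	return cred, nil
}

func main() {
	// First row is the PR's reproduction: MC_HOST_local=http://minio:minio123:tk@...
	// hands the server access key "minio" with session token "tk".
	cases := []struct{ ak, tok string }{
		{"minio", "tk"},
		{"minio", ""},
		{"STSKEY", "eyJhbGciOi.example.token"},
		{"STSKEY", ""},
		{"STSKEY", "wrong"},
		{"nobody", ""},
	}
	for _, c := range cases {
		_, err := checkSecurityToken(c.ak, c.tok)
		fmt.Printf("access key %-8q token %-28q -> %v\n", c.ak, c.tok, err)
	}
}
```

Only the first branch is the regression this PR addresses; the other branches are there so the check is complete for the temporary credentials that STS APIs such as AssumeRoleWithCertificate hand out.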
@minio-trusted (Contributor)

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-zoned.sh ✔️
mint-gateway-nas.sh ✔️
mint-compress-encrypt-dist-erasure.sh ✔️

@harshavardhana harshavardhana merged commit 8d52c7d into minio:master Oct 10, 2021
8 checks passed
@harshavardhana harshavardhana deleted the cred-ucre branch October 10, 2021 05:00
@harshavardhana (Member, Author)

Taking this PR in since we have to make a release as we have had a broken AssumeRoleWithCertificate API.

@kevinlul

I'd like some further insight into what happened with CVE-2021-41137/GHSA-v64v-g97p-577c since the security issue introduced was severe (permissions and policies simply didn't matter). So what happened was, under time pressure to release a new version to correct a different regression, the lead maintainer unilaterally merged this pull request over the weekend without code reviews and released a new version, introducing the vulnerability?

@harshavardhana (Member, Author)

I'd like some further insight into what happened with CVE-2021-41137/GHSA-v64v-g97p-577c since the security issue introduced was severe (permissions and policies simply didn't matter). So what happened was, under time pressure to release a new version to correct a different regression, the lead maintainer unilaterally merged this pull request over the weekend without code reviews and released a new version, introducing the vulnerability?

That is correct @kevinlul

Linked issue: security_token not checked

3 participants