[sec] Match ${aws:username} exactly instead of prefix match #7791
Conversation
This is a high-priority fix @aead @kannappanr, and we need to make a security release.
This PR fixes a security issue where an IAM user, based on his policy, is granted more privileges than restricted by the user's IAM policy. This is due to an issue in the prefix-based Matcher() function, which was incorrectly matching based on resource prefixes instead of an exact match.
Nice finding @harshavardhana 👍
Mint Automation
7791-eff12a2/mint-large-bucket.sh.log:
7791-eff12a2/mint-dist-xl.sh.log:
7791-eff12a2/mint-compression-fs.sh.log:
Tested. LGTM
Was doing some testing, there is some issue (might not be related to this fix):
observe the entry:
Need to see how it can be reproduced.
This is already fixed @krishnasrinivas, we made a release after this fix (b4ab778). You are on old commits...
Codecov Report
@@ Coverage Diff @@
## master #7791 +/- ##
=========================================
+ Coverage 45.89% 46.29% +0.4%
=========================================
Files 284 300 +16
Lines 48016 48359 +343
=========================================
+ Hits 22038 22390 +352
+ Misses 23910 23887 -23
- Partials 2068 2082 +14
Continue to review full report at Codecov.
Description
[sec] Match ${aws:username} exactly instead of prefix match
Motivation and Context
This PR fixes a security issue where an IAM user, based on his policy, is granted more privileges than restricted by the user's IAM policy. This is due to an issue in the prefix-based Matcher() function, which was incorrectly matching based on resource prefixes instead of an exact match.
Regression
No, this bug was introduced in the IAM implementation PR 54ae364.
How Has This Been Tested?
Using the following reproducer
usernamepolicy.json
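The following Go program is an added illustration of the class of bug this PR describes, not code from MinIO or from this PR. It models a per-user policy whose Resource patterns carry ${aws:username}, and contrasts two matchers: a prefix matcher that treats the substituted pattern as a prefix of the requested resource (an assumed simplification of the behaviour the PR fixes, not MinIO's actual Matcher()), and a fixed matcher that substitutes the variable and then requires a full wildcard match. The policy, the user "alice", the bucket names and the function names are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy holds the Resource patterns of one IAM statement; patterns may carry
// ${aws:username}, substituted with the authenticated user before matching.
type Policy struct {
	Resources []string
}

// Matcher decides whether an unsubstituted pattern covers resource for username.
type Matcher func(pattern, username, resource string) bool

// substituteUsername resolves ${aws:username}; other variables are out of scope here.
func substituteUsername(pattern, username string) string {
	return strings.ReplaceAll(pattern, "${aws:username}", username)
}

// globMatch: '*' matches any run of bytes (including '/'), '?' exactly one byte,
// everything else byte for byte. A pattern without metacharacters therefore
// matches only the identical string, i.e. exact match as the PR title asks.
func globMatch(pattern, name string) bool {
	p, n := 0, 0
	starP, starN := -1, -1
	for n < len(name) {
		switch {
		case p < len(pattern) && (pattern[p] == '?' || pattern[p] == name[n]):
			p++
			n++
		case p < len(pattern) && pattern[p] == '*':
			starP, starN = p, n // remember the star, try matching zero bytes first
			p++
		case starP >= 0:
			p = starP + 1 // backtrack: let the last star swallow one more byte
			starN++
			n = starN
		default:
			return false
		}
	}
	for p < len(pattern) && pattern[p] == '*' {
		p++
	}
	return p == len(pattern)
}

// PrefixMatchVulnerable models the broken behaviour (assumed shape, not MinIO's
// code): the substituted pattern minus any trailing '*' is treated as a prefix,
// so arn:aws:s3:::${aws:username} also covers every bucket whose name merely
// begins with the username.
func PrefixMatchVulnerable(pattern, username, resource string) bool {
	prefix := strings.TrimSuffix(substituteUsername(pattern, username), "*")
	return strings.HasPrefix(resource, prefix)
}

// ExactMatchFixed substitutes the variable, then requires a full wildcard match,
// so only an explicit '*' or '?' written in the policy widens the grant.
func ExactMatchFixed(pattern, username, resource string) bool {
	return globMatch(substituteUsername(pattern, username), resource)
}

// Allows reports whether any Resource pattern covers resource under matcher m.
func (pol Policy) Allows(m Matcher, username, resource string) bool {
	for _, r := range pol.Resources {
		if m(r, username, resource) {
			return true
		}
	}
	return false
}

// OverGranted lists resources the vulnerable matcher allows but the fixed one
// denies: the privilege-escalation surface for this user.
func OverGranted(pol Policy, username string, resources []string) []string {
	var extra []string
	for _, res := range resources {
		if pol.Allows(PrefixMatchVulnerable, username, res) && !pol.Allows(ExactMatchFixed, username, res) {
			extra = append(extra, res)
		}
	}
	return extra
}

// Constructed per-user policy: each user may touch the bucket named after them
// and the objects inside it.
var PerUserPolicy = Policy{Resources: []string{
	"arn:aws:s3:::${aws:username}",
	"arn:aws:s3:::${aws:username}/*",
}}

// Constructed input: alice's own bucket and object, another user's bucket whose
// name merely starts with "alice", and bob's bucket.
var SampleResources = []string{
	"arn:aws:s3:::alice",
	"arn:aws:s3:::alice/report.csv",
	"arn:aws:s3:::alice-private",
	"arn:aws:s3:::alice-private/secret.txt",
	"arn:aws:s3:::bob",
}

func main() {
	for _, res := range SampleResources {
		fmt.Printf("%-40s prefix=%-5v exact=%v\n", res,
			PerUserPolicy.Allows(PrefixMatchVulnerable, "alice", res),
			PerUserPolicy.Allows(ExactMatchFixed, "alice", res))
	}
	fmt.Println("over-granted:", OverGranted(PerUserPolicy, "alice", SampleResources))
}
```

Running it as alice shows the two alice-private resources allowed by the prefix matcher and denied by the exact matcher, while alice's own bucket and object are allowed by both and bob's bucket by neither. The check worth keeping from this is the OverGranted-style comparison: when touching a resource matcher, run the old and new matcher side by side over real policies and a list of neighbouring resource names and assert the difference is empty, which would have caught this regression before release.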