Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

generatePreSignedURL should restrict access to ceremonies buckets only #309

Closed
ctrlc03 opened this issue Feb 1, 2023 · 0 comments · Fixed by #310
Closed

generatePreSignedURL should restrict access to ceremonies buckets only #309

ctrlc03 opened this issue Feb 1, 2023 · 0 comments · Fixed by #310
Assignees
@ctrlc03
Labels
bug 🪲 Something isn't working Medium Priority ⏰
Milestone
[E1 - MS2] Write ...

Comments

@ctrlc03
Copy link

ctrlc03 commented Feb 1, 2023
edited
Loading

Currently, the generatePreSignedURL cloud function allows to generate a pre-signed URL for any bucket/object combination.

Buckets are used to store ceremonies data only, and are named:

  • ceremony prefix-ceremony postifx e.g. maci-ceremony-small-mpc-dev

A possible solution could be to use the bucket name (passed in as parameter to the cloud function) to retrieve the ceremony prefix (this requires the postfix to be added in the .env of the backend package). With the ceremony prefix we can query the ceremonies collection to see if any ceremony is in the db with this prefix. If there is a match, then we generate the pre-signed URL. No checks on the object key is done as any object stored inside the bucket should not be sensitive (circuits data, zkeys, etc.).

This prevents users to get pre-signed URLs for any bucket/object combination within the coordinator AWS account, if any.
@ctrlc03 ctrlc03 added bug 🪲 Something isn't working Medium Priority ⏰ labels Feb 1, 2023
@ctrlc03 ctrlc03 self-assigned this Feb 1, 2023
ctrlc03 added a commit to ctrlc03/mpc-phase2-suite that referenced this issue Feb 1, 2023
@ctrlc03
fix(generategetobjectpresignedurl): implemented changes to restrict a…
388caac 
…rbitrary access

Implemented changes to the generateGetObjectPreSignedUrl cloud function to prevent creation of
pre-signed URLs for arbitrary objects.

fix quadratic-funding#309
@ctrlc03 ctrlc03 mentioned this issue Feb 1, 2023
Merged
@ctrlc03 ctrlc03 linked a pull request Feb 1, 2023 that will close this issue
fix(generategetobjectpresignedurl): implemented changes to restrict arbitrary access #310
Merged
@0xjei 0xjei closed this as completed Feb 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ctrlc03 ctrlc03

Labels
bug 🪲 Something isn't working Medium Priority ⏰
Projects
None yet
Milestone
[E1 - MS2] Write Tests (>=90%)
2 participants
@0xjei @ctrlc03