Restriction for the access key id for s3.

MikhailBurdukov 2024-01-17 10:43:58 +00:00
parent 9d8290cc50
commit e2729ed4c9
3 changed files with 21 additions and 0 deletions


@ -24,6 +24,7 @@
#include <Common/logger_useful.h>
#include <Common/ProxyConfigurationResolverProvider.h>
#include <Common/re2.h>
#include <base/sleep.h>
@ -47,6 +48,7 @@ namespace ErrorCodes
{
extern const int LOGICAL_ERROR;
extern const int TOO_MANY_REDIRECTS;
extern const int BAD_ARGUMENTS;
}
namespace S3
@ -104,6 +106,20 @@ void verifyClientConfiguration(const Aws::Client::ClientConfiguration & client_c
assert_cast<const Client::RetryStrategy &>(*client_config.retryStrategy);
}
void validateCredentials(const Aws::Auth::AWSCredentials& auth_credentials)
{
if (auth_credentials.GetAWSAccessKeyId().empty())
{
return;
}
/// Follow https://docs.aws.amazon.com/IAM/latest/APIReference/API_AccessKey.html
const auto * ACCESS_KEY_ID_REGEX = R"(\w+)";
if (!re2::RE2::FullMatch(auth_credentials.GetAWSAccessKeyId(), ACCESS_KEY_ID_REGEX))
{
throw Exception(ErrorCodes::BAD_ARGUMENTS, "Access key id has invalid character");
}
}
void addAdditionalAMZHeadersToCanonicalHeadersList(
Aws::AmazonWebServiceRequest & request,
const HTTPHeaderEntries & extra_headers
@ -129,6 +145,7 @@ std::unique_ptr<Client> Client::create(
const ClientSettings & client_settings)
{
verifyClientConfiguration(client_configuration);
validateCredentials(credentials_provider->GetAWSCredentials());
return std::unique_ptr<Client>(
new Client(max_redirects_, std::move(sse_kms_config_), credentials_provider, client_configuration, sign_payloads, client_settings));
}
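Review bot: The call added in `Client::create` validates one snapshot from `credentials_provider->GetAWSCredentials()`, so credentials the provider returns later (refresh, rotation, another link in a provider chain) would not pass through `validateCredentials`. It may also force a credentials fetch at construction time, which is worth confirming is acceptable. `validateCredentials` inspects only the access key id; if the session token can be user-supplied too and is sent as a request header, it presumably needs the same character check. I would document the intent above the function, e.g. `/// Rejects access key ids containing anything other than [0-9A-Za-z_] (such as CR/LF); an empty id is allowed.`, and hold the pattern as `static const re2::RE2 access_key_id_regex(R"(\w+)");` so it is not recompiled on every call. The signature of `Client::create` begins outside the visible hunk.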


@ -0,0 +1,4 @@
select * from s3('http://localhost:11111/test/a.tsv', '\ninjection\n', 'admin'); -- { serverError 36 }
select * from deltaLake('http://localhost:11111/test/a.tsv', '\ninjection\n', 'admin'); -- { serverError 36 }
select * from hudi('http://localhost:11111/test/a.tsv', '\ninjection\n', 'admin'); -- { serverError 36 }
select * from iceberg('http://localhost:11111/test/a.tsv', '\ninjection\n', 'admin'); -- { serverError 36 }
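Review bot: All four added statements exercise the same input, an access key id wrapped in `\n`, passed inline to a table function, so the test pins only one rejected character and one way of supplying credentials. A case with another non-word character (for example `\r` or a space) and one with a well-formed key id that is expected to get past validation would guard the regex against both loosening and over-tightening. If credentials can also arrive through other paths, such as named collections or server configuration, those are presumably covered by the same `Client::create` check but are not demonstrated here.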