5

I'm building a web app that uses S3. In some of our operations, we're creating a file on S3 with a path that's directly dependent on user input, so an attacker might cause a file to be created on S3 with whichever path he wants.

Is there a way for an attacker to leverage this into an attack? (A few ideas that came to mind were using magic file names, or feeding very long paths, but if you have other ideas I'll be happy to hear them.)

If there's a serious possibility for a vulnerability, we'll consider redesigning the system.

Ram Rachum

2 Answers

4

The two possible vulnerabilities that come to mind are Path Traversal and XSS.

To protect against Path Traversal, validate the path input to make sure the user cannot change it to include characters such as .. or / or their encoded versions (e.g. %2e%2e). If they could, there is the possibility that your application (or the S3 API) would interpret the characters to be the parent or root folder.

For example, if the user was saving on S3 in their /foo folder and they set their folder name to ../bar/ you should make sure the file is not saved in /bar instead (which may be another user's folder).

XSS is only an issue if the domain is shared with any application code that uses cookies. Unlikely in this scenario, but thought I'd mention it just in case. This would also only really apply if the user could influence file content such as being able to include <script> tags and then reference the page as an HTML document that a user could be enticed to visit which would then transmit cookies to the attacker.

SilverlightFox
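The validation described in the answer above, sketched as an added example (not code from the original post or from any S3 SDK). The `users/<user_id>/` key layout, the function names, and the assumption that `user_id` comes from the authenticated session rather than from the request are all hypothetical. It also covers the long-path concern from the question by enforcing S3's 1024-byte limit on object keys.

```python
from urllib.parse import unquote

MAX_KEY_BYTES = 1024  # S3 limit on the UTF-8 length of an object key


class UnsafeName(ValueError):
    """Raised when a user-supplied name cannot be used as a key segment."""


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %252e%252e cannot hide a '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UnsafeName("too many layers of percent-encoding")


def safe_segment(raw):
    """Return raw as exactly one path segment, or raise UnsafeName."""
    name = fully_decode(raw)
    if name in ("", ".", ".."):
        raise UnsafeName("empty or dot segment")
    if "/" in name or "\\" in name:
        raise UnsafeName("path separator in name")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise UnsafeName("control character in name")
    return name


def build_key(user_id, folder, filename):
    """Build 'users/<user_id>/<folder>/<filename>'.

    user_id is assumed to come from the session (trusted);
    folder and filename are untrusted request input.
    """
    key = "/".join(["users", user_id, safe_segment(folder), safe_segment(filename)])
    if len(key.encode("utf-8")) > MAX_KEY_BYTES:
        raise UnsafeName("key exceeds S3 length limit")
    return key
```

Because every untrusted value is reduced to a single segment before joining, the resulting key always starts with the caller's own `users/<user_id>/` prefix, which is also the prefix an IAM or bucket policy can be scoped to.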
0

Without really diving into S3's API, here are a few possibilities.

  • Can the user overwrite files if he knows the path?
  • Can the user read files if he knows the path?
  • Can the user enumerate existing files? This might be an issue if the files are supposed to be private.

It's nothing that your application cannot handle with a small amount of code, but you have to really think through the edge cases.

  • The files are all publicly readable, so I think that takes care of the last 2 points. The user could overwrite files, but only within their user folder. – Ram Rachum Feb 24 '14 at 12:40