Danger run resulted in 1 warning; to find out more, see the checks page.

Generated by 🚫 dangerJS

@mtrezza I did 2 tests 😉 .

Hello people.

Let me know if I need to do anything else so that you can merge this PR.

I think we can merge. @mtrezza do you think it is good now?

Just my comment on the parameters table thread.

I have added the parameter to the table and and improved the descriptions.

Now I wonder if we should add an additional test that ensures that the presigned URL only presigns for a getObject operation. Given the implications of presigned URLs, if there is a change in the code the presigned URL could give wide access to the S3 bucket, as described in the docs.

What's your opinion on that?

This can really be a problem.

I tried to generate a URL without passing a key in the hope of gaining access to the entire bucket, but the AWS SDK throws an exception. I also tried to put only one prefix as a key to try to access an entire "folder" from within the bucket, but when I open the URL the answer is that the key does not exist.

So, in case you read the bucket or folder, I don't see it as a problem.

Now for the case of writing to a file (or overwriting, via putObject operation), according to the documentation it can be a problem, but I don't know if I did the tests correctly locally, but the generated URL has no "visible" information that references the operation it allows.

That said, I may be mistaken, but I only see 2 "options" (that can be done together):

1. Put a comment in the code saying that this operation should not be changed within this method;
2. Create a variable or constant and create a test to validate that it has the value (getObject);

They are just suggestions, let me know if something really needs to be done or if we should make my suggestions or if you have any other ideas?

My two concerns are:

• the Parse Server S3 Adapter code is changed and getObject is not set as allowed operation by mistake
• the AWS SDK has a breaking change in the future and after upgrade the operations parameter is ignored and needs to be supplied in a different way

To address this I suggest to:

• add a comment in our code
• add a test case to spy on a method deep enough in the AWS SDK, preferably after some validation if there is any, ensuring that it receives getObject as allowed operation

Hello.

Could you add the comment to the code?

Regarding the test, let me know if this test is enough for you: danielsanfr@8266a66 . If so, I'll make the git cherry-pick.

The operation check should be a separate test case with a description that explains specifically what it is testing, to give this more significance.

Also, can you spy on a method within the S3 adapter and just call through or mock it?

The comment can just be a simple one that explains why the operation is specified and removing it can provide broad access to the S3 bucket, maybe with a like to the AWS S3 docs security section where this is explained.

Hello guys. I hope everyone is okay.

@mtrezza, I separated the test for the operation used and added the comment about security concerns in the code. I don't know how to "spy" on a method inside the S3 library, and I sincerely believe that it is not necessary.

I wonder if you can approve this PR or we still need to make more changes?

@danielsanfr Apologies for the long wait time, I have overlooked this in my notifications.

@danielsanfr I have been using this branch on my project, and it's working well. Thanks for your efforts!!

@danielsanfr Could you address the open questions so we can merge this? I think there is just some minor refactoring left.

@danielsanfr @dblythy Could anyone do this minor refactor? Then we can merge this feature and make is available officially. And the PR needs a rebase I think.

any updates on this? we really need this since its an important security feature for file downloads.

Would you want to create a new PR based on this PR and address the changes mentioned above?

Just opened a PR here #180. I branched off this and refactored the one test you mentioned, let me know if i need to change anything else to get this through 👍