Skip to content

GET /object: only blacklist path instead of whitelisting a limited subset of params #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 4, 2025
Merged

GET /object: only blacklist path instead of whitelisting a limited subset of params #314

merged 3 commits into from
Sep 4, 2025

Conversation

@norrisng-bc
Copy link
Contributor

@norrisng-bc norrisng-bc commented Sep 4, 2025
edited
Loading

Description

This PR is a slight tweak to #312 .

When calling GET /object (search objects) without authentication, instead of whitelisting a limited subset of search parameters (bucketId, objectId, public, page, limit, sort), all parameters except for path are now allowed.

The other restrictions while no-auth remain; i.e. requiring a bucketId or objectId, ?public=true and redaction of some response fields.

No-auth object searches are already scoped by bucketId, so allowing other parameters is safe. However, path will still be blocked as it can potentially expose the underlying S3 bucket directory structure.

This allows the object filters in BCBox's <ObjectTable> to work without authentication (i.e. for displaying public folders).

Other tweaks:

  • Fix typos in the existing OpenAPI spec
  • GitHub Actions: temporarily disable Code Climate coverage, as Code Climate has turned their API off

https://apps.nrs.gov.bc.ca/int/jira/browse/SHOWCASE-3969

Types of changes

New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING doc
  • I have checked that unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

N/A

@norrisng-bc
Existing OpenAPI spec typos and fixes
3443857
@norrisng-bc
GET /object without auth: blacklist ?path only instead of whitelisting
75b5ec4 
No-auth search is already scoped by requiring a bucketId, so allowing the other params is safe.
`path` is still blocked though, as it can expose the underlying S3 directory structure.
@github-actions
Copy link

github-actions bot commented Sep 4, 2025

Coverage Report

Totals Coverage
Statements: 55.34% ( 3057 / 5524 )
Methods: 45.67% ( 332 / 727 )
Lines: 61.99% ( 1833 / 2957 )
Branches: 48.48% ( 892 / 1840 )

@TimCsaky TimCsaky merged commit 77991bb into master Sep 4, 2025
13 checks passed
@norrisng-bc norrisng-bc deleted the chore/get-public-noauth-block-path-param branch September 4, 2025 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TimCsaky TimCsaky TimCsaky approved these changes

@jatindersingh93 jatindersingh93 Awaiting requested review from jatindersingh93 jatindersingh93 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@norrisng-bc @TimCsaky