s3proxy: add allow-multipart flag (#2420)

This flag allows users to control wether multipart uploads are blocked or allowed. At the moment s3proxy doesn't encrypt multipart uploads, so there is a potential for inadvertent data leakage. With this flag the default behavior is changed to a more secure default one: block multipart uploads. The previous behavior can be enabled by setting allow-multipart.
2025-08-06 05:54:28 -04:00 · 2023-10-09 15:18:12 +02:00 · 2023-10-09 15:18:12 +02:00 · c603b547db
commit c603b547db
parent 005e865a13
5 changed files with 253 additions and 151 deletions
--- a/s3proxy/cmd/main.go
+++ b/s3proxy/cmd/main.go
@ -49,6 +49,10 @@ func main() {

 	logger := logger.New(logger.JSONLog, logger.VerbosityFromInt(flags.logLevel))

+	if flags.forwardMultipartReqs {
+		logger.Warnf("configured to forward multipart uploads, this may leak data to AWS")
+	}
+
 	if err := runServer(flags, logger); err != nil {
 		panic(err)
 	}
@ -57,7 +61,7 @@ func main() {
 func runServer(flags cmdFlags, log *logger.Logger) error {
 	log.With(zap.String("ip", flags.ip), zap.Int("port", defaultPort), zap.String("region", flags.region)).Infof("listening")

-	router, err := router.New(flags.region, flags.kmsEndpoint, log)
+	router, err := router.New(flags.region, flags.kmsEndpoint, flags.forwardMultipartReqs, log)
 	if err != nil {
 		return fmt.Errorf("creating router: %w", err)
 	}
@ -96,6 +100,7 @@ func parseFlags() (cmdFlags, error) {
 	region := flag.String("region", defaultRegion, "AWS region in which target bucket is located")
 	certLocation := flag.String("cert", defaultCertLocation, "location of TLS certificate")
 	kmsEndpoint := flag.String("kms", "key-service.kube-system:9000", "endpoint of the KMS service to get key encryption keys from")
+	forwardMultipartReqs := flag.Bool("allow-multipart", false, "forward multipart requests to the target bucket; beware: this may store unencrypted data on AWS. See the documentation for more information")
 	level := flag.Int("level", defaultLogLevel, "log level")

 	flag.Parse()
@ -112,21 +117,23 @@ func parseFlags() (cmdFlags, error) {
 	// }

 	return cmdFlags{
-		noTLS:        *noTLS,
-		ip:           netIP.String(),
-		region:       *region,
-		certLocation: *certLocation,
-		kmsEndpoint:  *kmsEndpoint,
-		logLevel:     *level,
+		noTLS:                *noTLS,
+		ip:                   netIP.String(),
+		region:               *region,
+		certLocation:         *certLocation,
+		kmsEndpoint:          *kmsEndpoint,
+		forwardMultipartReqs: *forwardMultipartReqs,
+		logLevel:             *level,
 	}, nil
 }

 type cmdFlags struct {
-	noTLS        bool
-	ip           string
-	region       string
-	certLocation string
-	kmsEndpoint  string
+	noTLS                bool
+	ip                   string
+	region               string
+	certLocation         string
+	kmsEndpoint          string
+	forwardMultipartReqs bool
 	// TODO(derpsteb): enable once we are on go 1.21.
 	// logLevel slog.Level
 	logLevel int