
Security concern in direct browser uploads to S3

The main security concern in direct JS browser uploads to S3 is that users will store their S3 credentials on the client side.

To mitigate this risk, the S3 documentation recommends using short-lived keys generated by an intermediate server:

  1. A file is selected for upload by the user in their web browser.
  2. The user's browser makes a request to your server, which produces a temporary signature with which to sign the upload request.
  3. The temporary signed request is returned to the browser in JSON format.
  4. The browser then uploads the file directly to Amazon S3 using the signed request supplied by your server.

The problem with this flow is that I don't see how it helps in the case of public uploads.

Suppose my upload page is publicly available. That means the server API endpoint that generates the short-lived key needs to be public as well. A malicious user could then just find the address of the API endpoint and hit it every time they want to upload something. The server has no way of knowing if the request came from a real user on the upload page or from any other place.

Yeah, I could check the domain on the request coming in to the API, and validate it, but the domain can be easily spoofed (when the request is not coming from a browser client).

Is this whole thing even a concern? The main risk is someone abusing my S3 account and uploading stuff to it. Are there other concerns that I need to know about? Can this be mitigated somehow?

Suppose my upload page is publicly available. That means the server API endpoint that generates the short-lived key needs to be public as well. A malicious user could then just find the address of the API endpoint and hit it every time they want to upload something. The server has no way of knowing if the request came from a real user on the upload page or from any other place.

If that concerns you, you would require your users to log in to your website somehow, and serve the API endpoint behind the same server-side authentication service that handles your login process. Then only authenticated users would be able to upload files.

You might also want to look into S3 pre-signed URLs.
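Putting the answer's two suggestions together, as an added example that is not code from the question or the answer: the signing endpoint refuses anonymous callers, scopes the object key to the logged-in user, clamps the lifetime to five minutes, and returns a SigV4 query-string presigned PUT URL computed with the standard library only (the same scheme the AWS SDKs' presigned-URL helpers produce). The access key, secret, bucket, region and the `session` dict are constructed placeholders.

```python
import hmac, hashlib, datetime, urllib.parse

# Constructed placeholders, not real AWS credentials or a real bucket.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "exampleSecretKey/NotReal"
REGION = "us-east-1"
BUCKET = "example-upload-bucket"
MAX_TTL = 300  # seconds; a short window limits how long a leaked URL is usable

def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presigned_put_url(key, now, ttl=MAX_TTL):
    """Build a SigV4 presigned PUT URL for one object key (UNSIGNED-PAYLOAD)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    host = f"{BUCKET}.s3.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(min(ttl, MAX_TTL)),  # never longer than MAX_TTL
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items()))
    canonical_uri = "/" + urllib.parse.quote(key, safe="/-_.~")
    canonical_request = "\n".join(["PUT", canonical_uri, canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _sign(("AWS4" + SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _sign(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"

def sign_upload(session, filename, now=None):
    """Endpoint logic: only logged-in users get a URL, and only for their own prefix."""
    user = session.get("user_id")  # assumed to be set by the site's login middleware
    if not user:
        raise PermissionError("login required")
    safe_name = filename.rsplit("/", 1)[-1]  # drop any path so the key stays under the user's prefix
    key = f"uploads/{user}/{safe_name}"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return {"key": key, "url": presigned_put_url(key, now)}
```

The browser PUTs the file body to `url`; S3 rejects the request once `X-Amz-Expires` has elapsed or if the key or method differs from what was signed.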
