Description
As you mentioned, it is a server problem; refer to minio/minio#11843
I took a closer look at the changes in #11843, and I'm not convinced that the additional round-trip via the github.com/bcicen/jstream library actually addresses this security issue.
See this Go playground example: https://play.golang.org/p/h50SFkPZsps
Using the equivalent sanitizePolicy and parsePostPolicyForm functions, the resulting decoded rawPolicy only contains the []interface {}{"eq", "$bucket", "evil"} condition injected via the attacker-controlled key field. The ["eq","$bucket","good"] present in the original conditions is missing:
input policy: {"expiration":"2021-03-22T09:16:21.310Z","conditions":[["eq","$bucket","good"],["eq","$key","hello.txt"]],"conditions":[["eq","$bucket","evil"],["eq","$key","hello.txt"],["eq","$success_action_status","201"],["eq","$Content-Type","plain/text"],["eq","$success_action_status","201"],["eq","$x-amz-algorithm","AWS4-HMAC-SHA256"],["eq","$x-amz-credential","Q3AM3UQ867SPQQA43P2F/20210315/us-east-1/s3/aws4_request"],["eq","$x-amz-date","20210315T091621Z"]]}
sanitized policy: {"conditions":[["eq","$bucket","evil"],["eq","$key","hello.txt"],["eq","$success_action_status","201"],["eq","$Content-Type","plain/text"],["eq","$success_action_status","201"],["eq","$x-amz-algorithm","AWS4-HMAC-SHA256"],["eq","$x-amz-credential","Q3AM3UQ867SPQQA43P2F/20210315/us-east-1/s3/aws4_request"],["eq","$x-amz-date","20210315T091621Z"]],"expiration":"2021-03-22T09:16:21.310Z"}
decoded policy: main.Policy{Expiration:"2021-03-22T09:16:21.310Z", Conditions:[]interface {}{[]interface {}{"eq", "$bucket", "evil"}, []interface {}{"eq", "$key", "hello.txt"}, []interface {}{"eq", "$success_action_status", "201"}, []interface {}{"eq", "$Content-Type", "plain/text"}, []interface {}{"eq", "$success_action_status", "201"}, []interface {}{"eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"}, []interface {}{"eq", "$x-amz-credential", "Q3AM3UQ867SPQQA43P2F/20210315/us-east-1/s3/aws4_request"}, []interface {}{"eq", "$x-amz-date", "20210315T091621Z"}}}
AFAIK the updated minio server would still be exploitable via this kind of attack, allowing uploads to the wrong bucket/key.
Originally posted by @SpComb in minio/minio-java#1174 (comment)
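The failure mode described in the comment above is a JSON document whose top-level object carries the "conditions" member twice: re-encoding and then decoding it keeps only the last copy, so the injected condition silently replaces the original one. The following is an added example (not MinIO's code, not the jstream-based fix from #11843) showing the defensive check a server can apply before decoding: walk the token stream with encoding/json's Decoder and reject any object that repeats a member name. The Policy struct, the function names and the two sample policies are constructed for this example; the samples mirror the shape of the report's input but are shortened.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// dupPolicy is a constructed sample modelled on the report: "conditions"
// appears twice, and the second copy swaps the bucket from "good" to "evil".
const dupPolicy = `{"expiration":"2021-03-22T09:16:21.310Z","conditions":[["eq","$bucket","good"]],"conditions":[["eq","$bucket","evil"]]}`

// cleanPolicy is a constructed well-formed policy with a single "conditions" member.
const cleanPolicy = `{"expiration":"2021-03-22T09:16:21.310Z","conditions":[["eq","$bucket","good"]]}`

// Policy is a hypothetical minimal post-policy document (not MinIO's type).
type Policy struct {
	Expiration string        `json:"expiration"`
	Conditions []interface{} `json:"conditions"`
}

// ErrDuplicateKey is returned when a JSON object repeats a member name.
var ErrDuplicateKey = errors.New("duplicate key in JSON object")

// checkDuplicateKeys parses the whole document as a token stream and fails
// on the first object that contains the same member name twice, or on
// trailing data after the top-level value.
func checkDuplicateKeys(doc string) error {
	dec := json.NewDecoder(strings.NewReader(doc))
	if err := walk(dec); err != nil {
		return err
	}
	if _, err := dec.Token(); err != io.EOF {
		return errors.New("trailing data after JSON value")
	}
	return nil
}

// walk consumes one JSON value, recursing into objects and arrays.
func walk(dec *json.Decoder) error {
	tok, err := dec.Token()
	if err != nil {
		return err
	}
	delim, ok := tok.(json.Delim)
	if !ok {
		return nil // scalar value: nothing to check
	}
	switch delim {
	case '{':
		seen := map[string]bool{}
		for dec.More() {
			keyTok, err := dec.Token()
			if err != nil {
				return err
			}
			key, ok := keyTok.(string)
			if !ok {
				return fmt.Errorf("unexpected object key token %v", keyTok)
			}
			if seen[key] {
				return fmt.Errorf("%w: %q", ErrDuplicateKey, key)
			}
			seen[key] = true
			if err := walk(dec); err != nil { // member value
				return err
			}
		}
		_, err = dec.Token() // closing '}'
		return err
	case '[':
		for dec.More() {
			if err := walk(dec); err != nil {
				return err
			}
		}
		_, err = dec.Token() // closing ']'
		return err
	}
	return nil
}

// parsePolicy refuses documents with duplicate keys before decoding them.
func parsePolicy(doc string) (Policy, error) {
	var p Policy
	if err := checkDuplicateKeys(doc); err != nil {
		return p, err
	}
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// bucketFromNaiveDecode shows what a plain json.Unmarshal yields for the same
// input: the last duplicate wins, so the original "good" condition is gone.
func bucketFromNaiveDecode(doc string) string {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return ""
	}
	for _, c := range p.Conditions {
		parts, ok := c.([]interface{})
		if ok && len(parts) == 3 && parts[0] == "eq" && parts[1] == "$bucket" {
			if s, ok := parts[2].(string); ok {
				return s
			}
		}
	}
	return ""
}

func main() {
	fmt.Println("naive decode sees bucket:", bucketFromNaiveDecode(dupPolicy))
	_, err := parsePolicy(dupPolicy)
	fmt.Println("strict parse of duplicate policy:", err)
}
```

The check runs on the raw bytes the client sent, before any sanitization or re-encoding, which is the point: once a document has been decoded into a map or struct and encoded again, the duplicate is already gone and no later stage can notice it.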