Add expiry validation for S3 gateway requests

This change adds validation for the `X-Amz-Expires` parameter in
presigned URLs and enforces the 15-minute time window for header-based
authentication as per the AWS S3 spec.

Changes:
- Parse `X-Amz-Expires` and validate within allowed range
- Check expiration time for presigned URLs and header-based
  authenticated requests
- Add an explicit check for all required parameters for presigned URLs

Fixes #9599

Author: zubron

pkg/gateway/sig/sig.go

@@ -99,6 +99,8 @@ func (c *chainedAuthenticator) Parse() (SigContext, error) {
 		if err == nil {
 			c.chosen = method
 			return sigContext, nil
+		} else if !errors.Is(err, ErrHeaderMalformed) {
+			return nil, err
 		}
 	}
 	return nil, gwErrors.ErrMissingFields

pkg/gateway/sig/v4.go

@@ -33,6 +33,14 @@ const (
 	v4scopeTerminator        = "aws4_request"
 	v4timeFormat             = "20060102T150405Z"
 	v4shortTimeFormat        = "20060102"
+	maxExpires               = 604800
+
+	v4AmzAlgorithm     = "X-Amz-Algorithm"
+	v4AmzCredential    = "X-Amz-Credential"
+	v4AmzSignature     = "X-Amz-Signature"
+	v4AmzDate          = "X-Amz-Date"
+	v4AmzSignedHeaders = "X-Amz-SignedHeaders"
+	v4AmzExpires       = "X-Amz-Expires"
 )
 
 var (
@@ -43,12 +51,14 @@ var (
 type V4Auth struct {
 	AccessKeyID         string
 	Date                string
+	Expires             int64
 	Region              string
 	Service             string
 	SignedHeaders       []string
 	SignedHeadersString string
 	Signature           string
 	ChecksumAlgorithm   string
+	IsPresigned         bool
 }
 
 func (a V4Auth) GetAccessKeyID() string {
@@ -61,6 +71,40 @@ func splitHeaders(headers string) []string {
 	return headerValues
 }
 
+func parseExpires(expiresStr string) (int64, error) {
+	expires, err := strconv.ParseInt(expiresStr, 10, 64)
+	if err != nil {
+		// handles both empty string and non-int string
+		return 0, errors.ErrMalformedExpires
+	}
+	if expires < 0 {
+		return 0, errors.ErrNegativeExpires
+	}
+	if expires > maxExpires {
+		return 0, errors.ErrMaximumExpires
+	}
+	return expires, nil
+}
+
+func hasRequiredParams(values url.Values) bool {
+	var requiredPresignedParams = []string{
+		v4AmzAlgorithm,
+		v4AmzCredential,
+		v4AmzSignature,
+		v4AmzDate,
+		v4AmzSignedHeaders,
+		v4AmzExpires,
+	}
+
+	for _, param := range requiredPresignedParams {
+		if _, ok := values[param]; !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
 func ParseV4AuthContext(r *http.Request) (V4Auth, error) {
 	var ctx V4Auth
 
@@ -88,16 +132,22 @@ func ParseV4AuthContext(r *http.Request) (V4Auth, error) {
 		signatureHeaders := result["SignatureHeaders"]
 		ctx.SignedHeaders = splitHeaders(signatureHeaders)
 		ctx.SignedHeadersString = signatureHeaders
+		ctx.IsPresigned = false
 		return ctx, nil
 	}
 
-	// otherwise, see if we have all the required query parameters
 	query := r.URL.Query()
-	algorithm := query.Get("X-Amz-Algorithm")
+	// otherwise, see if we have all the required query parameters
+	if !hasRequiredParams(query) {
+		return ctx, errors.ErrInvalidQueryParams
+	}
+	ctx.IsPresigned = true
+
+	algorithm := query.Get(v4AmzAlgorithm)
 	if len(algorithm) == 0 || !strings.EqualFold(algorithm, V4authHeaderPrefix) {
 		return ctx, errors.ErrInvalidQuerySignatureAlgo
 	}
-	credentialScope := query.Get("X-Amz-Credential")
+	credentialScope := query.Get(v4AmzCredential)
 	if len(credentialScope) == 0 {
 		return ctx, errors.ErrMissingCredTag
 	}
@@ -116,7 +166,13 @@ func ParseV4AuthContext(r *http.Request) (V4Auth, error) {
 	ctx.Region = credsResult["Region"]
 	ctx.Service = credsResult["Service"]
 
-	ctx.SignedHeadersString = query.Get("X-Amz-SignedHeaders")
+	expires, err := parseExpires(query.Get(v4AmzExpires))
+	if err != nil {
+		return ctx, err
+	}
+	ctx.Expires = expires
+
+	ctx.SignedHeadersString = query.Get(v4AmzSignedHeaders)
 	headers := splitHeaders(ctx.SignedHeadersString)
 	ctx.SignedHeaders = headers
 	ctx.Signature = query.Get(v4SignatureHeader)
@@ -144,6 +200,11 @@ func V4Verify(auth V4Auth, credentials *model.Credential, r *http.Request) error
 		return errors.ErrSignatureDoesNotMatch
 	}
 
+	// check that the request hasn't expired
+	if err := ctx.verifyExpiration(); err != nil {
+		return err
+	}
+
 	// wrap body with verifier
 	reader, err := ctx.reader(r.Body, credentials)
 	if err != nil {
@@ -293,6 +354,41 @@ func (ctx *verificationCtx) getAmzDate() (string, error) {
 	return amzDate, nil
 }
 
+func (ctx *verificationCtx) verifyExpiration() error {
+	// Get and validate the request timestamp
+	amzDate, err := ctx.getAmzDate()
+	if err != nil {
+		return err
+	}
+
+	requestTime, err := time.Parse(v4timeFormat, amzDate)
+	if err != nil {
+		return err
+	}
+
+	now := time.Now().UTC()
+	timeDiff := now.Sub(requestTime)
+
+	// Check for requests from the future and allow small clock skew
+	if timeDiff < 0 && timeDiff.Abs() > 5*time.Minute {
+		return errors.ErrRequestNotReadyYet
+	}
+
+	if ctx.AuthValue.IsPresigned {
+		expirationTime := requestTime.Add(time.Duration(ctx.AuthValue.Expires) * time.Second)
+		if now.After(expirationTime) {
+			return errors.ErrExpiredPresignRequest
+		}
+	} else {
+		// Header based auth requests are valid for 15 minutes
+		if timeDiff.Abs() > 15*time.Minute {
+			return errors.ErrExpiredPresignRequest
+		}
+	}
+
+	return nil
+}
+
 func sign(key []byte, msg string) []byte {
 	h := hmac.New(sha256.New, key)
 	_, _ = h.Write([]byte(msg))