php - Amazon S3 presigned URL - Invalidate manually or one-time upload
I am using S3 to accept direct uploads from the user to S3. Therefore I am using pre-signed URLs.
After a successful upload, an AWS Lambda makes sure the uploaded file is an image, and the client tells my server that it has finished uploading.
Then my server checks if the file exists in S3 (if the Lambda detects an invalid image, it deletes it). If it does, the rest of the application logic follows.
However, there is a loophole in this mechanism. A user can use the same URL to upload a malicious file after telling my server that they have finished uploading (and passing a valid file).
The Lambda will still delete the file, but my server will think the file exists whereas it does not.
Is there a way to generate a one-time upload pre-signed URL, or is it possible to forcefully invalidate a URL that was generated but has not yet expired?
Turning this into an answer...
Once the file is uploaded, have the Lambda move it (using the Copy Object API), i.e. uploads/123.png to received/123.png or similar.
If a malicious user attempts to re-use the signed URL, it'll go to uploads/123.png. Worst-case, the Lambda checks it again and rejects the new file. Since your server's looking in received/ instead of uploads/ for files to process, we've rendered things safe.
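The flow in the answer above, as an added example that is not part of the original post: a Lambda-style handler promotes validated images from uploads/ to received/, and the server only ever checks received/. `FakeS3` is a constructed in-memory stand-in for the boto3 S3 client calls used, the bucket name and the magic-byte check are assumptions, and refusing to overwrite an existing received/ key is an added assumption that goes beyond the answer.

```python
import io

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client methods used below."""
    def __init__(self):
        self.objects = {}
    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body
    def get_object(self, Bucket, Key, Range=None):
        data = self.objects[(Bucket, Key)]
        return {"Body": io.BytesIO(data[:16] if Range else data)}
    def copy_object(self, Bucket, Key, CopySource):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]
    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)
    def list_objects_v2(self, Bucket, Prefix):
        keys = [k for b, k in self.objects if b == Bucket and k.startswith(Prefix)]
        return {"KeyCount": len(keys), "Contents": [{"Key": k} for k in keys]}

def exists(s3, bucket, key):
    """Server-side check: exact-key lookup, only ever called on received/ keys."""
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=key)
    return any(o["Key"] == key for o in resp.get("Contents", []))

def handle_upload(s3, bucket, key):
    """Lambda logic for one ObjectCreated event under uploads/."""
    dest = "received/" + key[len("uploads/"):]
    head = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-15")["Body"].read()
    if not head.startswith((PNG_MAGIC, JPEG_MAGIC)):
        result = "rejected"    # magic-byte check stands in for real image validation
    elif exists(s3, bucket, dest):
        result = "duplicate"   # added assumption: never overwrite an accepted file
    else:
        s3.copy_object(Bucket=bucket, Key=dest, CopySource={"Bucket": bucket, "Key": key})
        result = "accepted"
    s3.delete_object(Bucket=bucket, Key=key)   # uploads/ is only a staging area
    return result

def demo():
    s3, b, good = FakeS3(), "example-bucket", PNG_MAGIC + b"constructed image bytes"
    s3.put_object(Bucket=b, Key="uploads/123.png", Body=good)
    first = handle_upload(s3, b, "uploads/123.png")
    s3.put_object(Bucket=b, Key="uploads/123.png", Body=b"not an image")  # URL re-used
    second = handle_upload(s3, b, "uploads/123.png")
    intact = s3.objects[(b, "received/123.png")] == good
    return first, second, exists(s3, b, "received/123.png"), intact
```

With a real client, a window remains between the validation read and the copy; boto3's `copy_object` accepts `CopySourceIfMatch` to pin the copy to the ETag that was validated.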