Reputation: 68
AWS S3 createPresignedPost URL can upload file of any size despite limiting it
I'm creating a pre-signed URL so the user in the front end can upload a file (max 10MB) this is how I create it
const s3Params = {
Bucket: S3_BUCKET,
Expires: 30,
Fields: {
key: key,
},
Conditions: [
["eq", "$acl", "public-read"],
["eq", "$x-amz-meta-filename", fileName],
["content-length-range", 1, 10000000], //10MB
["eq", "$x-amz-meta-userid", userid],
],
};
console.log(s3Params);
s3.createPresignedPost(s3Params, (err, data) => {
if (err) {
console.log(err);
return cb({success: false, error: err});
}
data.fields["x-amz-meta-filename"] = fileName;
data.fields["x-amz-meta-userid"] = userid;
const returnData = {
signedRequest: data,
url: `https://${S3_BUCKET}.s3.amazonaws.com/${key}`,
};
return cb({success: true, data: {returnData}});
});
in the Conditions set the max file size (content-length-range) to be 10MB but I was still able to upload a 25 MB file using the generated Pre signed URL. I was thinking it might have something to do with the bucket policy but I'm not sure.
Here is my Bucket Policy
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::blah.blah/*"
}
]
}
Upvotes: 2
Views: 1287
Answers (1)
Reputation: 238497
I think your conditions are simply ignored because the bucket allows for anonymous writes (very terrible practice!). From docs:
If you don't provide elements required for authenticated requests, such as the policy element, the request is assumed to be anonymous and will succeed only if you have configured the bucket for public read and write.
When you are using pre-signed urls, you shouldn't make your bucket public.
Upvotes: 2
Related Questions
- How to limit file's size and mimetype on upload to S3
- Upload file to s3 with POST
- How to restrict the size of the file being uploaded on to the AWS S3 service using presigned urls
- Limitting size of uploaded file via presigned URLs to S3
- AWS S3 files not uploaded properly if total files size exceed 50GB
- AWS S3: MaxPostPreDataLengthExceeded Your POST request fields preceeding the upload file was too large
- Why is my s3 createPresignedPost not respecting the content-range-length condition
- S3 : How to upload a large file using S3 in nodejs using aws-sdk
- Stream File Upload To S3 While Limiting File Size Using ExpressJS
- Amazon S3 REST API incorrect size