AWS S3/Ruby on Rails/ heroku: Security hole in my app
I have a route in my config which says that for a page, say /secure, there is a login required (done via authlogic). A before_filter in my controller takes care of that. That works fine, the page and its resources have restricted access - through the application.

Trouble is, we are using Amazon S3 for storage on this app (based on refinerycms) deployed to heroku. I have a bucket and it works fine.

However, any resource inserted in the secure part of the application is directly accessible through the browser. In other words, the /secure page contains items like pdf files. While through the app the resources are secured, those pdf files are accessible from anywhere in the Internet (example URL): http://s3.amazonaws.com/my_bucket/images/1234/the_file_which_should_be_secure.pdf

Can I do fine-grained access control on S3? Do I have to create a new bucket? Ideally I'd like to set a flag on my resource which makes it invisible in the Internet - don't know.

Any suggestion welcomed.

P.S. openid.org has an expired ssl cert, so needed to create a new empty account as I could not login

Vernal answered 23/10, 2010 at 11:55 Comment(0)
The simplest and easiest solution is just to name your S3 assets with random, unguessable filenames, and then only expose the secret URLs to the people who should have access.

This is how Facebook photos and many other sites work (there is no privacy or security beyond the obscurity of the individual filenames).

Primus answered 23/10, 2010 at 21:28 Comment(3)
Interesting approach, thank you. I did get a response in the AWS forum to try their ACL documentation... If that turns out to be a lot of work, I might go this way! - Vernal
You're welcome. From my knowledge of AWS ACLs, they're not really suited to this kind of use, but you should investigate them. Don't forget to come back and accept this answer if it helped you. - Primus
As the client was on a tight budget, I decided to choose this solution, as it is the quickest... - Vernal
You could try what is said on this page:

http://thewebfellas.com/blog/2009/8/29/protecting-your-paperclip-downloads

The specifics are under the section "No more streaming, time for a redirection".

Summary: S3 has four canned access policies; by using the authenticated-read policy, S3 provides a way to generate an authenticated URL for private content that only works for a specified period of time.

I haven't actually done this, so please let me know if it works for you. :-)

Floodgate answered 28/10, 2010 at 3:38 Comment(0)
If you use Paperclip, you can restrict access to objects stored on Amazon S3 by using expiring URLs (if you don't mind using expiring URLs).

Here is the wiki page from thoughtbot/paperclip on GitHub:

https://github.com/thoughtbot/paperclip/wiki/Restricting-Access-to-Objects-Stored-on-Amazon-S3

Also, there are some helpful links at the bottom of that page which you might not want to miss.

Thiol answered 11/8, 2011 at 6:34 Comment(0)
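The "expiring URL" that Floodgate's and Thiol's answers point at is a pre-signed S3 URL: the application signs the object's GET request with its own secret key and an expiry, and S3 recomputes that signature on every request, refusing it once the window has passed. The following is a worked example added here; it is not code from any of the answers, from Paperclip or from the aws-s3 gem. It implements the current AWS Signature Version 4 query-string scheme with only the Ruby standard library (the 2009/2010 posts and gems referenced on this page used Signature Version 2, which S3 has been deprecating in favour of V4). The bucket, object key and `AKIAIOSFODNN7EXAMPLE` credentials are constructed placeholders, and `verify` plays S3's role so that the expired and tampered cases can be exercised offline.

```ruby
require 'openssl'
require 'digest'
require 'uri'

# Constructed placeholder credentials (the AWS documentation's example key pair), not real secrets.
ACCESS_KEY = 'AKIAIOSFODNN7EXAMPLE'
SECRET_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

module S3Presign
  ALGO = 'AWS4-HMAC-SHA256'

  # SigV4 needs RFC 3986 encoding: only unreserved characters stay literal.
  # Object keys keep their '/' separators; query values encode it as %2F.
  def self.uri_encode(str, encode_slash: true)
    str.to_s.gsub(/[^A-Za-z0-9\-_.~]/) do |ch|
      next ch if ch == '/' && !encode_slash
      ch.bytes.map { |b| '%%%02X' % b }.join
    end
  end

  def self.hmac(key, data)
    OpenSSL::HMAC.digest('sha256', key, data)
  end

  # Signing key: HMAC chain secret -> date -> region -> service -> "aws4_request".
  def self.signing_key(secret, date, region)
    k = hmac("AWS4#{secret}", date)
    k = hmac(k, region)
    k = hmac(k, 's3')
    hmac(k, 'aws4_request')
  end

  def self.canonical_query(params)
    params.sort.map { |k, v| "#{uri_encode(k)}=#{uri_encode(v)}" }.join('&')
  end

  # Signature over the canonical GET request for one object.
  def self.signature(secret, host, key, params, region)
    amz_date = params['X-Amz-Date']
    date = amz_date[0, 8]
    canonical_request = [
      'GET',
      '/' + uri_encode(key, encode_slash: false),
      canonical_query(params),
      "host:#{host}\n",   # canonical headers block, followed by a blank line
      'host',             # signed headers
      'UNSIGNED-PAYLOAD'  # presigned URLs do not commit to a body hash
    ].join("\n")
    string_to_sign = [
      ALGO,
      amz_date,
      "#{date}/#{region}/s3/aws4_request",
      Digest::SHA256.hexdigest(canonical_request)
    ].join("\n")
    OpenSSL::HMAC.hexdigest('sha256', signing_key(secret, date, region), string_to_sign)
  end

  # Time-limited GET URL for one object; S3 caps expires_in at 604800 seconds (7 days).
  def self.presigned_get(bucket:, key:, access_key:, secret:, region: 'us-east-1',
                         expires_in: 300, now: Time.now)
    host = "#{bucket}.s3.amazonaws.com"
    amz_date = now.getutc.strftime('%Y%m%dT%H%M%SZ')
    params = {
      'X-Amz-Algorithm' => ALGO,
      'X-Amz-Credential' => "#{access_key}/#{amz_date[0, 8]}/#{region}/s3/aws4_request",
      'X-Amz-Date' => amz_date,
      'X-Amz-Expires' => expires_in.to_s,
      'X-Amz-SignedHeaders' => 'host'
    }
    sig = signature(secret, host, key, params, region)
    "https://#{host}/#{uri_encode(key, encode_slash: false)}?#{canonical_query(params)}&X-Amz-Signature=#{sig}"
  end

  # Constant-time string comparison (OpenSSL.secure_compare needs a newer openssl gem).
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # S3's side of the exchange, reproduced so the failure modes can be exercised offline:
  # recompute the signature from the URL, then enforce the expiry window.
  # Returns :ok, :expired or :bad_signature.
  def self.verify(url, secret, now: Time.now)
    uri = URI(url)
    params = URI.decode_www_form(uri.query.to_s).to_h
    sig = params.delete('X-Amz-Signature')
    cred, amz_date, expires = params.values_at('X-Amz-Credential', 'X-Amz-Date', 'X-Amz-Expires')
    return :bad_signature unless sig && cred && amz_date && expires
    key = URI.decode_www_form_component(uri.path.sub(%r{\A/}, ''))
    expected = signature(secret, uri.host, key, params, cred.split('/')[2])
    return :bad_signature unless secure_eq(expected, sig)
    d = amz_date
    signed_at = Time.utc(d[0, 4].to_i, d[4, 2].to_i, d[6, 2].to_i, d[9, 2].to_i, d[11, 2].to_i, d[13, 2].to_i)
    now > signed_at + expires.to_i ? :expired : :ok
  end
end
```

In the Rails app from the question, the action behind the login `before_filter` would call `presigned_get` for the requested PDF and `redirect_to` the result, so the browser still downloads straight from S3 but only with a URL that stops working after `expires_in` seconds; the objects themselves must be stored with a private ACL, otherwise the plain `http://s3.amazonaws.com/my_bucket/...` URL from the question keeps working regardless. Changing anything that was signed (the object key, the expiry, the credential) invalidates the signature, which is what `verify` demonstrates. The current AWS SDK produces URLs of exactly this shape via `Aws::S3::Object#presigned_url(:get, expires_in: 300)`, and the output of this block can be checked against the worked query-parameter example in the AWS Signature Version 4 documentation.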
Maybe I'm confused as to what you are trying to accomplish, but S3 has access permissions that require an encryption key to be in the URL you provide to the user. When using the aws-s3 gem, this option is enabled by default. Therefore, you should not be able to access the files unless the user is using the link with the encrypted key embedded in it. This would require you to make sure that the file is set to authorized access only.

More info about the gem can be found at http://amazon.rubyforge.org/. Look for the documentation related to access control (I think "authenticated_read" is what you want).

Childhood answered 24/10, 2010 at 2:01 Comment(2)
Right! I learnt now that I have an ACL on my bucket. There, I can set rights to Everyone, Authenticated Users, and my_username. For "Everyone" and "Authenticated Users", the ACL says "no read/write/full control". Thus I do not understand how I actually can even access that stuff from the browser! I am quite confused too... - Vernal
It's not an encrypted key, it's called a token. - Kriskrischer

© 2022 - 2024 — McMap. All rights reserved.