Add validation for internal R2 requests

Validate incoming R2 requests from `workerd` with `zod`, increasing
type safety. This removes some implicit `any`s from `JSON.parse`, and
allows us to use `method` as a type-level union discriminator.

Validation of types has also been removed from the `Validator` class,
as we don't need to duplicate this. `workerd` will handle validating
user input here.

Author: mrbbot

package-lock.json

@@ -42,7 +42,7 @@
     "workerd": "^1.20230221.0",
     "ws": "^8.11.0",
     "youch": "^3.2.2",
-    "zod": "^3.18.0"
+    "zod": "^3.20.6"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20221111.1",

packages/tre/package.json

@@ -1,4 +1,5 @@
 import { Response } from "../../http";
+import { HttpError } from "../../shared";
 import { CfHeader } from "../shared/constants";
 import { R2Object } from "./r2Object";
 
@@ -22,22 +23,18 @@ enum CfCode {
   InvalidRange = 10039,
 }
 
-export class R2Error extends Error {
-  status: number;
-  v4Code: number;
+export class R2Error extends HttpError {
   object?: R2Object;
-  constructor(status: number, message: string, v4Code: number) {
-    super(message);
-    this.name = "R2Error";
-    this.status = status;
-    this.v4Code = v4Code;
+
+  constructor(code: number, message: string, readonly v4Code: number) {
+    super(code, message);
   }
 
   toResponse() {
     if (this.object !== undefined) {
       const { metadataSize, value } = this.object.encode();
       return new Response(value, {
-        status: this.status,
+        status: this.code,
         headers: {
           [CfHeader.MetadataSize]: `${metadataSize}`,
           "Content-Type": "application/json",
@@ -51,7 +48,7 @@ export class R2Error extends Error {
       });
     }
     return new Response(null, {
-      status: this.status,
+      status: this.code,
       headers: {
         [CfHeader.Error]: JSON.stringify({
           message: this.message,

packages/tre/src/plugins/r2/errors.ts

@@ -1,93 +1,43 @@
+import { z } from "zod";
 import { Log } from "../../shared";
 import { RangeStoredValueMeta, Storage } from "../../storage";
 import { InvalidRange, NoSuchKey } from "./errors";
 import {
-  R2HTTPMetadata,
   R2Object,
   R2ObjectBody,
   R2ObjectMetadata,
   createVersion,
 } from "./r2Object";
-import { Validator } from "./validator";
-
-// For more information, refer to https://datatracker.ietf.org/doc/html/rfc7232
-export interface R2Conditional {
-  // Performs the operation if the object’s etag matches the given string.
-  etagMatches?: string;
-  // Performs the operation if the object’s etag does not match the given string.
-  etagDoesNotMatch?: string;
-  // Performs the operation if the object was uploaded before the given date.
-  uploadedBefore?: number;
-  // Performs the operation if the object was uploaded after the given date.
-  uploadedAfter?: number;
-}
-
-export interface R2Range {
-  offset?: number;
-  length?: number;
-  suffix?: number;
-}
-
-export interface R2GetOptions {
-  // Specifies that the object should only be returned given satisfaction of
-  // certain conditions in the R2Conditional. Refer to R2Conditional above.
-  onlyIf?: R2Conditional;
-  // Specifies that only a specific length (from an optional offset) or suffix
-  // of bytes from the object should be returned. Refer to
-  // https://developers.cloudflare.com/r2/runtime-apis/#ranged-reads.
-  range?: R2Range;
-}
-
-export interface R2PutOptions {
-  // Various HTTP headers associated with the object. Refer to
-  // https://developers.cloudflare.com/r2/runtime-apis/#http-metadata.
-  httpMetadata: R2HTTPMetadata;
-  // A map of custom, user-defined metadata that will be stored with the object.
-  customMetadata: Record<string, string>;
-  // A md5 hash to use to check the recieved object’s integrity.
-  md5?: string;
-}
-
-export type R2ListOptionsInclude = ("httpMetadata" | "customMetadata")[];
+import {
+  R2GetRequestSchema,
+  R2ListRequestSchema,
+  R2PutRequestSchema,
+} from "./schemas";
+import { MAX_LIST_KEYS, Validator } from "./validator";
 
-export interface R2ListOptions {
-  // The number of results to return. Defaults to 1000, with a maximum of 1000.
-  limit?: number;
-  // The prefix to match keys against. Keys will only be returned if they start with given prefix.
-  prefix?: string;
-  // An opaque token that indicates where to continue listing objects from.
-  // A cursor can be retrieved from a previous list operation.
-  cursor?: string;
-  // The character to use when grouping keys.
-  delimiter?: string;
-  // Can include httpFields and/or customFields. If included, items returned by
-  // the list will include the specified metadata. Note that there is a limit on the
-  // total amount of data that a single list operation can return.
-  // If you request data, you may recieve fewer than limit results in your response
-  // to accomodate metadata.
-  // Use the truncated property to determine if the list request has more data to be returned.
-  include?: R2ListOptionsInclude;
-}
+export type OmitRequest<T> = Omit<T, "method" | "object">;
+export type R2GetOptions = OmitRequest<z.infer<typeof R2GetRequestSchema>>;
+export type R2PutOptions = OmitRequest<z.infer<typeof R2PutRequestSchema>>;
+export type R2ListOptions = OmitRequest<z.infer<typeof R2ListRequestSchema>>;
 
 export interface R2Objects {
   // An array of objects matching the list request.
   objects: R2Object[];
-  // If true, indicates there are more results to be retrieved for the current list request.
+  // If true, indicates there are more results to be retrieved for the current
+  // list request.
   truncated: boolean;
-  // A token that can be passed to future list calls to resume listing from that point.
+  // A token that can be passed to future list calls to resume listing from that
+  // point.
   // Only present if truncated is true.
   cursor?: string;
-  // If a delimiter has been specified, contains all prefixes between the specified
-  // prefix and the next occurence of the delimiter.
-  // For example, if no prefix is provided and the delimiter is ‘/’, foo/bar/baz
-  // would return foo as a delimited prefix. If foo/ was passed as a prefix
-  // with the same structure and delimiter, foo/bar would be returned as a delimited prefix.
+  // If a delimiter has been specified, contains all prefixes between the
+  // specified prefix and the next occurrence of the delimiter. For example, if
+  // no prefix is provided and the delimiter is "/", "foo/bar/baz" would return
+  // "foo" as a delimited prefix. If "foo/" was passed as a prefix with the same
+  // structure and delimiter, "foo/bar" would be returned as a delimited prefix.
   delimitedPrefixes: string[];
 }
 
-const MAX_LIST_KEYS = 1_000;
-// https://developers.cloudflare.com/r2/platform/limits/ (5GB - 5MB)
-
 const validate = new Validator();
 
 export class R2Gateway {
@@ -110,10 +60,7 @@ export class R2Gateway {
     options: R2GetOptions = {}
   ): Promise<R2ObjectBody | R2Object> {
     const { range = {}, onlyIf } = options;
-    validate
-      .key(key)
-      .getOptions(options)
-      .condition(await this.head(key), onlyIf);
+    validate.key(key).condition(await this.head(key), onlyIf);
 
     let stored: RangeStoredValueMeta<R2ObjectMetadata> | undefined;
 
@@ -140,22 +87,18 @@ export class R2Gateway {
   ): Promise<R2Object> {
     const { customMetadata, md5, httpMetadata } = options;
 
-    const hash = validate
-      .key(key)
-      .putOptions(options)
-      .size(value)
-      .md5(value, md5);
+    const hash = validate.key(key).size(value).md5(value, md5);
 
     // build metadata
     const metadata: R2ObjectMetadata = {
       key,
       size: value.byteLength,
-      etag: hash,
+      etag: hash.toString("hex"),
       version: createVersion(),
       httpEtag: `"${hash}"`,
       uploaded: Date.now(),
-      httpMetadata,
-      customMetadata,
+      httpMetadata: httpMetadata ?? {},
+      customMetadata: customMetadata ?? {},
     };
 
     // Store value with expiration and metadata
@@ -173,9 +116,7 @@ export class R2Gateway {
   }
 
   async list(listOptions: R2ListOptions = {}): Promise<R2Objects> {
-    const delimitedPrefixes = new Set<string>();
-
-    validate.listOptions(listOptions);
+    validate.limit(listOptions.limit);
 
     const { prefix = "", include = [], cursor = "" } = listOptions;
     let { delimiter, limit = MAX_LIST_KEYS } = listOptions;
@@ -190,8 +131,7 @@ export class R2Gateway {
       cursor,
       delimiter,
     });
-    // add delimited prefixes should they exist
-    for (const dP of res.delimitedPrefixes ?? []) delimitedPrefixes.add(dP);
+    const delimitedPrefixes = new Set(res.delimitedPrefixes ?? []);
 
     const objects = res.keys
       // grab metadata

packages/tre/src/plugins/r2/gateway.ts

@@ -45,3 +45,4 @@ export const R2_PLUGIN: Plugin<
 
 export * from "./r2Object";
 export * from "./gateway";
+export * from "./schemas";