feat: prevent passing in role claim in presigned URL JWTs (#520)

hf · web-flow · commit 9486b37b387e · 2024-07-16T09:49:22.000+02:00
diff --git a/src/storage/object.ts b/src/storage/object.ts
@@ -540,6 +540,10 @@ export class ObjectStorage {
       return all
     }, metadata || {})
 
+    // security-in-depth: as signObjectUrl could be used as a signing oracle,
+    // make sure it's never able to specify a role JWT claim
+    delete metadata['role']
+
     const urlParts = url.split('/')
     const urlToSign = decodeURI(urlParts.splice(3).join('/'))
     const { secret: jwtSecret } = await getJwtSecret(this.db.tenantId)
