fix: prevent creation of objects with no name

bnjmnt4n · inian · commit 9bf39cd2b5f8 · 2022-08-01T17:07:24.000+08:00
diff --git a/src/test/object.test.ts b/src/test/object.test.ts
@@ -285,6 +285,23 @@ describe('testing POST object via multipart upload', () => {
     )
   })
 
+  test('return 400 when uploading to object with no file name', async () => {
+    const form = new FormData()
+    form.append('file', fs.createReadStream(`./src/test/assets/sadcat.jpg`))
+    const headers = Object.assign({}, form.getHeaders(), {
+      authorization: `Bearer ${anonKey}`,
+    })
+
+    const response = await app().inject({
+      method: 'POST',
+      url: '/object/bucket4/',
+      headers,
+      payload: form,
+    })
+    expect(response.statusCode).toBe(400)
+    expect(S3Backend.prototype.uploadObject).not.toHaveBeenCalled()
+  })
+
   test('should not add row to database if upload fails', async () => {
     // Mock S3 upload failure.
     jest.spyOn(S3Backend.prototype, 'uploadObject').mockRejectedValue(
@@ -496,6 +513,27 @@ describe('testing POST object via binary upload', () => {
     )
   })
 
+  test('return 400 when uploading to object with no file name', async () => {
+    const path = './src/test/assets/sadcat.jpg'
+    const { size } = fs.statSync(path)
+
+    const headers = {
+      authorization: `Bearer ${anonKey}`,
+      'Content-Length': size,
+      'Content-Type': 'image/jpeg',
+      'x-upsert': 'true',
+    }
+
+    const response = await app().inject({
+      method: 'POST',
+      url: '/object/bucket4/',
+      headers,
+      payload: fs.createReadStream(path),
+    })
+    expect(response.statusCode).toBe(400)
+    expect(S3Backend.prototype.uploadObject).not.toHaveBeenCalled()
+  })
+
   test('should not add row to database if upload fails', async () => {
     // Mock S3 upload failure.
     jest.spyOn(S3Backend.prototype, 'uploadObject').mockRejectedValue(
diff --git a/src/utils/index.ts b/src/utils/index.ts
@@ -90,5 +90,5 @@ export function normalizeContentType(contentType: string | undefined): string |
 export function isValidKey(key: string): boolean {
   // only allow s3 safe characters and characters which require special handling for now
   // https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html
-  return /^(\w|\/|!|-|\.|\*|'|\(|\)| |&|\$|@|=|;|:|\+|,|\?)*$/.test(key)
+  return key.length > 0 && /^(\w|\/|!|-|\.|\*|'|\(|\)| |&|\$|@|=|;|:|\+|,|\?)*$/.test(key)
 }

Original file line number	Diff line number	Diff line change
`@@ -90,5 +90,5 @@ export function normalizeContentType(contentType: string \| undefined): string \|`
`90`	`90`	`export function isValidKey(key: string): boolean {`
`91`	`91`	`// only allow s3 safe characters and characters which require special handling for now`
`92`	`92`	`// https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html`
`93`		`- return /^(\w\|\/\|!\|-\|\.\|\\|'\|\(\|\)\| \|&\|\$\|@\|=\|;\|:\|\+\|,\|\?)$/.test(key)`
	`93`	`+ return key.length > 0 && /^(\w\|\/\|!\|-\|\.\|\\|'\|\(\|\)\| \|&\|\$\|@\|=\|;\|:\|\+\|,\|\?)$/.test(key)`
`94`	`94`	`}`