Static object session with search verb allows to search all objects in container #36

New issue

Open

opened 2025-12-28 18:14:27 +00:00 by sami · 2 comments

sami commented

2025-12-28 18:14:27 +00:00

Owner

Originally created by @abereziny on GitHub (Nov 9, 2022).

Have 3 objects in container (oid1, oid2, oid3)
Create static session with search verb for 2 objects in container

{
    "body": {
        "id": "GA38eKGHSxK6dCrrIcNOCA==",
        "ownerID": {
            "value": "<owner_id>"
        },
        "lifetime": {
            "exp": "100000000",
            "nbf": "0",
            "iat": "0"
        },
        "sessionKey": "<session_key_of_user_wallet>",
        "object": {
            "verb": "SEARCH",
            "target": {
                "container": {
                    "value": "<container_id>"
                },
                "objects": [
                    {
                        "value": "<oid1>"
                    },
                    {
                        "value": "<oid2>"
                    }
                ]
            }
        }
    }
}

Sign token
Using signed token as static session make search request

Expected Behavior

Search should return only objects allowed in static session: oid1 and oid2

Current Behavior

Search returns all objects in container: oid1, oid2, oid3

Which makes user with limited rights to scan whole container.

Autotest

in feature branch
https://github.com/abereziny/neofs-testcases/tree/feature/abereziny-add-object-static-session-tests
testsuites.session_token.test_object_session_token#test_static_session_search

Originally created by @abereziny on GitHub (Nov 9, 2022). 1. Have 3 objects in container (oid1, oid2, oid3) 2. Create static session with search verb for 2 objects in container ``` { "body": { "id": "GA38eKGHSxK6dCrrIcNOCA==", "ownerID": { "value": "<owner_id>" }, "lifetime": { "exp": "100000000", "nbf": "0", "iat": "0" }, "sessionKey": "<session_key_of_user_wallet>", "object": { "verb": "SEARCH", "target": { "container": { "value": "<container_id>" }, "objects": [ { "value": "<oid1>" }, { "value": "<oid2>" } ] } } } } ``` 3. Sign token 4. Using signed token as static session make search request ## Expected Behavior Search should return only objects allowed in static session: oid1 and oid2 ## Current Behavior Search returns all objects in container: oid1, oid2, oid3 Which makes user with limited rights to scan whole container. ## Autotest in feature branch https://github.com/abereziny/neofs-testcases/tree/feature/abereziny-add-object-static-session-tests testsuites.session_token.test_object_session_token#test_static_session_search

sami added the

documentation

good first issue

labels

2025-12-28 18:14:27 +00:00

sami commented

2025-12-28 18:14:28 +00:00

Author

Owner

@fyrchik commented on GitHub (Nov 11, 2022):

I see no value in this restriction:

SEARCH command is used to find all objects with some property. If the set of objects is known beforehand, this can trivially be done with GET.
Even more than that, SEARCH will probably visit all container nodes but with GET we likely know the precise location of all objects.
We usually use target field for restricting input operations, here we restrict the result, because search has no parameters.

@fyrchik commented on GitHub (Nov 11, 2022): I see no value in this restriction: 1. SEARCH command is used to find _all_ objects with some property. If the set of objects is known beforehand, this can trivially be done with GET. 2. Even more than that, SEARCH will probably visit _all_ container nodes but with GET we likely know the precise location of all objects. 3. We usually use `target` field for restricting input operations, here we restrict the result, because search has no parameters.

sami commented

2025-12-28 18:14:28 +00:00

Author

Owner

@roman-khimov commented on GitHub (Apr 21, 2023):

Should be documented somewhere.

@roman-khimov commented on GitHub (Apr 21, 2023): Should be documented somewhere.