Static object session with search verb allows to search all objects in container #36

opened 2025-12-28 18:14:27 +00:00 by sami · 2 comments

Originally created by @abereziny on GitHub (Nov 9, 2022).

  1. Have 3 objects in a container (oid1, oid2, oid3)
  2. Create a static session with the search verb for 2 objects in the container
```json
{
    "body": {
        "id": "GA38eKGHSxK6dCrrIcNOCA==",
        "ownerID": {
            "value": "<owner_id>"
        },
        "lifetime": {
            "exp": "100000000",
            "nbf": "0",
            "iat": "0"
        },
        "sessionKey": "<session_key_of_user_wallet>",
        "object": {
            "verb": "SEARCH",
            "target": {
                "container": {
                    "value": "<container_id>"
                },
                "objects": [
                    {
                        "value": "<oid1>"
                    },
                    {
                        "value": "<oid2>"
                    }
                ]
            }
        }
    }
}
```
  3. Sign the token
  4. Using the signed token as a static session, make a search request

Expected Behavior

Search should return only objects allowed in static session: oid1 and oid2

Current Behavior

Search returns all objects in container: oid1, oid2, oid3

This allows a user with limited rights to scan the whole container.

Autotest

in feature branch
https://github.com/abereziny/neofs-testcases/tree/feature/abereziny-add-object-static-session-tests
testsuites.session_token.test_object_session_token#test_static_session_search
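As an added illustration (not neofs-node or neofs-sdk-go code), the check the report expects, written as a stand-alone Go function: parse the token body shown above, reject it if the verb or container does not match the request, and cut the search result down to the object IDs listed in `target.objects`. The `sessionToken` type, `filterSearchResult`, and the filled-in IDs (`cid-1`, `oid1`, `oid2`, `oid3`) are assumptions made for the example; treating an empty `objects` list as unrestricted is also an assumption, not something the report states.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// idValue mirrors the {"value": "..."} wrapper used throughout the token JSON.
type idValue struct {
	Value string `json:"value"`
}

// sessionToken models only the token fields the check needs. Field names
// follow the JSON in the report; this is not the neofs-sdk-go session type.
type sessionToken struct {
	Body struct {
		Object struct {
			Verb   string `json:"verb"`
			Target struct {
				Container idValue   `json:"container"`
				Objects   []idValue `json:"objects"`
			} `json:"target"`
		} `json:"object"`
	} `json:"body"`
}

var (
	errWrongVerb      = errors.New("token verb is not SEARCH")
	errWrongContainer = errors.New("token container does not match the searched container")
)

// filterSearchResult returns the subset of found that the token permits.
// Assumptions (not stated in the report): a token whose objects list is empty
// is unrestricted within its container; a verb or container mismatch is an
// error rather than a silently empty result.
func filterSearchResult(tokenJSON []byte, containerID string, found []string) ([]string, error) {
	var tok sessionToken
	if err := json.Unmarshal(tokenJSON, &tok); err != nil {
		return nil, fmt.Errorf("parse token: %w", err)
	}
	obj := tok.Body.Object
	if obj.Verb != "SEARCH" {
		return nil, errWrongVerb
	}
	if obj.Target.Container.Value != containerID {
		return nil, errWrongContainer
	}
	if len(obj.Target.Objects) == 0 {
		return append([]string(nil), found...), nil
	}
	allowed := make(map[string]struct{}, len(obj.Target.Objects))
	for _, o := range obj.Target.Objects {
		allowed[o.Value] = struct{}{}
	}
	out := make([]string, 0, len(found))
	for _, oid := range found {
		if _, ok := allowed[oid]; ok {
			out = append(out, oid)
		}
	}
	return out, nil
}

// sampleToken is the token body from the report with its placeholders replaced
// by constructed IDs; it is unsigned and not a real NeoFS token.
const sampleToken = `{
  "body": {
    "id": "GA38eKGHSxK6dCrrIcNOCA==",
    "ownerID": {"value": "owner-1"},
    "lifetime": {"exp": "100000000", "nbf": "0", "iat": "0"},
    "sessionKey": "session-key-1",
    "object": {
      "verb": "SEARCH",
      "target": {
        "container": {"value": "cid-1"},
        "objects": [{"value": "oid1"}, {"value": "oid2"}]
      }
    }
  }
}`

func main() {
	// Constructed: the unfiltered result the report says the node returns today.
	nodeResult := []string{"oid1", "oid2", "oid3"}
	got, err := filterSearchResult([]byte(sampleToken), "cid-1", nodeResult)
	fmt.Println(got, err) // [oid1 oid2] <nil>
}
```

The filter is applied to the result set, which is exactly the point @fyrchik raises below: for SEARCH the `target.objects` list can only narrow the output, not the input, so the same effect is reachable with GET on the listed IDs.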


@fyrchik commented on GitHub (Nov 11, 2022):

I see no value in this restriction:

  1. The SEARCH command is used to find _all_ objects with some property. If the set of objects is known beforehand, this can trivially be done with GET.
  2. Even more than that, SEARCH will probably visit _all_ container nodes, but with GET we likely know the precise location of all objects.
  3. We usually use the `target` field for restricting input operations; here we restrict the result, because search has no parameters.

@roman-khimov commented on GitHub (Apr 21, 2023):

Should be documented somewhere.

Reference
nspcc-dev/neofs-spec#36