fix: require signature verification in Snowball extract handler (CVE-2026-40344)#33
…2026-40344)

PutObjectExtractHandler (the X-Amz-Meta-Snowball-Auto-Extract handler) was missing a case for authTypeStreamingUnsignedTrailer in its `switch rAuthType` block. When STREAMING-UNSIGNED-PAYLOAD-TRAILER support was added upstream (PR minio#16484 / commit 76913a9), the new auth type was wired into PutObjectHandler and PutObjectPartHandler but never into the extract handler.

As a result, a request carrying `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, the Snowball auto-extract header, and an Authorization header with a valid access key but a FABRICATED signature fell through the switch (no matching case, no default) with ZERO cryptographic signature verification. isPutActionAllowed, called before the switch, only authorizes the access key against IAM policy and does not verify the request signature, so the tar payload was extracted into the bucket unauthenticated.

This adds the missing `case authTypeStreamingUnsignedTrailer:` mirroring the protected handlers: the body is wrapped in newUnsignedV4ChunkedReader, which verifies the request signature when credentials are present. The hasCreds gate (Authorization header OR X-Amz-Credential query param) matches the post-CVE-2026-41145 form so the query-string credential bypass (Vuln 2) is not reintroduced. The Content-Length / X-Amz-Decoded-Content-Length size-decode guard is also extended to cover the unsigned-trailer auth type, matching PutObjectHandler.

A regression test (TestCVE202640344SnowballExtract in cmd/server_test.go) exercises the full handler over HTTP: a Snowball extract PUT with a fabricated signature is now rejected, while a legitimately signed extract still succeeds and unpacks the tar into the bucket. The test fails without this fix and passes with it.

Refs: GHSA-9c4q-hq6p-c237 / CVE-2026-40344
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Will Cooke <will.cooke@chainguard.dev>
Second-pass review

Did an independent review of this change and it looks sound. Findings:

Root cause confirmed. On
Fix approach is the lowest-risk option. The new case is a faithful mirror of the already-merged
Tests cover the right cases: the fabricated-signature attack (must be rejected) and the legitimate signed extract (must still succeed, with the extracted object present). Good positive and negative coverage.
Within EmeritOSS source-CVE policy: small, contained, no API changes, reuses existing primitives.

LGTM.
Summary
Patches Vulnerability 1 of CVE-2026-40344 (GHSA-9c4q-hq6p-c237) — High, missing signature verification in the Snowball auto-extract handler. No upstream OSS patch (AIStor-only); EmeritOSS best-effort source patch.
The bug

When `authTypeStreamingUnsignedTrailer` support was added upstream (PR minio#16484), it was wired into `PutObjectHandler` and `PutObjectPartHandler` but never into `PutObjectExtractHandler`. That handler's `switch rAuthType` has no `authTypeStreamingUnsignedTrailer` case and no `default`, so a Snowball extract PUT with `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, `X-Amz-Meta-Snowball-Auto-Extract: true`, a valid access key and a fabricated signature falls through with zero signature verification and the tar is extracted into the bucket. `isPutActionAllowed` only checks the access key + IAM, not the signature.

(Vulnerability 2 of this CVE — query-string credential bypass — was already fixed in b94db7d78; this PR is scoped to Vuln 1.)

The fix

Adds the missing `case authTypeStreamingUnsignedTrailer:` to `PutObjectExtractHandler`, wrapping the body in `newUnsignedV4ChunkedReader(r, true, hasCreds)` with the post-CVE-2026-41145 `hasCreds := Authorization || X-Amz-Credential` gate — so unsigned-trailer requests get signature verification and Vuln 2 is not reintroduced. Also extends the `X-Amz-Decoded-Content-Length` size-decode guard to cover `authTypeStreamingUnsignedTrailer` (otherwise the decoded read size would be wrong for aws-chunked unsigned-trailer bodies), matching `PutObjectHandler`.

Change site carries a `CVE-2026-40344` comment.

Scope assessment

Within EmeritOSS best-effort policy: small, contained, mirrors the already-patched sibling handlers, no API change. Should get ProdSec PSIRT review before merge.

Test plan

`TestCVE202640344SnowballExtract` (end-to-end, runs across ErasureSD/Erasure/ErasureSet): attack request with clobbered signature is rejected; legitimate signed request returns 200 and the extracted object reads back correctly. Negative control (fix removed) confirmed the test FAILS, so it genuinely detects the missing verification.

`go build ./cmd/...` + targeted `go test ./cmd/...` pass locally.

Refs: GHSA-9c4q-hq6p-c237 / CVE-2026-40344 · Tracking: chainguard-dev/customer-issues#3598 · Linear OS-2158
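The bug class the commit message and PR description both describe, a dispatch `switch` over an auth-type enum with a missing case and no `default`, reduced to a self-contained Go example. This is added illustration, not code from the PR or from MinIO: the `authType` constant names follow the PR text, but the header classification, the toy HMAC "signature" (a stand-in for SigV4, which canonicalizes far more of the request), the `newExtractRequest` builder and the no-op `extractTar` are all assumptions. The vulnerable handler keeps the exact fallthrough shape (unsigned-trailer requests reach extraction unverified); the fixed handler adds the missing case and, going beyond the PR's minimal change, a `default` that fails closed. In the real handler anonymous PUTs may be permitted by bucket policy, which is why the PR gates verification on `hasCreds` instead of rejecting outright; the fail-closed default here is a design choice for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// authType stands in for the enum a handler dispatches on. The constant names
// follow the PR text; the numeric values and the classification are assumptions.
type authType int

const (
	authTypeUnknown                  authType = iota
	authTypeSigned                            // single-chunk body with a payload hash
	authTypeStreamingSigned                   // STREAMING-AWS4-HMAC-SHA256-PAYLOAD
	authTypeStreamingUnsignedTrailer          // STREAMING-UNSIGNED-PAYLOAD-TRAILER
)

// Constructed secret for the example; a real server resolves it per access key.
var signingKey = []byte("constructed-example-secret")

var errUnauthenticated = errors.New("request not authenticated")

// getRequestAuthType classifies the request from X-Amz-Content-Sha256 (assumed logic).
func getRequestAuthType(r *http.Request) authType {
	if r.Header.Get("Authorization") == "" {
		return authTypeUnknown
	}
	switch r.Header.Get("X-Amz-Content-Sha256") {
	case "STREAMING-AWS4-HMAC-SHA256-PAYLOAD":
		return authTypeStreamingSigned
	case "STREAMING-UNSIGNED-PAYLOAD-TRAILER":
		return authTypeStreamingUnsignedTrailer
	default:
		return authTypeSigned
	}
}

// stringToSign is a toy canonical request covering the fields this example cares about.
func stringToSign(r *http.Request) []byte {
	return []byte(r.Method + "\n" + r.URL.Path + "\n" +
		r.Header.Get("X-Amz-Content-Sha256") + "\n" +
		r.Header.Get("X-Amz-Meta-Snowball-Auto-Extract"))
}

// signRequest sets a SigV4-shaped Authorization header whose Signature is an
// HMAC-SHA256 over stringToSign (toy scheme, not real SigV4 key derivation).
func signRequest(r *http.Request) {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write(stringToSign(r))
	r.Header.Set("Authorization",
		"AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20260101/us-east-1/s3/aws4_request, Signature="+
			hex.EncodeToString(mac.Sum(nil)))
}

// verifySignature recomputes the HMAC and compares in constant time.
func verifySignature(r *http.Request) error {
	auth := r.Header.Get("Authorization")
	i := strings.Index(auth, "Signature=")
	if i < 0 {
		return errUnauthenticated
	}
	got, err := hex.DecodeString(auth[i+len("Signature="):])
	if err != nil {
		return errUnauthenticated
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write(stringToSign(r))
	if subtle.ConstantTimeCompare(got, mac.Sum(nil)) != 1 {
		return errUnauthenticated
	}
	return nil
}

// extractTar stands in for unpacking the tar body into the bucket.
func extractTar(r *http.Request) error { return nil }

// vulnerableExtractHandler has the fallthrough shape the PR describes: no case for
// authTypeStreamingUnsignedTrailer and no default, so that auth type reaches
// extraction with the signature never checked.
func vulnerableExtractHandler(r *http.Request) error {
	switch getRequestAuthType(r) {
	case authTypeSigned, authTypeStreamingSigned:
		if err := verifySignature(r); err != nil {
			return err
		}
	}
	return extractTar(r)
}

// fixedExtractHandler adds the missing case and a fail-closed default for any
// auth type the switch does not explicitly know how to verify.
func fixedExtractHandler(r *http.Request) error {
	switch getRequestAuthType(r) {
	case authTypeSigned, authTypeStreamingSigned, authTypeStreamingUnsignedTrailer:
		if err := verifySignature(r); err != nil {
			return err
		}
	default:
		return errUnauthenticated
	}
	return extractTar(r)
}

// newExtractRequest builds a constructed Snowball auto-extract PUT with an
// unsigned-trailer body; forged=true keeps the access key but clobbers the signature.
func newExtractRequest(forged bool) *http.Request {
	r, _ := http.NewRequest(http.MethodPut, "http://localhost/bucket/archive.tar",
		strings.NewReader("constructed tar bytes"))
	r.Header.Set("X-Amz-Content-Sha256", "STREAMING-UNSIGNED-PAYLOAD-TRAILER")
	r.Header.Set("X-Amz-Meta-Snowball-Auto-Extract", "true")
	signRequest(r)
	if forged {
		auth := r.Header.Get("Authorization")
		i := strings.Index(auth, "Signature=")
		r.Header.Set("Authorization", auth[:i]+"Signature="+strings.Repeat("00", 32))
	}
	return r
}

func main() {
	fmt.Println("vulnerable, forged signature:", vulnerableExtractHandler(newExtractRequest(true)))
	fmt.Println("fixed, forged signature:     ", fixedExtractHandler(newExtractRequest(true)))
	fmt.Println("fixed, genuine signature:    ", fixedExtractHandler(newExtractRequest(false)))
}
```

The check a reviewer would want from this shape is the pair the PR's regression test also uses: the forged request must be rejected and the genuinely signed one must still succeed. A `default` on every auth-type `switch` that sits in front of a write path turns the next missing case into a hard failure in testing rather than an unauthenticated write in production.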