AWS S3 createPresignedPost URL 可以上传任何大小的文件,尽管有限制

AWS S3 createPresignedPost URL can upload file of any size despite limiting it

我正在创建一个预签名 URL 以便前端用户可以上传文件(最大 10MB)这就是我创建它的方式

  const s3Params = {
        Bucket: S3_BUCKET,
        Expires: 30,
        Fields: {
            key: key,
        },
        Conditions: [
            ["eq", "$acl", "public-read"],
            ["eq", "$x-amz-meta-filename", fileName],
            ["content-length-range", 1, 10000000], //10MB
            ["eq", "$x-amz-meta-userid", userid],
        ],
    };

    console.log(s3Params);

    s3.createPresignedPost(s3Params, (err, data) => {
        if (err) {
            console.log(err);
            return cb({success: false, error: err});
        }

        data.fields["x-amz-meta-filename"] = fileName;
        data.fields["x-amz-meta-userid"] = userid;

        const returnData = {
            signedRequest: data,
            url: `https://${S3_BUCKET}.s3.amazonaws.com/${key}`,
        };
        return cb({success: true, data: {returnData}});
    });

在条件中将最大文件大小(内容长度范围)设置为 10MB,但我仍然能够使用生成的预签名 URL 上传 25MB 的文件。我在想这可能与桶政策有关,但我不确定。

这是我的存储桶策略

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::blah.blah/*"
        }
    ]
}

我认为您的条件被简单地忽略了,因为存储桶允许匿名写入(非常糟糕的做法!)。来自 docs:

If you don't provide elements required for authenticated requests, such as the policy element, the request is assumed to be anonymous and will succeed only if you have configured the bucket for public read and write.

当您使用预签名的 url 时,您不应该 您的存储桶 public。