
Amazon S3 presigned url – Invalidate manually or one time upload

I am using S3 to accept direct uploads from the user to S3. Therefore I will be using pre-signed urls.

After successful upload, AWS Lambda will make sure that the file upload is an image, and then the client will tell my server that he has finished uploading.

Then my server will check if that file exists in S3 (if Lambda detects an invalid image, it deletes it). If it does, then the rest of the application logic will follow.

However, there is a loophole in this mechanism. A user can use the same url to upload a malicious file after telling my server that he has finished uploading (and initially passing a valid file).

Lambda will still delete the file, but now my server will think that a file exists whereas it actually does not.

Is there any way to generate a one-time upload pre-signed url, or is it possible to forcefully invalidate a url that was generated but has not yet expired?


Answer

Turning this into an answer…

Once a file is uploaded, have Lambda move it (using the Copy Object API), i.e. from uploads/123.png to received/123.png or something similar.

If a malicious user attempts to re-use the signed URL, it’ll go to uploads/123.png. Worst-case, Lambda checks it again and rejects the new file. Since your server’s looking in received/ instead of uploads/ for files to process, we’ve rendered things safe.

User contributions licensed under: CC BY-SA
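The move from `uploads/` to `received/` described in the answer could look like the Lambda below. This is an added example, not code from the answer: it assumes boto3, the names `promote_upload` and `handler` are hypothetical, the magic-byte test stands in for the real image check, and the overwrite guard and ETag condition go beyond what the answer describes.

```python
import urllib.parse

UPLOAD_PREFIX = "uploads/"     # where the presigned URL writes (from the answer)
RECEIVED_PREFIX = "received/"  # where the server looks (from the answer)
# Assumed stand-in for the question's image check: magic bytes only.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def promote_upload(s3, bucket, key):
    """Move a validated uploads/<name> to received/<name>; return new key or None."""
    if not key.startswith(UPLOAD_PREFIX):
        return None  # e.g. the event fired by our own copy into received/
    dest = RECEIVED_PREFIX + key[len(UPLOAD_PREFIX):]
    obj = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-15")
    is_image = obj["Body"].read().startswith(IMAGE_MAGIC)
    # Addition beyond the answer: never overwrite an accepted file on replay.
    listing = s3.list_objects_v2(Bucket=bucket, Prefix=dest, MaxKeys=1)
    taken = any(o["Key"] == dest for o in listing.get("Contents", []))
    promoted = None
    if is_image and not taken:
        # Copy only the exact bytes that were checked: if the object was
        # replaced after get_object, the ETag differs and S3 refuses the copy.
        s3.copy_object(Bucket=bucket, Key=dest,
                       CopySource={"Bucket": bucket, "Key": key},
                       CopySourceIfMatch=obj["ETag"])
        promoted = dest
    s3.delete_object(Bucket=bucket, Key=key)  # uploads/ never keeps anything
    return promoted


def handler(event, context, s3=None):
    """Lambda entry point for S3 ObjectCreated events."""
    if s3 is None:
        import boto3  # deferred so the logic can be exercised with a stub client
        s3 = boto3.client("s3")
    results = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        results.append(promote_upload(s3, bucket, key))
    return results
```

The presigned URL should grant `PutObject` on the `uploads/` key only, so the client can never write into `received/` directly.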