Bug: contract signatures publicly accessible via MinIO CDN #186

Closed
opened 2026-03-27 00:28:11 +00:00 by forgejo_admin · 2 comments

Type

Bug

Lineage

Standalone — discovered during westside playground asset audit 2026-03-26.
Related story: story:WS-S4 (static assets via public CDN).

Repo

forgejo_admin/pal-e-platform (MinIO bucket policy)

What Broke

The assets bucket in MinIO is publicly accessible via minio-api.tail5b443a.ts.net/assets/. This is intentional for branding, coaches, sponsors images (WS-S4). However, westside/signatures/ contains 13 contract signature images that are also publicly accessible. Anyone with the URL pattern can view signed contract signatures.

Verified: curl -sI "https://minio-api.tail5b443a.ts.net/assets/westside/signatures/108_1774343239303.png" returns HTTP 200.

Repro Steps

  1. Navigate to https://minio-api.tail5b443a.ts.net/assets/westside/signatures/108_1774343239303.png
  2. Observe: signature image loads without any auth

Expected Behavior

Signature images should NOT be publicly accessible. Either:

  • Move signatures to a separate private bucket
  • Or set a bucket policy that denies public access to the westside/signatures/ prefix

Environment

  • Cluster/namespace: minio
  • Service: MinIO with Tailscale funnel (minio-api)
  • Related: PR #132 (MinIO public CDN setup)

File Targets

  • terraform/modules/storage/main.tf:75-86 — MinIO bucket policy resource (public access rules)

Acceptance Criteria

  • curl to any signature URL returns 403 or 404
  • Branding/coaches/sponsors images remain publicly accessible
  • No regression in email image delivery (emails use CDN URLs)
  • westside-contracts can still upload signatures via service account credentials

Related

  • project-westside-basketball
  • arch-deployment-westside-basketball
  • WS-S4 (static assets via public CDN)
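Added example, not code from the pal-e-platform repo: a small evaluator that resolves an S3-style bucket policy the way MinIO and S3 do (an explicit Deny beats every Allow; a request no statement matches is implicitly denied; statement order is irrelevant). It models the current policy the review note describes (s3:GetObject allowed for everyone on arn:aws:s3:::assets/*) and the second fix option from Expected Behavior, a Deny on the westside/signatures/ prefix, then checks the acceptance criteria against constructed object keys. The bucket name, the one signature path and the prefix come from the issue; the branding/coaches/sponsors keys, the service-account ARN and the function names are assumptions made for the example.

```python
"""Added example (not code from the pal-e-platform repo): model the S3-style
bucket policy on the `assets` bucket and check the fix the issue asks for.

S3/MinIO policy evaluation: an explicit Deny beats every Allow, and a request
no statement matches is implicitly denied. Statement order never matters.
"""
import copy
from fnmatch import fnmatchcase

BUCKET = "assets"  # bucket name from the issue; ARN form arn:aws:s3:::assets/*

# Current policy as the review note describes it: s3:GetObject allowed for
# everyone on arn:aws:s3:::assets/*, which is what exposes the signatures.
PUBLIC_READ_ALL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadAll",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def with_private_prefix(policy, prefix):
    """Return a copy of `policy` plus an explicit Deny of s3:GetObject for
    everyone under `prefix` (the second option in Expected Behavior).
    Only GetObject is denied, so a PutObject upload path is not touched."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Sid": "DenyPublicReadPrivatePrefix",  # assumed statement id
        "Effect": "Deny",
        "Principal": {"AWS": ["*"]},
        "Action": ["s3:GetObject"],
        # Trailing "/*" matters: "signatures/*" must not match "signatures-archive/x".
        "Resource": [f"arn:aws:s3:::{BUCKET}/{prefix.strip('/')}/*"],
    })
    return fixed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, who):
    """'*' or {"AWS": "*"} matches anyone; otherwise the caller's ARN must be listed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or who in aws
    return False


def evaluate(policy, action, key, principal="*"):
    """Decide `action` on object `key` for `principal` (default: anonymous).
    Returns "Allow", "ExplicitDeny" or "ImplicitDeny"."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), principal):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # wins regardless of any matching Allow
        decision = "Allow"
    return decision


def audit_public_read(policy, keys):
    """Map each object key to the anonymous GET decision; the acceptance
    criteria want signatures denied and branding/coaches/sponsors allowed."""
    return {key: evaluate(policy, "s3:GetObject", key) for key in keys}


if __name__ == "__main__":
    # Constructed sample keys; only the first path is quoted in the issue.
    sample_keys = [
        "westside/signatures/108_1774343239303.png",
        "westside/branding/logo.png",
        "westside/sponsors/acme.png",
    ]
    fixed = with_private_prefix(PUBLIC_READ_ALL, "westside/signatures/")
    for key, decision in audit_public_read(fixed, sample_keys).items():
        print(f"{decision:13} {key}")
```

The document returned by `with_private_prefix` is the JSON that would replace the policy in the `minio_s3_bucket_policy` resource at terraform/modules/storage/main.tf:75-86 (via `jsonencode`, assuming the provider's `policy` argument takes the policy JSON). The verification is the page's own `curl -sI` check: a signature URL should now answer 403 while a branding URL still answers 200. The evaluator also shows why the last acceptance criterion holds: the added Deny is scoped to s3:GetObject, so it never matches a PutObject from the westside-contracts service account, whose write permission comes from its own policy rather than from the bucket policy. The prefix-boundary case (`signatures-archive/` is not covered by `signatures/*`) is the pitfall that the first option, a separate private bucket, avoids entirely.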
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-415-2026-03-27

Template is complete and file targets verified — root cause confirmed at terraform/modules/storage/main.tf lines 75-86 (minio_s3_bucket_policy.assets_public_read grants s3:GetObject on arn:aws:s3:::assets/*). Blast radius mapped: 25+ CDN URLs in westside-app + pal-e-mail email templates must remain public.

Three items needed before READY:

  • Missing traceability: Add story:WS-S4 label to board item #415 (issue body references WS-S4 but board label is missing)
  • Missing file target: Add explicit file target terraform/modules/storage/main.tf:75-86 to issue body so implementing agent knows where to change
  • Missing acceptance criterion: Add "westside-contracts can still upload signatures via service account credentials" to verify write path is unaffected by the policy change
Author
Owner

Issue body updated per scope review corrections.

Reference
forgejo_admin/pal-e-platform#186