Description
Looking at the documentation examples of the controlled Storage Browser component, I've been wondering if the Storage Browser or something further down the line does any validation on the `value` prop to ensure its fields correspond to the configured storage. I'm specifically considering this in the context of reading the `value` from a URL search param which could be controlled by anyone, such as by sending someone a link where they changed the bucket name, causing someone to inadvertently access and possibly upload to a different bucket than expected.
Given we also have to configure auth to use the Storage Browser, I'd imagine a request to a bucket not related to our configured auth would fail, but I'm not familiar enough with Amplify and AWS to know for certain.
If the `value`'s fields are validated - explicitly or implicitly - that'd probably be a good note to have in the controlled mode docs (unless that's just a given for accessing buckets). If not, then an example in the docs of how to validate fields yourself would be a great addition.
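
One way to do the validation the issue asks about, as an added example that is not from the issue author or the Amplify UI project: treat the search param as untrusted input, check it against an allowlist of the locations the app is configured for, and rebuild the object from validated fields only. The `{ location: { bucket, prefix } }` shape, the `value` parameter name, the bucket name and both function names are assumptions made for illustration; this check is independent of whatever the component or the backend enforces.

```javascript
// Constructed allowlist: the bucket and prefixes this app is configured for.
// (Assumed names; in a real app, derive this from the same config the
// Storage Browser is created with.)
const ALLOWED_LOCATIONS = [
  { bucket: 'example-app-uploads', prefixes: ['public/', 'team/'] },
];

// Validate a candidate object with the assumed shape
// { location: { bucket, prefix } }. Returns a fresh, minimal object on
// success and null on any mismatch, so callers fall back to the default view.
function validateValue(candidate) {
  const loc =
    candidate !== null && typeof candidate === 'object' ? candidate.location : undefined;
  if (loc === null || typeof loc !== 'object') return null;

  const { bucket, prefix } = loc;
  if (typeof bucket !== 'string' || typeof prefix !== 'string') return null;

  // Exact bucket match: no case folding, no partial or suffix matching.
  const allowed = ALLOWED_LOCATIONS.find((entry) => entry.bucket === bucket);
  if (!allowed) return null;

  // The requested prefix must sit under one of the configured prefixes.
  if (!allowed.prefixes.some((p) => prefix.startsWith(p))) return null;

  // Rebuild from validated fields only; any other keys supplied in the
  // link (for example permissions) are dropped rather than passed on.
  return { location: { bucket, prefix } };
}

// Read the assumed `value` search param (JSON-encoded) and validate it.
function parseValueFromSearch(search, paramName = 'value') {
  const raw = new URLSearchParams(search).get(paramName);
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null; // malformed JSON in the link
  }
  return validateValue(parsed);
}
```

Pass the result to the controlled component only when it is non-null; a link with a swapped bucket name then opens the default location instead of the attacker-chosen one.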