From 1bb06e192212a061193da6b65ba440f82dc8635c Mon Sep 17 00:00:00 2001
From: Dan LaManna
Date: Tue, 2 Sep 2025 09:19:28 -0400
Subject: [PATCH] Comprehensively lock down zipstreamer service
---
 zip_streamer/server.go | 17 ++++++++++-------
 zip_streamer/zip_streamer.go | 6 +++---
 2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/zip_streamer/server.go b/zip_streamer/server.go
index 6d8abc7..df8cf31 100644
--- a/zip_streamer/server.go
+++ b/zip_streamer/server.go
@@ -41,10 +41,15 @@ func NewServer() *Server {
 	sentryHandler := sentryhttp.New(sentryhttp.Options{})
-	r.HandleFunc("/download", server.HandlePostDownload).Methods("POST")
+	//r.HandleFunc("/download", server.HandlePostDownload).Methods("POST")
+	//r.HandleFunc("/create_download_link", server.HandleCreateLink).Methods("POST")
+	//r.HandleFunc("/download_link/{link_id}", server.HandleDownloadLink).Methods("GET")
+	/*
+	NOTE: Given that the zipstreamer server has unlimited access to private data, we have to disable every endpoint
+	that could allow users with the correct URLs to private data to exfiltrate it through the zipstreamer service.
+	This also includes modifying the server.HandleGetDownload such that it *only* supports listfile IDs, and not URLs.
+	*/
 	r.HandleFunc("/download", sentryHandler.HandleFunc(server.HandleGetDownload)).Methods("GET")
-	r.HandleFunc("/create_download_link", server.HandleCreateLink).Methods("POST")
-	r.HandleFunc("/download_link/{link_id}", server.HandleDownloadLink).Methods("GET")
 	return &server
 }
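Review bot: The three disabled routes are kept as commented-out `//r.HandleFunc(...)` lines rather than deleted, so `HandlePostDownload` (still present as the context of the next hunk) and, presumably, `HandleCreateLink` and `HandleDownloadLink` stay compiled into the binary, and a single uncommented line would re-expose the URL-fetching paths this commit is closing. Delete the three commented registrations and the now-unreachable handler functions (git history keeps them), and keep only the explanatory comment, which reads better as a `//` block directly above the remaining `r.HandleFunc` line. A small test that builds the router and asserts `POST /download`, `POST /create_download_link` and `GET /download_link/x` no longer route to a handler would make the lockdown an enforced invariant instead of a comment. The enclosing `NewServer` function starts before the hunk.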
@@ -102,11 +107,9 @@ func (s *Server) HandlePostDownload(w http.ResponseWriter, req *http.Request) {
 func (s *Server) HandleGetDownload(w http.ResponseWriter, req *http.Request) {
 	params := req.URL.Query()
-	listfileUrl := params.Get("zsurl")
 	listFileId := params.Get("zsid")
-	if listfileUrl == "" && s.ListfileUrlPrefix != "" && listFileId != "" {
-		listfileUrl = s.ListfileUrlPrefix + listFileId
-	}
+	listfileUrl := s.ListfileUrlPrefix + listFileId
+
 	if listfileUrl == "" {
 		w.WriteHeader(http.StatusBadRequest)
 		w.Write([]byte(`{"status":"error","error":"invalid parameters"}`))
diff --git a/zip_streamer/zip_streamer.go b/zip_streamer/zip_streamer.go
index 20cb35d..e5c0940 100644
--- a/zip_streamer/zip_streamer.go
+++ b/zip_streamer/zip_streamer.go
@@ -61,7 +61,7 @@ func getS3Object(urlStr string) (*http.Response, error) {
 	// Extract bucket name from hostname (bucket.s3.region.amazonaws.com format)
 	host := parsedURL.Host
 	key := strings.TrimPrefix(parsedURL.Path, "/")
-
+
 	parts := strings.Split(host, ".")
 	bucket := parts[0]
@@ -73,7 +73,7 @@ func getS3Object(urlStr string) (*http.Response, error) {
 	if region == "" {
 		region = "us-east-1"
 	}
-
+
 	cfg, err := config.LoadDefaultConfig(context.TODO(),
 		config.WithRegion(region),
 	)
@@ -116,7 +116,7 @@ func retryableGet(urlStr string) (*http.Response, error) {
 	sleepDuration = time.Duration(math.Min(math.Pow(float64(2), float64(i)), float64(30))) * time.Second
 	var resp *http.Response
-
+
 	if isS3URL {
 		resp, err = getS3Object(urlStr)
 	} else {
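Review bot: `listfileUrl := s.ListfileUrlPrefix + listFileId` followed by `if listfileUrl == ""` only rejects the case where both parts are empty, so with an unset `ListfileUrlPrefix` the `zsid` value itself becomes the URL that is fetched — the very behaviour the removed `zsurl` branch was meant to eliminate — and with a prefix configured the id is appended unvalidated, so an id containing `/`, `..`, `?` or `#` can address a path or query outside the intended listfile location. Reject an empty prefix and an empty id explicitly, and validate the id against a strict allowlist before concatenating, e.g. a package-level `var listfileIDPattern = regexp.MustCompile("^[A-Za-z0-9_-]+$")` (importing `regexp`), with the pattern tightened to whatever id format the upstream service actually issues. Failing fast in `NewServer` when `ListfileUrlPrefix` is empty would also remove the unconfigured case at startup rather than per request. The body of `HandleGetDownload` continues past the end of the hunk.
```go
	listFileId := params.Get("zsid")
	// Build a fetch URL only when a prefix is configured and the id is a plain
	// identifier; otherwise zsid could carry a whole URL or a path/query segment
	// that escapes the configured listfile location.
	if s.ListfileUrlPrefix == "" || !listfileIDPattern.MatchString(listFileId) {
		w.WriteHeader(http.StatusBadRequest)
		w.Write([]byte(`{"status":"error","error":"invalid parameters"}`))
		return
	}
	listfileUrl := s.ListfileUrlPrefix + listFileId
	// … unchanged: remainder of HandleGetDownload …
```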