Skip to content

feat(large-messages): add optional allowedBuckets allowlist#2555

Open
phipag wants to merge 2 commits into
mainfrom
feat/large-messages-allowed-buckets
Open

feat(large-messages): add optional allowedBuckets allowlist#2555
phipag wants to merge 2 commits into
mainfrom
feat/large-messages-allowed-buckets

Conversation

@phipag

@phipag phipag commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Changes

Please provide a summary of what's being changed

Adds an opt-in bucket allowlist to the v2 large messages utility. The S3 bucket in the large-message pointer is supplied by the message sender, so this gives consumers fine-grained, in-application control over which buckets the utility reads from and deletes, complementing plain IAM permissions with a defense-in-depth layer that lives next to their handler configuration.

Configure it through the existing LargeMessageConfig singleton:

LargeMessageConfig.init().withAllowedBuckets(Set.of("my-offload-bucket"));

When a non-empty allowlist is configured, the utility rejects any message whose pointer names a bucket outside the allowlist by throwing LargeMessageProcessingException before any S3 read or delete. An empty allowlist (the default) applies no restriction, so the change is fully backward compatible. It works for both the @LargeMessage annotation and the functional LargeMessages.processLargeMessage(...) API.

Details:

  • LargeMessageConfig.withAllowedBuckets(Set<String>) / getAllowedBuckets(), with the test-only reset clearing it.
  • LargeMessageProcessor validates the pointer's bucket against the allowlist before fetching/deleting.
  • Unit tests covering config behavior plus the annotation and functional paths (match processes; mismatch throws and never touches S3).
  • A new largemessage-restricted e2e handler and a negative e2e test asserting an offloaded message from a non-allowlisted bucket is neither processed nor deleted.
  • Docs: a security note that the bucket is sender-controlled, a resource-scoped IAM example, and allowedBuckets usage for both APIs.

Please add the issue number below, if no issue is present the PR might get blocked and not be reviewed

Issue number: #2554


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Add an opt-in bucket allowlist to the v2 large messages utility. The
S3 bucket in the message pointer is controlled by the sender, so this
gives consumers fine-grained, in-application control over which buckets
the utility may read from and delete, complementing IAM permissions.

Configure via LargeMessageConfig.withAllowedBuckets(Set). When a
non-empty allowlist is set, a message whose pointer names a bucket
outside the allowlist is rejected with LargeMessageProcessingException
before any S3 interaction. An empty allowlist (default) preserves the
existing behavior, so the change is backward compatible and applies to
both the @LargeMessage annotation and the functional API.

Includes unit tests, an e2e handler and negative e2e test, and docs
with a security note, resource-scoped IAM example, and usage examples.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:

  • ❌ 1 vulnerable package(s)
  • ❌ 1 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 48 package(s) with unknown licenses.
  • ⚠️ 3 packages with OpenSSF Scorecard issues.

View full job summary

@phipag phipag linked an issue Jun 30, 2026 that may be closed by this pull request
Avoid exposing the internal set reference (SpotBugs EI_EXPOSE_REP).
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Maintenance: Add optional bucket allowlist to large messages utility

1 participant