[feature]: uploads to s3 bucket should be private

[dylanvaughn]

Is there an existing issue for this?

• I have searched the existing issues

Summary

While testing the current self-hosted installation, using the AWS S3 integration, I noticed that all uploaded files in the application were set as publicly readable. This means that attachments on an issue could be viewed by anyone if they had the URL.

Instead, if S3 integration is enabled, the objects should be private, and there should be a method in the application to authenticate the request for an asset (i.e. the logged in user has access to the issue the asset is attached to, for example), and then stream the object from S3.

Why should this be worked on?

This would improve the security posture of the application. Currently I think it is too risky to use the s3 integration if all files are marked as publicly readable. If there is a configuration option I am missing here to make the s3 objects private please let me know :).

[sriramveeraghanta]

Hello @dylanvaughn ,

We are working on making these assets private, but the problem is migrating the existing data safely. We are working on a few solutions to make this a smooth transition. We will keep you posted soon.

[Huy-Nhan]

I hope the function to use s3 private will come out soon.

[pushya22]

Hi @Huy-Nhan, Yes we are working towards releasing this out as soon as possible.

[akumar-99]

Do we have any updates or ETA on this? 🤔

[vihar]

We understand the security concerns regarding this issue, and we’re happy to report that all our storage now is on private S3 on our Cloud environments. Thank you for your patience.

[leedsjb]

Thanks @vihar . Will this come to self-hosted as well? I believe this issue is for self-hosted. #5145 is for cloud.

[sriramveeraghanta]

We will be shipping this to self-hosted instances in the upcoming release v0.24.0