`OperationBlobSASPermission` not requiring "r" permission for a number of operations

[qc00]

Which service(blob, file, queue, table) does this issue concern?

blob (but others might also be wrong)

Which version of the Azurite was used?

master

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What's the Node.js version?

irrelevant

What problem was encountered?

Per Azure docs calling GET on a container requires the SAS token to have "r" permission; however, Azurite code does not enforce that:

Azurite/src/blob/authentication/OperationBlobSASPermission.ts

Lines 62 to 69 in caa3429

	OPERATION_BLOB_SAS_BLOB_PERMISSIONS.set(
	Operation.Container_GetProperties,
	new OperationBlobSASPermission()
	);
	OPERATION_BLOB_SAS_BLOB_PERMISSIONS.set(
	Operation.Container_GetPropertiesWithHead,
	new OperationBlobSASPermission()
	);

In fact, it's not enforcing the permission for a lot of operations.

Steps to reproduce the issue?

Have you found a mitigation/solution?

Patching the source code.

[blueww]

@qc00

It looks this issue related with the code change in 4209080.
The above code you mentioned is for blob SAS, and Blob SAS is not allowed to do container Get properties (container SAS also not allowed, only account sas allowed, see link1, link2), so there are no permission set, which mean this operation is not allowed with blob SAS.
However, with the above code change, the operation without permission will pass authentication validation. We will check this and see how to fix it.

[blueww]

This issue is already fixed by #2305.
Close as the fix is already released in 3.28.0.