Receive 403 Forbidden when perform GetObjectMetadata if the object's key has leading dot (.) character

[congthanhnguyenOL]

Describe the bug

When getting object metadata using GetObjectMetadata, if the object's key contains leading dot (.) character, for example, ./test.txt as illustrated in this minimal test case

then the result would be a 403 Forbbiden exception.

Stack trace

"C:\Program Files\JetBrains\JetBrains Rider 2022.3.2\plugins\dpa\DotFiles\JetBrains.DPA.Runner.exe" --handle=22840 --backend-pid=29480 --etw-collect-flags=58720014 --detach-event-name=dpa.detach.22840 C:/Users/congthanh.nguyen/Downloads/ConsoleApp1/ConsoleApp1/bin/Debug/net6.0/ConsoleApp1.exe
Unhandled exception. Amazon.S3.AmazonS3Exception: Error making request with Error Code Forbidden and Http Status Code Forbidden. No further error information was returned by the service.
 ---> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.
   at Amazon.Runtime.HttpWebRequestMessage.ProcessHttpResponseMessage(HttpResponseMessage responseMessage)
   at Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken)
   at Amazon.Runtime.Internal.HttpHandler`1.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RedirectHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.S3.Internal.AmazonS3ResponseHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
   --- End of inner exception stack trace ---
   at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionStream(IRequestContext requestContext, IWebResponseData httpErrorResponse, HttpErrorResponseException exception, Stream responseStream)
   at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionAsync(IExecutionContext executionContext, HttpErrorResponseException exception)
   at Amazon.Runtime.Internal.ExceptionHandler`1.HandleAsync(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.ProcessExceptionAsync(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.Signer.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.S3.Internal.S3Express.S3ExpressPreSigner.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.S3.Internal.AmazonS3ExceptionHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Program.<Main>$(String[] args) in C:\Users\congthanh.nguyen\Downloads\ConsoleApp1\ConsoleApp1\Program.cs:line 5
   at Program.<Main>(String[] args)

Expected Behavior

The object ./test.txt exists, so it is expected that the operation return its metadata correctly given that the credentials are correct.

One thing to note is that aws s3api head-object can get this information with no problem

Current Behavior

403 Forbidden is thrown

Reproduction Steps

Step 1:

Use aws CloudShell to create a dummy file with a dot in the beginning of its key as illustrated below

Step 2:

Invoke GetObjectMetadata

Step 3:

Observe the exception

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.S3 3.7.205.21

Targeted .NET Platform

.NET 6.0

Operating System and version

Windows 10

[dscpinheiro]

Before we added support for .NET 8 (starting in versions 3.7.300.0 of the service packages), the S3 client would try to canonicalize the resource path (breaking scenarios like this and foo/../bar.txt).

This problem doesn't happen in the latest version of the S3 package, but you will need to update your application to target .NET 8 as well. Here's the changelog entry for when we fixed this problem: https://github.com/aws/aws-sdk-net/blob/main/changelogs/SDK.CHANGELOG.2023.md#376830-2023-11-10-0208-utc

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.