Missing Admin Auth on Notification Target Endpoints in RustFS

Finding Summary

All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any admin-action authorization via validate_admin_request. Every other admin handler in the codebase correctly calls validate_admin_request with a specific AdminAction. This is the only admin handler file that skips authorization.

A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion.

What Was Proven Live

1. Authorization bypass on all four endpoints (03_readonly_user_bypass.py)

   • PUT, GET list, GET arns, DELETE all return 200 for readonly-user
   • Control routes (list-users, kms/status) correctly return 403
   • Unauthenticated requests correctly rejected (403 Signature required)

2. SSRF via health probe (04_ssrf_listener_landing.py)

   • HEAD request from rustfs container to attacker-controlled listener
   • No host validation: only scheme check (http/https)

3. Target hijacking and event exfiltration (05_target_hijacking.py, 06_full_event_exfil.py)

   • Readonly-user overwrites admin-configured target URL by name
   • Subsequent S3 events delivered to attacker-controlled endpoint
   • Captured event body includes object keys, bucket names, user identities, and request metadata

4. Audit evasion (05_target_hijacking.py)

   • Readonly-user can delete unbound targets
   • Readonly-user can overwrite bound targets (silently redirecting events)

Escalation Vectors Tested But Not Viable

1. Self-referencing webhook to admin API (13_self_referencing_test.py)
   • Webhook sends unsigned POST with event JSON body
   • Admin endpoints require SigV4 auth -- unsigned...