Merge pull request #2852 from RanVaknin/signature-header-parsing-fix
patching GetSignedRequestSignature to cover edge cases with the signature
RanVaknin authored Oct 28, 2024
2 parents e058903 + 803614d commit b65b80a
Showing 5 changed files with 67 additions and 1 deletion.
Binary file added .DS_Store
Binary file not shown.
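Review bot: `.DS_Store` is macOS Finder metadata and looks unrelated to the signature-parsing fix named in the commit title; the same applies to `service/.DS_Store` further down in this commit. These files record the names of entries in the directory where they were created, so publishing them can disclose local file names that were never meant to be in the repository. I would drop both files from the change and add a `.DS_Store` line to `.gitignore` so they cannot be re-added by accident.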
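--- a/.changelog/f63b26b19e2e4330b4240f38088453ea.json
+++ b/.changelog/f63b26b19e2e4330b4240f38088453ea.json
@@ -0,0 +1,8 @@
+{
+"id": "f63b26b1-9e2e-4330-b424-0f38088453ea",
+"type": "bugfix",
+"description": "Improve handling of whitespace (or lack thereof) in sigv4 GetSignedRequestSignature.",
+"modules": [
+"."
+]
+}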
3 changes: 2 additions & 1 deletion aws/signer/v4/middleware.go
Expand Up @@ -372,8 +372,9 @@ func GetSignedRequestSignature(r *http.Request) ([]byte, error) {
const authHeaderSignatureElem = "Signature="

if auth := r.Header.Get(authorizationHeader); len(auth) != 0 {
ps := strings.Split(auth, ", ")
ps := strings.Split(auth, ",")
for _, p := range ps {
p = strings.TrimSpace(p)
if idx := strings.Index(p, authHeaderSignatureElem); idx >= 0 {
sig := p[len(authHeaderSignatureElem):]
if len(sig) == 0 {
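Review bot: The `strings.Index` check accepts `Signature=` at any offset in `p`, but the following line slices with `p[len(authHeaderSignatureElem):]`, which is only correct when `idx` is 0. With the new `TrimSpace` the usual case lines up, but an element that carries other text before the key (the first element still has the algorithm token in front of it) would produce a value with leading junk instead of a clean match or a clean rejection. Either slice from the match, `sig := p[idx+len(authHeaderSignatureElem):]`, or require the key at the start with `if strings.HasPrefix(p, authHeaderSignatureElem) {`; for a header parser that feeds signature handling, the stricter prefix form is the safer default. The function body continues past the end of this hunk, so what happens to `sig` afterwards is not visible here.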
57 changes: 57 additions & 0 deletions aws/signer/v4/middleware_test.go
Expand Up @@ -3,6 +3,7 @@ package v4
import (
"bytes"
"context"
"encoding/hex"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -372,6 +373,62 @@ func TestUseDynamicPayloadSigningMiddleware(t *testing.T) {
}
}

func TestGetSignedRequestSignature(t *testing.T) {
testCases := map[string]struct {
authHeader string
expectedSig string
expectedErrMsg string
}{
"Valid signature": {
authHeader: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
expectedSig: "fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
},
"Whitespace after Signature": {
authHeader: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024 ",
expectedSig: "fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
},
"Whitespaces before Signature": {
authHeader: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024 ",
expectedSig: "fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
},
"Empty signature": {
authHeader: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=",
expectedErrMsg: "invalid request signature authorization header",
},
"Missing signature": {
authHeader: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date",
expectedErrMsg: "request not signed",
},
}

for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
r, err := http.NewRequest("GET", "/", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
r.Header.Set("Authorization", tc.authHeader)

sig, err := GetSignedRequestSignature(r)

if tc.expectedErrMsg != "" {
if err == nil {
t.Errorf("Expected error with message '%s', but got no error", tc.expectedErrMsg)
} else if err.Error() != tc.expectedErrMsg {
t.Errorf("Expected error message '%s', but got '%s'", tc.expectedErrMsg, err.Error())
}
} else {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if hex.EncodeToString(sig) != tc.expectedSig {
t.Errorf("Expected signature '%s', but got '%s'", tc.expectedSig, hex.EncodeToString(sig))
}
}
})
}
}

type nonSeeker struct{}

func (nonSeeker) Read(p []byte) (n int, err error) {
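Review bot: No entry in `testCases` covers a header without a space after the commas, which is the case the changelog entry describes as "lack thereof"; every `authHeader` shown separates its elements with `", "`. I would add an entry such as `"No whitespace after commas"` whose header has the form `...aws4_request,SignedHeaders=host;x-amz-date,Signature=<hex>` and expects the same signature. As rendered on this page the "Whitespaces before Signature" header is identical to the "Whitespace after Signature" one; if that is not a display artefact, the leading-whitespace case is not pinned either. A short comment above the table stating which separator forms the parser is meant to tolerate would help the next maintainer keep the cases in step with the code.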
Binary file added service/.DS_Store
Binary file not shown.
