From 399d62be0fe606cdadb5c27e7d8dd95249902a28 Mon Sep 17 00:00:00 2001
From: Josh Wood
Date: Wed, 11 Aug 2021 14:09:30 +0800
Subject: [PATCH] Do not Escape HTML when encoding the policy
---
 feature/cloudfront/sign/policy.go | 8 ++++---
 feature/cloudfront/sign/policy_test.go | 29 ++++++++++++++++++++++++
 feature/cloudfront/sign/sign_url_test.go | 8 +++++++
 3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/feature/cloudfront/sign/policy.go b/feature/cloudfront/sign/policy.go
index f780ed5110c..e38a66bc54e 100644
--- a/feature/cloudfront/sign/policy.go
+++ b/feature/cloudfront/sign/policy.go
@@ -182,11 +182,13 @@ func NewCannedPolicy(resource string, expires time.Time) *Policy {
 // encodePolicy encodes the Policy as JSON and also base 64 encodes it.
 func encodePolicy(p *Policy) (b64Policy, jsonPolicy []byte, err error) {
- jsonPolicy, err = json.Marshal(p)
- if err != nil {
+ buffer := &bytes.Buffer{}
+ encoder := json.NewEncoder(buffer)
+ encoder.SetEscapeHTML(false)
+ if err := encoder.Encode(p); err != nil {
 return nil, nil, fmt.Errorf("failed to encode policy, %s", err.Error())
 }
-
+ jsonPolicy = buffer.Bytes()
 // Remove leading and trailing white space, JSON encoding will note include
 // whitespace within the encoding.
 jsonPolicy = bytes.TrimSpace(jsonPolicy)
diff --git a/feature/cloudfront/sign/policy_test.go b/feature/cloudfront/sign/policy_test.go
index 4273c242e18..fe2d0282395 100644
--- a/feature/cloudfront/sign/policy_test.go
+++ b/feature/cloudfront/sign/policy_test.go
@@ -49,6 +49,10 @@ var testCreateResource = []struct {
 expect string
 errPrefix string
 }{
+ {
+ "https", "https://example.com/a?b=1&c=2",
+ "https://example.com/a?b=1&c=2", "",
+ },
 {
 "https", "https://example.com/a?b=1",
 "https://example.com/a?b=1", "",
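Review bot: In `encodePolicy` (policy.go), the `bytes.TrimSpace` call at the end of the hunk is now load-bearing, because `Encoder.Encode` writes a newline after the JSON value where `json.Marshal` did not, yet the context comment above it still reads as a generic cleanup (and carries the typo "note"). These bytes are what gets base64-encoded and, judging by TestSignEncodedPolicy, signed, so I would reword the comment to `// Encoder.Encode appends a trailing newline; trim it so the signed and base64-encoded bytes are exactly the policy document.` Separately, `if err := encoder.Encode(p); err != nil` shadows the named result `err`; the explicit return makes it harmless, but `if err = encoder.Encode(p); err != nil` avoids the shadow. With escaping off, `jsonPolicy` can carry raw `&`, `<` and `>`, so a doc line on `encodePolicy` stating that the output is meant for signing and must be escaped by any caller that embeds it in markup would help. The function body continues past the end of the hunk.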
@@ -61,6 +65,10 @@ var testCreateResource = []struct {
 "rtmp", "https://example.com/a?b=1",
 "a?b=1", "",
 },
+ {
+ "rtmp", "https://example.com/a?b=1&c=2",
+ "a?b=1&c=2", "",
+ },
 {
 "ftp", "ftp://example.com/a?b=1",
 "", "invalid URL scheme",
@@ -112,6 +120,27 @@ func TestEncodePolicy(t *testing.T) {
 }
 }
+func TestEncodePolicyWithQueryParams(t *testing.T) {
+ const (
+ expectedJSONPolicy = `{"Statement":[{"Resource":"https://example.com/a?b=1&c=2","Condition":{"DateLessThan":{"AWS:EpochTime":1257894000}}}]}`
+ expectedB64Policy = `eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9hP2I9MSZjPTIiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ==`
+ )
+ p := NewCannedPolicy("https://example.com/a?b=1&c=2", testTime)
+
+ b64Policy, jsonPolicy, err := encodePolicy(p)
+ if err != nil {
+ t.Fatalf("Unexpected error, %#v", err)
+ }
+
+ if string(jsonPolicy) != expectedJSONPolicy {
+ t.Errorf("Expected json encoding to match, \nexpect: %s\nactual: %s\n", expectedJSONPolicy, jsonPolicy)
+ }
+
+ if string(b64Policy) != expectedB64Policy {
+ t.Errorf("Expected b64 encoding to match, \nexpect: %s\nactual: %s\n", expectedB64Policy, b64Policy)
+ }
+}
+
 func TestSignEncodedPolicy(t *testing.T) {
 p := NewCannedPolicy("https://example.com/a", testTime)
 _, jsonPolicy, err := encodePolicy(p)
diff --git a/feature/cloudfront/sign/sign_url_test.go b/feature/cloudfront/sign/sign_url_test.go
index cc8702c01fa..46f8d73da3b 100644
--- a/feature/cloudfront/sign/sign_url_test.go
+++ b/feature/cloudfront/sign/sign_url_test.go
@@ -22,6 +22,10 @@ var testSignURL = []struct {
 "http://example.com/a", NewCannedPolicy("http://example.com/a", testSignTime), time.Time{}, true, false,
 "http://example.com/a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL2EiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=cMutWOvPMOPuh0KFDsOdbML~1fe0eEBC1hdMLGRbYr3mTRrVbKDdUXL6l3vlbE0Og3rTRS6mlaSORTwesN1srESH1pXFUyCVba8tWqNy1frEiL7jZLyzA1KndH0olfJDfgHXdw-Edtk0m8mqY~AnGIYGYDu659dWeP49jVeYn30XF9sYkRCdS5IezAkqh8TO9tTDNGS4Ic6DQue4agHUFLNv1VErTafUxlSBp8hlPCuMdtZLEBLr9UJVc3oWJI3zc1~9JgVTDjbXYV1-HgTn8qQsbAU2KcieUonIzTme2td-7c2FCC0EAbOF~6QXTHWcAiSB5nVmbxn-Mx-QMVsiLw__&Key-Pair-Id=KeyID",
 },
+ {
+ "https://example.com/a?b=1&c=2", NewCannedPolicy("https://example.com/a?b=1&c=2", testSignTime), time.Time{}, true, false,
+ "https://example.com/a?b=1&c=2&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9hP2I9MSZjPTIiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=E6xB7RtIDvx8AxM1Wuup3ROYTQwBDW-qqcrb8lSUvtL78wenjh3P0YLXK-mFK0PSzdNtzI2ZIXja6Nh2yma0IVQiZMjn3wijvVsMy9fRXyusVXB1zYSfiInVr2uhqSb-ZCn1RD32ebyMD6IWn5Kss1fT4wefc8Q76J0Y4jprAvmLCtGnrW~quZdOg~KKmY-qK11ifNwv2ECADBxZeEx1PIDHdWuXYrCBJIwSl-bVscwQWDm2BzeYuHCaLuAVDuc62JJzc7nX3E1CA1VRHY~vegYjOV6zVxtp7aBV4RJUY4yfHNM4n640FXUPPwMacqE-lnNOfx704YVTl4tjzuvzuA__&Key-Pair-Id=KeyID",
+ },
 {
 "http://example.com/a", nil, testSignTime, false, false,
 "http://example.com/a?Expires=1257894000&Signature=cMutWOvPMOPuh0KFDsOdbML~1fe0eEBC1hdMLGRbYr3mTRrVbKDdUXL6l3vlbE0Og3rTRS6mlaSORTwesN1srESH1pXFUyCVba8tWqNy1frEiL7jZLyzA1KndH0olfJDfgHXdw-Edtk0m8mqY~AnGIYGYDu659dWeP49jVeYn30XF9sYkRCdS5IezAkqh8TO9tTDNGS4Ic6DQue4agHUFLNv1VErTafUxlSBp8hlPCuMdtZLEBLr9UJVc3oWJI3zc1~9JgVTDjbXYV1-HgTn8qQsbAU2KcieUonIzTme2td-7c2FCC0EAbOF~6QXTHWcAiSB5nVmbxn-Mx-QMVsiLw__&Key-Pair-Id=KeyID",
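Review bot: The added `testSignURL` row covers only the `Policy=` form for a URL containing `&`; there is no matching row for the `Expires=` form shown in the following context row (`nil, testSignTime, false, false`). If that form also signs a policy built from the URL, which the rows suggest but the hunk does not show, its signature changes with this fix as well and deserves a pinned expectation. I would add a row beginning `"https://example.com/a?b=1&c=2", nil, testSignTime, false, false,` with the expected URL regenerated from the test key. The table literal starts and ends outside the hunk.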
@@ -97,6 +101,10 @@ var testBuildSignedURL = []struct {
 "https://example.com/a", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
 "https://example.com/a?Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
 },
+ {
+ "https://example.com/a?b=1&c=2", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
+ "https://example.com/a?b=1&c=2&Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
+ },
 {
 "https://example.com/a?b=1", "KeyID", NewCannedPolicy("https://example.com/a?b=1", testSignTime), false, []byte("b64Policy"), []byte("b64Sig"),
 "https://example.com/a?b=1&Expires=1257894000&Signature=b64Sig&Key-Pair-Id=KeyID",