@uppy/aws-s3-multipart: Escape more special chars in path and less ch…

…ars in query on self-signing request. Thanks to review from @aduh95
transloadit · Mar 19, 2024 · 3ab6024 · 3ab6024
1 parent 0a61ffe
commit 3ab6024
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 39 deletions.
diff --git a/packages/@uppy/aws-s3-multipart/src/createSignedURL.js b/packages/@uppy/aws-s3-multipart/src/createSignedURL.js
@@ -76,28 +76,8 @@ async function hash (key, data) {
   return subtle.sign(algorithm, await generateHmacKey(key), ec.encode(data))
 }
 
-/**
- * @see
- *   https://github.com/smithy-lang/smithy-typescript/blob/main/packages/smithy-client/src/extended-encode-uri-component.ts
- */
-function extendedEncodeURIComponent(str) {
-  return encodeURIComponent(str).replace(/[!'()*]/g, (c) =>
-    `%${c.charCodeAt(0).toString(16).toUpperCase()}`
-  )
-}
-
-class Query {
-  #params = []
-
-  append(key, value) {
-    this.#params.push([key, value])
-  }
-
-  toString() {
-    return this.#params
-      .map(([key, value]) => `${extendedEncodeURIComponent(key)}=${extendedEncodeURIComponent(value)}`)
-      .join('&')
-  }
+function percentEncode(c) {
+  return `%${c.charCodeAt(0).toString(16).toUpperCase()}`
 }
 
 /**
@@ -114,32 +94,38 @@ export default async function createSignedURL ({
 }) {
   const Service = 's3'
   const host = `${bucketName}.${Service}.${Region}.amazonaws.com`
-  const CanonicalUri = `/${Key.split('/').map(extendedEncodeURIComponent).join('/')}`
+  /**
+   * List of char out of `encodeURI()` is taken from ECMAScript spec
+   *
+   * @see https://tc39.es/ecma262/#sec-encodeuri-uri
+   */
+  const CanonicalUri = `/${encodeURI(Key).replace(/[;?:@&=+$,#!'()*]/g, percentEncode)}`
+  console.log(CanonicalUri)
   const payload = 'UNSIGNED-PAYLOAD'
 
   const requestDateTime = new Date().toISOString().replace(/[-:]|\.\d+/g, '') // YYYYMMDDTHHMMSSZ
   const date = requestDateTime.slice(0, 8) // YYYYMMDD
   const scope = `${date}/${Region}/${Service}/aws4_request`
 
-  const query = new Query();
+  const url = new URL(`https://${host}${CanonicalUri}`)
   // N.B.: URL search params needs to be added in the ASCII order
-  query.append('X-Amz-Algorithm', 'AWS4-HMAC-SHA256')
-  query.append('X-Amz-Content-Sha256', payload)
-  query.append('X-Amz-Credential', `${accountKey}/${scope}`)
-  query.append('X-Amz-Date', requestDateTime)
-  query.append('X-Amz-Expires', expires)
+  url.searchParams.set('X-Amz-Algorithm', 'AWS4-HMAC-SHA256')
+  url.searchParams.set('X-Amz-Content-Sha256', payload)
+  url.searchParams.set('X-Amz-Credential', `${accountKey}/${scope}`)
+  url.searchParams.set('X-Amz-Date', requestDateTime)
+  url.searchParams.set('X-Amz-Expires', expires)
   // We are signing on the client, so we expect there's going to be a session token:
-  query.append('X-Amz-Security-Token', sessionToken)
-  query.append('X-Amz-SignedHeaders', 'host')
+  url.searchParams.set('X-Amz-Security-Token', sessionToken)
+  url.searchParams.set('X-Amz-SignedHeaders', 'host')
   // Those two are present only for Multipart Uploads:
-  if (partNumber) query.append('partNumber', partNumber)
-  if (uploadId) query.append('uploadId', uploadId)
-  query.append('x-id', partNumber && uploadId ? 'UploadPart' : 'PutObject')
+  if (partNumber) url.searchParams.set('partNumber', partNumber)
+  if (uploadId) url.searchParams.set('uploadId', uploadId)
+  url.searchParams.set('x-id', partNumber && uploadId ? 'UploadPart' : 'PutObject')
 
   // Step 1: Create a canonical request
   const canonical = createCanonicalRequest({
     CanonicalUri,
-    CanonicalQueryString: query.toString(),
+    CanonicalQueryString: url.search.slice(1),
     SignedHeaders: {
       host,
     },
@@ -165,7 +151,7 @@ export default async function createSignedURL ({
   const signature = arrayBufferToHexString(await hash(kSigning, stringToSign))
 
   // Step 5: Add the signature to the request
-  query.append('X-Amz-Signature', signature)
+  url.searchParams.set('X-Amz-Signature', signature)
 
-  return new URL(`https://${host}${CanonicalUri}?${query.toString()}`)
+  return url;
 }
diff --git a/packages/@uppy/aws-s3-multipart/src/createSignedURL.test.js b/packages/@uppy/aws-s3-multipart/src/createSignedURL.test.js
@@ -79,8 +79,10 @@ describe('createSignedURL', () => {
   it('should escape path and query as restricted to RFC 3986', async () => {
     const client = new S3Client(s3ClientOptions)
     const partNumber = 99
-    const uploadId = 'Upload!\'()*Id'
-    const Key = '!\'()*/!\'()*.ext'
+    const specialChars = ';?:@&=+$,#!\'()'
+    const uploadId = `Upload${specialChars}Id`
+    // '.*' chars of path should be encoded
+    const Key = `${specialChars}.*/${specialChars}.*.ext`
     const implResult =
       await createSignedURL({
         accountKey: s3ClientOptions.credentials.accessKeyId,