Skip to content

fix(storage): SignedURL v4 allows headers with colons in value#7543

Merged
BrennaEpp merged 6 commits intogoogleapis:mainfrom
BrennaEpp:v4-headers
Mar 17, 2023
Merged

fix(storage): SignedURL v4 allows headers with colons in value#7543
BrennaEpp merged 6 commits intogoogleapis:mainfrom
BrennaEpp:v4-headers

Conversation

@BrennaEpp
Copy link
Contributor

@BrennaEpp BrennaEpp commented Mar 13, 2023

Previously, this:

opts := &storage.SignedURLOptions{  
       Scheme:  storage.SigningSchemeV4,  
       Headers: []string{  
            "x-goog-meta-start-time:2023-02-10T03:",   
        },  
        ...
}
url, err := client.Bucket(bucket).SignedURL(object, opts)

would return a URL that would return a 403 (signature mismatch) with the header x-goog-meta-start-time:2023-02-10T03:;
you would have to specify the header as x-goog-meta-start-time:2023-02-10T03 to get a 200 with the provided URL.

Based on our public docs, values should be able to use any US-ASCII characters, which includes colons.

This PR fixes the splitting of the headers so that colons (and anything after them) are preserved in the header values.

@BrennaEpp BrennaEpp requested review from a team March 13, 2023 22:58
@product-auto-label product-auto-label bot added size: s Pull request size is small. api: storage Issues related to the Cloud Storage API. labels Mar 13, 2023
@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: s Pull request size is small. labels Mar 14, 2023
@BrennaEpp BrennaEpp requested a review from tritone March 14, 2023 21:35
tritone
tritone approved these changes Mar 17, 2023
View reviewed changes
Copy link
Contributor

@tritone tritone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice fix. Can you look into adding a test case for this to the cross-lang signed URL conformance tests as well? https://github.com/googleapis/conformance-tests/blob/main/storage/v1/v4_signatures.json

@BrennaEpp
Copy link
Contributor Author

BrennaEpp commented Mar 17, 2023

Nice fix. Can you look into adding a test case for this to the cross-lang signed URL conformance tests as well? https://github.com/googleapis/conformance-tests/blob/main/storage/v1/v4_signatures.json

Sure thing, I'll open a PR there as discussed offline.

@BrennaEpp BrennaEpp enabled auto-merge (squash) March 17, 2023 20:21
@BrennaEpp BrennaEpp merged commit 602014d into googleapis:main Mar 17, 2023
@release-please release-please bot mentioned this pull request Mar 17, 2023
Merged
@BrennaEpp BrennaEpp deleted the v4-headers branch March 17, 2023 23:25
@BrennaEpp BrennaEpp mentioned this pull request Mar 18, 2023
Merged
tritone added a commit that referenced this pull request Mar 20, 2023
@tritone
Revert "fix(storage): SignedURL v4 allows headers with colons in value (
4b05b07 
#7543)"

This reverts commit 602014d.
@tritone tritone mentioned this pull request Mar 20, 2023
Merged
gcf-merge-on-green bot pushed a commit that referenced this pull request Mar 20, 2023
@tritone
Revert "fix(storage): SignedURL v4 allows headers with colons in valu…
5f3d2ec 
…e" (#7592)

This causes a build failure in Go 1.17 because `strings.Cut` was not added until Go 1.18. Need to investigate why the presubmit did not catch this.

Reverts #7543

Fixes #7588
@BrennaEpp BrennaEpp restored the v4-headers branch March 20, 2023 20:23
@BrennaEpp BrennaEpp mentioned this pull request Mar 20, 2023
Merged
gcf-merge-on-green bot pushed a commit that referenced this pull request Mar 21, 2023
@release-please
chore(main): release storage 1.30.1 (#7584)
c537b51 
🤖 I have created a release *beep* *boop*
---


## [1.30.1](https://togithub.com/googleapis/google-cloud-go/compare/storage/v1.30.0...storage/v1.30.1) (2023-03-21)


### Bug Fixes

* **storage:** Retract versions with Copier bug ([#7583](https://togithub.com/googleapis/google-cloud-go/issues/7583)) ([9c10b6f](https://togithub.com/googleapis/google-cloud-go/commit/9c10b6f8a54cb8447260148b5e4a9b5160281020))
* **storage:** SignedURL v4 allows headers with colons in value ([#7543](https://togithub.com/googleapis/google-cloud-go/issues/7543)) ([602014d](https://togithub.com/googleapis/google-cloud-go/commit/602014d2152cffe1860e00b713b1c3c8624e59f9))
* **storage:** SignedURL v4 allows headers with colons in value ([#7603](https://togithub.com/googleapis/google-cloud-go/issues/7603)) ([6b50f9b](https://togithub.com/googleapis/google-cloud-go/commit/6b50f9b368f5b271ade1706c342865cef46712e6))

---
This PR was generated with [Release Please](https://togithub.com/googleapis/release-please). See [documentation](https://togithub.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@tritone tritone tritone approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api: storage Issues related to the Cloud Storage API. size: m Pull request size is medium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BrennaEpp @tritone