Enforce and document exact-match-only for signature verification
All checks were successful
check / check (push) Successful in 1m44s
All checks were successful
check / check (push) Successful in 1m44s
Add explicit tests proving that HMAC-SHA256 signatures verify against exact URLs only — no suffix matching, wildcard matching, or partial matching is supported. A signature for cdn.example.com will not verify for example.com, images.example.com, or any other host. Changes: - signature.go: Add documentation comments on Verify() and buildSignatureData() specifying exact-match semantics - signature_test.go: Add TestSigner_Verify_ExactMatchOnly (14 tamper cases covering host, path, query, dimensions, format) and TestSigner_Sign_ExactHostInData (verifies suffix-related hosts produce distinct signatures) - service_test.go: Add TestService_ValidateRequest_SignatureExactHostMatch (integration test verifying ValidateRequest rejects signatures when host differs — parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host) - README.md: Document exact-match-only behavior in Signature section Does NOT modify whitelist.go or any whitelist-related code.
This commit is contained in:
user
@@ -67,7 +67,10 @@ hosts require an HMAC-SHA256 signature.
|
||||
#### Signature Specification
|
||||
|
||||
Signatures use HMAC-SHA256 and include an expiration timestamp to
|
||||
prevent replay attacks.
|
||||
prevent replay attacks. Signatures are **exact match only**: every
|
||||
component (host, path, query, dimensions, format, expiration) must
|
||||
match exactly what was signed. No suffix matching, wildcard matching,
|
||||
or partial matching is supported.
|
||||
|
||||
**Signed data format** (colon-separated):
|
||||
|
||||
|
||||
Reference in New Issue
Block a user