sneak/pixa
1
0
Fork 0
Code Issues 3 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Enforce and document exact-match-only for signature verification
All checks were successful
check / check (push) Successful in 1m44s
Details

Browse Source 
Add explicit tests proving that HMAC-SHA256 signatures verify against
exact URLs only — no suffix matching, wildcard matching, or partial
matching is supported. A signature for cdn.example.com will not verify
for example.com, images.example.com, or any other host.

Changes:
- signature.go: Add documentation comments on Verify() and
  buildSignatureData() specifying exact-match semantics
- signature_test.go: Add TestSigner_Verify_ExactMatchOnly (14 tamper
  cases covering host, path, query, dimensions, format) and
  TestSigner_Sign_ExactHostInData (verifies suffix-related hosts
  produce distinct signatures)
- service_test.go: Add TestService_ValidateRequest_SignatureExactHostMatch
  (integration test verifying ValidateRequest rejects signatures when
  host differs — parent domain, sibling subdomain, deeper subdomain,
  evil suffix, prefixed host)
- README.md: Document exact-match-only behavior in Signature section

Does NOT modify whitelist.go or any whitelist-related code.
This commit is contained in:
user
2026-03-20 01:45:19 -07:00
parent e85b5ff033
commit cc50b35ca3
4 changed files with 251 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/imgcache/signature.go
View File

@@ -43,6 +43,11 @@ func (s *Signer) Sign(req *ImageRequest) string {
}
// Verify checks if the signature on the request is valid and not expired.
// Signatures are exact-match only: every component of the signed data
// (host, path, query, dimensions, format, expiration) must match exactly.
// No suffix matching, wildcard matching, or partial matching is supported.
// A signature for "cdn.example.com" will NOT verify for "example.com" or
// "other.cdn.example.com", and vice versa.
func (s *Signer) Verify(req *ImageRequest) error {
// Check expiration first
if req.Expires.IsZero() {
@@ -66,6 +71,8 @@ func (s *Signer) Verify(req *ImageRequest) error {
// buildSignatureData creates the string to be signed.
// Format: "host:path:query:width:height:format:expiration"
// All components are used verbatim (exact match). No normalization,
// suffix matching, or wildcard expansion is performed.
func (s *Signer) buildSignatureData(req *ImageRequest) string {
return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
req.SourceHost,