sneak/pixa - pixa - git.eeqj.de

sneak/pixa

Fork 0

Commit Graph

Author	SHA1	Message	Date
clawbot	a50364bfca	Enforce and document exact-match-only for signature verification (#40 ) All checks were successful check / check (push) Successful in 58s Details Closes #27 Signatures are per-URL only — this PR adds explicit tests and documentation enforcing that HMAC-SHA256 signatures verify against exact URLs only. No suffix matching, wildcard matching, or partial matching is supported. ## What this does NOT touch The host whitelist code (`whitelist.go`) is not modified. This PR is exclusively about signature verification, per sneak's instructions on [issue #27](#27), [PR #32](#32), and [PR #35](#35). ## Changes ### `internal/imgcache/signature.go` - Added documentation comments on `Verify()` and `buildSignatureData()` explicitly specifying that signatures are exact-match only — no suffix, wildcard, or partial matching ### `internal/imgcache/signature_test.go` - `TestSigner_Verify_ExactMatchOnly`: 14 tamper cases verifying that modifying any signed component (host, path, query, dimensions, format) causes verification to fail. Host-specific cases include: - Parent domain (`example.com`) does not match subdomain signature (`cdn.example.com`) - Sibling subdomain (`images.example.com`) does not match - Deeper subdomain (`images.cdn.example.com`) does not match - Evil suffix domain (`cdn.example.com.evil.com`) does not match - Prefixed host (`evilcdn.example.com`) does not match - `TestSigner_Sign_ExactHostInData`: Verifies that suffix-related hosts (`cdn.example.com`, `example.com`, `images.example.com`, etc.) all produce distinct signatures ### `internal/imgcache/service_test.go` - `TestService_ValidateRequest_SignatureExactHostMatch`: Integration test through `ValidateRequest` verifying that a valid signature for `cdn.example.com` is rejected when presented with a different host (parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host) ### `README.md` - Updated Signature Specification section to explicitly document exact-match-only semantics Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #40 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-20 23:56:45 +01:00
clawbot	0ff3071337	fix: encode source query in GenerateSignedURL to avoid malformed URLs When a source URL has query parameters, GenerateSignedURL() was embedding a bare '?' in the path, causing everything after it to be parsed as the HTTP query string instead of as path segments. This made the size/format segment unreachable by the URL parser. Percent-encode the query string in the path segment so it remains part of the path and can be correctly extracted by ParseImagePath. Fixes #2	2026-02-08 15:58:32 -08:00
sneak	cc2c40bfbf	Implement HMAC-SHA256 signature generation and verification	2026-01-08 03:02:09 -08:00

Author

SHA1

Message

Date

clawbot

a50364bfca

Enforce and document exact-match-only for signature verification (#40 )

check / check (push) Successful in 58s

Details

Closes #27

Signatures are per-URL only — this PR adds explicit tests and documentation enforcing that HMAC-SHA256 signatures verify against exact URLs only. No suffix matching, wildcard matching, or partial matching is supported.

## What this does NOT touch

**The host whitelist code (`whitelist.go`) is not modified.** This PR is exclusively about signature verification, per sneak's instructions on [issue #27](#27), [PR #32](#32), and [PR #35](#35).

## Changes

### `internal/imgcache/signature.go`
- Added documentation comments on `Verify()` and `buildSignatureData()` explicitly specifying that signatures are exact-match only — no suffix, wildcard, or partial matching

### `internal/imgcache/signature_test.go`
- **`TestSigner_Verify_ExactMatchOnly`**: 14 tamper cases verifying that modifying any signed component (host, path, query, dimensions, format) causes verification to fail. Host-specific cases include:
  - Parent domain (`example.com`) does not match subdomain signature (`cdn.example.com`)
  - Sibling subdomain (`images.example.com`) does not match
  - Deeper subdomain (`images.cdn.example.com`) does not match
  - Evil suffix domain (`cdn.example.com.evil.com`) does not match
  - Prefixed host (`evilcdn.example.com`) does not match
- **`TestSigner_Sign_ExactHostInData`**: Verifies that suffix-related hosts (`cdn.example.com`, `example.com`, `images.example.com`, etc.) all produce distinct signatures

### `internal/imgcache/service_test.go`
- **`TestService_ValidateRequest_SignatureExactHostMatch`**: Integration test through `ValidateRequest` verifying that a valid signature for `cdn.example.com` is rejected when presented with a different host (parent domain, sibling subdomain, deeper subdomain, evil suffix, prefixed host)

### `README.md`
- Updated Signature Specification section to explicitly document exact-match-only semantics

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #40
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

2026-03-20 23:56:45 +01:00

clawbot

0ff3071337

fix: encode source query in GenerateSignedURL to avoid malformed URLs

When a source URL has query parameters, GenerateSignedURL() was
embedding a bare '?' in the path, causing everything after it to be
parsed as the HTTP query string instead of as path segments. This
made the size/format segment unreachable by the URL parser.

Percent-encode the query string in the path segment so it remains
part of the path and can be correctly extracted by ParseImagePath.

Fixes #2

2026-02-08 15:58:32 -08:00

sneak

cc2c40bfbf

Implement HMAC-SHA256 signature generation and verification

2026-01-08 03:02:09 -08:00

3 Commits