Add explicit tests proving that HMAC-SHA256 signatures verify against
exact URLs only — no suffix matching, wildcard matching, or partial
matching is supported. A signature for cdn.example.com will not verify
for example.com, images.example.com, or any other host.
Changes:
- signature.go: Add documentation comments on Verify() and
buildSignatureData() specifying exact-match semantics
- signature_test.go: Add TestSigner_Verify_ExactMatchOnly (14 tamper
cases covering host, path, query, dimensions, format) and
TestSigner_Sign_ExactHostInData (verifies suffix-related hosts
produce distinct signatures)
- service_test.go: Add TestService_ValidateRequest_SignatureExactHostMatch
(integration test verifying ValidateRequest rejects signatures when
host differs — parent domain, sibling subdomain, deeper subdomain,
evil suffix, prefixed host)
- README.md: Document exact-match-only behavior in Signature section
Does NOT modify whitelist.go or any whitelist-related code.
When a source URL has query parameters, GenerateSignedURL() was
embedding a bare '?' in the path, causing everything after it to be
parsed as the HTTP query string instead of as path segments. This
made the size/format segment unreachable by the URL parser.
Percent-encode the query string in the path segment so it remains
part of the path and can be correctly extracted by ParseImagePath.
Fixes#2
