search

scireum / s3ninja

S3 ninja emulates the Amazon S3 API for developement and test purposes
MIT License
494 stars 91 forks source link

discrepancy in signature when query parameter contains a space #153

Closed stjordan closed 4 years ago

stjordan commented 4 years ago

s3-ninja doesn't agree with real AWS when serving signed requests that are signed with a query parameter that contains a space

var client = AmazonS3ClientBuilder
  .standard()
  .withEndpointConfiguration(new EndpointConfiguration("http://localhost:9444", "us-east-1"))
  .withCredentials(creds)
  .withPathStyleAccessEnabled(true)
  .build();

var url = client
  .generatePresignedUrl(
    new GeneratePresignedUrlRequest("bucketName", "key")
      .withExpiration(Date.from(Instant.now().plus(1, ChronoUnit.HOURS)))
      .withResponseHeaders(new ResponseHeaderOverrides().withContentDisposition("inline; filename=\"hello.txt\""))
  )
  .toString();

builds this URL

http://localhost:9444/bucketName/key?response-content-disposition=inline%3B%20filename%3D%22hello.txt%22&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20200917T023806Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3599&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20200917%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=e3c8cf5aa7e8917469857d509adf63b5b0bc93089251a23179be70da8973bdce

s3-ninja fails to serve that with an Invalid Hash. Real AWS accepts the signature and serves the file.

Removing the space is a workaround: inline;filename="hello.txt". s3-ninja accepts the URL generated with that. But removing the space may not always be acceptable.

jakobvogel commented 4 years ago

Hello @stjordan 👋 Thanks for pointing this out. The linked PR #154 should fix this.