deiwin opened a new issue, #11097:
URL: https://github.com/apache/apisix/issues/11097

   ### Current Behavior
   
   When using the `aws-lambda` plugin with IAM auth, then any request that 
includes URL-encoded query parameters will fail with the following error 
returned from AWS:
   ```
   HTTP/2 403
   ..
   x-amzn-errortype: InvalidSignatureException
   ..
   
   {"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
   ```
   
   I believe this happens because:
   - [`get_uri_args` unescapes query parameters](https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args)
   - The `aws-lambda` plugin [uses `get_uri_args`](https://github.com/apache/apisix/blob/538b9480fd1d0fc41d627936279fcf28cb5802d7/apisix/plugins/serverless/generic-upstream.lua#L62), which unescapes the parameters but then [also unescapes them itself](https://github.com/apache/apisix/blob/538b9480fd1d0fc41d627936279fcf28cb5802d7/apisix/plugins/aws-lambda.lua#L128), causing the args to be unescaped twice.
   - Per [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#create-canonical-request) the "canonical query parameters" used for the signature should be escaped, but they are double-unescaped instead.
   
   ### Expected Behavior
   
   _No response_
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   Create a route including the `aws-lambda` plugin:
   ```yaml
   function_uri: <URI>
   authorization:
     iam:
       accesskey: <key>
       secretkey: <key>
       aws_region: <region>
       service: <execute-api/lambda>
   ```
   
   Then send a request to the route, including a query parameter such as 
`?param=with%20spaces`, for example.
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.7.0 (but the issue is also on 
master)
   - Operating system (run `uname -a`): Debian (from 
`apache/apisix:3.7.0-debian` Docker image)
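
Added example, not part of the original issue and not APISIX code: a Python model of the mismatch described above, comparing a canonical query string built from double-unescaped arguments with one built by the SigV4 rule of percent-encoding each decoded name and value. `decoded_args` is a hypothetical stand-in for `get_uri_args`; the secret, host, date, region and sample queries are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote

SECRET = "EXAMPLE-SECRET-NOT-REAL"  # constructed value, not a real credential


def decoded_args(raw_query):
    """Stand-in for ngx.req.get_uri_args: pairs come back already unescaped."""
    return parse_qsl(raw_query, keep_blank_values=True)


def canonical_query_double_unescaped(raw_query):
    """Behaviour the issue describes: decoded args are unescaped a second time."""
    pairs = sorted((unquote(k), unquote(v)) for k, v in decoded_args(raw_query))
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonical_query_sigv4(raw_query):
    """SigV4 rule: percent-encode each decoded name and value, then sort."""
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in decoded_args(raw_query))
    return "&".join(f"{k}={v}" for k, v in pairs)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign(canonical_query, date="20240101", region="us-east-1", service="lambda"):
    """SigV4 signature of a bodyless GET / with the given canonical query string."""
    amz_date = date + "T000000Z"
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:example.invalid\nx-amz-date:{amz_date}\n",
        "host;x-amz-date", hashlib.sha256(b"").hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()


if __name__ == "__main__":
    for raw in ("param=with%20spaces", "q=100%2525"):  # constructed samples
        bad, good = canonical_query_double_unescaped(raw), canonical_query_sigv4(raw)
        print(f"{raw!r}: signed {bad!r}, expected {good!r}, "
              f"match={sign(bad) == sign(good)}")
```

The second sample shows that a second unescape also changes the value itself (`100%25` becomes `100%`), so the signed string and the request the upstream receives no longer describe the same parameter.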
   

