Firstsawyou opened a new issue #2710:
URL: https://github.com/apache/apisix/issues/2710


   ### Issue description
   
   In different programming language environments, the escaped characters of parameters in the `uri` differ between uppercase and lowercase letters, but they all represent the same characters. In the `hmac-auth` plugin, the parameters in the `uri` are uniformly escaped with `escape_uri`, which converts lowercase letters in escaped characters to uppercase letters. Eventually, the signature in the request is inconsistent with the signature generated by the `hmac-auth` plugin, and the signature verification fails.
   The `escape_uri` operation should be removed from the `hmac-auth` plugin; then this problem will be resolved.
   
   ### Environment
   
   * apisix version (cmd: `apisix version`): 2.0
   * OS:
   
   Example:
   1. Add a line of logging code below line 204 of the `hmac-auth` plugin to print the characters escaped by `escape_uri`.
   
   ```
   core.log.info("query: ", escape_uri(key) .. "=" .. escape_uri(param))
   ```
   
   ![Screenshot 2020-11-11 17:19:10](https://user-images.githubusercontent.com/52862365/98793152-71c35400-2442-11eb-9b7e-e553e24b5371.png)
   
   2. Add a test case with lowercase-letter escape characters in the `hmac-auth.t` file.
   
   ```
   === TEST 35: test escape_uri
   --- config
       location /t {
           content_by_lua_block {
               local t = require("lib.test_admin").test
               local code, body = t('/apisix/admin/routes/1',
                   ngx.HTTP_PUT,
                   [[{
                       "plugins": {
                           "hmac-auth": {}
                       },
                       "upstream": {
                           "nodes": {
                               "127.0.0.1:1980": 1
                           },
                           "type": "roundrobin"
                       },
                       "uri": "/hello"
                   }]]
                   )
   
               if code >= 300 then
                   ngx.status = code
               end
               ngx.say(body)
           }
       }
   --- request
   GET /t
   --- response_body
   passed
   --- no_error_log
   [error]
   
   
   
   === TEST 36: test escape_uri
   --- config
       location /t {
           content_by_lua_block {
               local t = require("lib.test_admin").test
               local code, body = t('/apisix/admin/consumers',
                   ngx.HTTP_PUT,
                   [[{
                       "username": "james",
                       "plugins": {
                           "hmac-auth": {
                               "access_key": "my-access-key4",
                               "secret_key": "my-secret-key4"
                           }
                       }
                   }]]
                   )
               
               if code >= 300 then
                   ngx.status = code
               end
               ngx.say(body)
           }
       }
   --- request
   GET /t
   --- response_body
   passed
   --- no_error_log
   [error]
   
   
   
   === TEST 37: The escape characters `%3e` and `%2c` with lowercase letters in the uri parameter
   --- config
   location /t {
       content_by_lua_block {
           local ngx_time = ngx.time
           local ngx_http_time = ngx.http_time
           local core = require("apisix.core")
           local t = require("lib.test_admin")
           local hmac = require("resty.hmac")
           local ngx_re = require("ngx.re")
           local ngx_encode_base64 = ngx.encode_base64
   
           local data = {cert = "ssl_cert", key = "ssl_key", sni = "test.com"}
           local req_body = core.json.encode(data)
           req_body = req_body or ""
   
           local secret_key = "my-secret-key4"
           local timestamp = ngx_time()
           local gmt = ngx_http_time(timestamp)
           local access_key = "my-access-key4"
           local custom_header_a = "asld$%dfasf"
           local custom_header_b = "23879fmsldfk"
   
           local signing_string = {
               "GET",
               "/hello",
               "name=rose%3ehello&name2=james%2chello",
               access_key,
               gmt,
               "x-custom-header-a:" .. custom_header_a,
               "x-custom-header-b:" .. custom_header_b
           }
           signing_string = core.table.concat(signing_string, "\n") .. "\n"
           core.log.info("signing_string:", signing_string)
   
           local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
           core.log.info("signature:", ngx_encode_base64(signature))
           local headers = {}
           headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
           headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
           headers["Date"] = gmt
           headers["X-HMAC-ACCESS-KEY"] = access_key
           headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b"
           headers["x-custom-header-a"] = custom_header_a
           headers["x-custom-header-b"] = custom_header_b
   
           local code, body = t.test('/hello?name=rose%3ehello&name2=james%2chello',
               ngx.HTTP_GET,
               req_body,
               nil,
               headers
           )
   
           if code >= 300 then
               ngx.status = code
           end
           ngx.say(body)
       }
   }
   --- request
   GET /t
   --- response_body
   passed
   --- no_error_log
   [error]
   ```
   
   3. Test case execution result
   
   ![Screenshot 2020-11-11 18:02:39](https://user-images.githubusercontent.com/52862365/98798038-5fe4af80-2448-11eb-922f-6302031cfcaf.png)
   
   View log:
   
   ![Screenshot 2020-11-11 18:06:34](https://user-images.githubusercontent.com/52862365/98798322-b8b44800-2448-11eb-96e1-54b911c7bccd.png)
   
   

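As an added example (Python, not code from the APISIX project or from the issue above), the signing computation of Test 37 rewritten so the mismatch can be reproduced offline: the client signs the query exactly as it sent it, and the server either verifies against the same bytes or, reproducing the reported bug, re-escapes the query first. `uppercase_pct` is an assumed stand-in for the net effect the issue attributes to `escape_uri`, and the `Date` value is constructed.

```python
import base64
import hashlib
import hmac
import re

_PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def uppercase_pct(query: str) -> str:
    """Stand-in for the net effect the issue reports from escape_uri:
    every %xx triplet in the query comes back with uppercase hex digits."""
    return _PCT.sub(lambda m: m.group(0).upper(), query)

def signing_string(method, path, query, access_key, date, signed_headers):
    """Field-per-line layout used by Test 37 above, trailing newline included."""
    lines = [method, path, query, access_key, date]
    lines += [f"{name}:{value}" for name, value in signed_headers]
    return "\n".join(lines) + "\n"

def sign(secret_key: str, payload: str) -> str:
    # HMAC-SHA256 over the signing string, base64-encoded like X-HMAC-SIGNATURE.
    digest = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def verify(secret_key, presented_sig, reescape_query=False, **req):
    """Server-side check. reescape_query=True reproduces the reported bug:
    the server rebuilds the query with uppercase hex before signing it."""
    if reescape_query:
        req = dict(req, query=uppercase_pct(req["query"]))
    expected = sign(secret_key, signing_string(**req))
    return hmac.compare_digest(expected, presented_sig)  # constant-time compare

# Constructed request: the values from Test 37 above, with a fixed Date header.
SECRET = "my-secret-key4"
REQ = dict(method="GET", path="/hello",
           query="name=rose%3ehello&name2=james%2chello",
           access_key="my-access-key4", date="Wed, 11 Nov 2020 10:02:39 GMT",
           signed_headers=[("x-custom-header-a", "asld$%dfasf"),
                           ("x-custom-header-b", "23879fmsldfk")])

def client_signature():
    """What the client sends: signed over the query exactly as it built it."""
    return sign(SECRET, signing_string(**REQ))

def verify_as_received():
    """Server signs the query bytes it received: signatures match."""
    return verify(SECRET, client_signature(), **REQ)

def verify_after_reescape():
    """Server re-escapes (%3e -> %3E) before signing: verification fails."""
    return verify(SECRET, client_signature(), reescape_query=True, **REQ)
```

Whatever form the server verifies against, the raw bytes as received or a canonical form, must be the form the documented signing contract tells clients to sign; otherwise clients that percent-encode with the other letter case are rejected even though their URIs are equivalent.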
