spacewander commented on a change in pull request #2749:
URL: https://github.com/apache/apisix/pull/2749#discussion_r523847260



##########
File path: doc/zh-cn/plugins/hmac-auth.md
##########
@@ -44,6 +44,7 @@
 | clock_skew     | integer       | 可选   | 0           |                        
                     | 签名允许的时间偏移,以秒为单位的计时。比如允许时间偏移 10 秒钟,那么就应设置为 `10`。特别地,`0` 
表示不对 `Date` 进行检查。                                                        |
 | signed_headers | array[string] | 可选   |               |                      
                       | 限制加入加密计算的 headers ,指定后客户端请求只能在此范围内指定 headers 
,此项为空时将把所有客户端请求指定的 headers 加入加密计算。如: ["User-Agent", "Accept-Language", 
"x-custom-a"] |
 | keep_headers | boolean | 可选   |      false        |           [ true, false 
]                             | 认证成功后的 http 请求中是否需要保留 
`X-HMAC-SIGNATURE`、`X-HMAC-ALGORITHM` 和 `X-HMAC-SIGNED-HEADERS` 的请求头。true: 表示保留 
http 请求头,false: 表示移除 http 请求头。 |
+| enable_encode | boolean | 可选   |      true        |           [ true, false 
]                             | 是否对签名中的 uri 参数进行转义,例如: `params1=hello%2Cworld` 
进行了转义,`params2=hello,world` 没有进行转义。true: 表示对签名中的 uri 参数进行转义,false: 不对签名中的 uri 
参数转义。 |
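
Review bot: the new `enable_encode` row describes what the server does to the signature but not what the client has to do. It should state that the client must build its signing string the same way (escaped when `true`, raw when `false`), otherwise the two signatures will not match. It would also help to say whether parameter names are escaped along with the values, since both examples in the row only show values.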

Review comment:
       Better to update the example in `测试插件`

##########
File path: apisix/plugins/hmac-auth.lua
##########
@@ -74,6 +74,11 @@ local consumer_schema = {
             type = "boolean",
             title = "whether to keep the http request header",
             default = false,
+        },
+        enable_encode = {
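
Review bot: the `enable_encode` entry opened on the last line of this hunk should mirror the entry just above it and declare `type = "boolean"`, a `title`, and `default = true`. The doc table in this same change lists the default as `true`, so a missing or different schema default would leave the documentation and the behaviour out of step.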

Review comment:
       Better to use `encode_uri_param` so people can know what is encoded.

##########
File path: apisix/plugins/hmac-auth.lua
##########
@@ -194,14 +209,28 @@ local function generate_signature(ctx, secret_key, params)
         end
         core.table.sort(keys)
 
+        local field_val = get_conf_field(params.access_key, "enable_encode")
+        core.log.info("enable_encode: ", field_val)
+
         for _, key in pairs(keys) do
             local param = args[key]
-            if type(param) == "table" then
-                for _, val in pairs(param) do
-                    core.table.insert(query_tab, escape_uri(key) .. "=" .. 
escape_uri(val))
+            -- whether to escape the uri parameters
+            if field_val then
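
Review bot: `if field_val then` treats `nil` the same as `false`, so if `get_conf_field(params.access_key, "enable_encode")` can return `nil` (for example for a consumer whose stored configuration has no such field), escaping is switched off even though the documented default is `true`. Compare explicitly, e.g. `if field_val ~= false then`, or have `get_conf_field` apply the schema default. `field_val` would also read better named after what it holds, and the `core.log.info` call runs on every request, so consider removing it once debugging is done.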

Review comment:
       It would be better to use an empty function to escape the URI params 
when the option is disabled, like `core.table.insert(query_tab, 
encode_or_not(key) .. "=" .. encode_or_not(val))`. When you do it, please 
avoid creating a new function per request.
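
The pattern suggested in the last review comment, sketched as an added example that is not part of the review or of APISIX's code. `no_escape` and `canonical_query` are hypothetical names, `escape_uri` is a plain-Lua stand-in for `ngx.escape_uri` so the block runs outside OpenResty, and argument values are assumed to be strings.

```lua
-- Stand-in for ngx.escape_uri (assumption): percent-encode everything
-- except unreserved characters.
local function escape_uri(s)
    return (s:gsub("[^%w%-%._~]", function(c)
        return string.format("%%%02X", string.byte(c))
    end))
end

-- Identity function, defined once at module load rather than per request.
local function no_escape(s)
    return s
end

-- Hypothetical helper: build the sorted query string that goes into the
-- signing string. The encoder is selected by reference, so no closure is
-- created while handling a request.
local function canonical_query(args, encode_uri_params)
    local encode_or_not = encode_uri_params and escape_uri or no_escape

    local keys = {}
    for key in pairs(args) do
        keys[#keys + 1] = key
    end
    table.sort(keys)

    local query_tab = {}
    for _, key in ipairs(keys) do
        local param = args[key]
        if type(param) ~= "table" then
            param = { param }   -- treat single values like one-element lists
        end
        for _, val in ipairs(param) do
            query_tab[#query_tab + 1] =
                encode_or_not(key) .. "=" .. encode_or_not(val)
        end
    end
    return table.concat(query_tab, "&")
end

-- Constructed sample arguments: one repeated parameter, one with a comma.
local args = { name = { "a b", "c" }, params2 = "hello,world" }
print(canonical_query(args, true))   -- escaped form
print(canonical_query(args, false))  -- raw form
```

The two printed strings differ, so a client has to sign the same form the consumer is configured for.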



