feat(signature-v4): presigner skips headers from hosting to query

aws · Nov 19, 2020 · f430d94 · f430d94
1 parent 2cb016f
commit f430d94
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 3 deletions.
diff --git a/packages/signature-v4/src/SignatureV4.spec.ts b/packages/signature-v4/src/SignatureV4.spec.ts
@@ -66,6 +66,30 @@ describe("SignatureV4", () => {
       });
     });
 
+    it("should sign request without hoisting some headers", async () => {
+      const { query, headers } = await signer.presign(
+        {
+          ...minimalRequest,
+          headers: {
+            ...minimalRequest.headers,
+            "x-amz-not-hoisted": "test",
+          },
+        },
+        { ...presigningOptions, unhoistableHeaders: new Set(["x-amz-not-hoisted"]) }
+      );
+      expect(query).toEqual({
+        [ALGORITHM_QUERY_PARAM]: ALGORITHM_IDENTIFIER,
+        [CREDENTIAL_QUERY_PARAM]: "foo/20000101/us-bar-1/foo/aws4_request",
+        [AMZ_DATE_QUERY_PARAM]: "20000101T000000Z",
+        [EXPIRES_QUERY_PARAM]: presigningOptions.expiresIn.toString(),
+        [SIGNED_HEADERS_QUERY_PARAM]: `${HOST_HEADER};x-amz-not-hoisted`,
+        [SIGNATURE_QUERY_PARAM]: "3c3ef586754b111e9528009710b797a07457d6a671058ba89041a06bab45f585",
+      });
+      expect(headers).toMatchObject({
+        "x-amz-not-hoisted": "test",
+      });
+    });
+
     it("should support overriding region and service in the signer instance", async () => {
       const signer = new SignatureV4({
         ...signerInit,

diff --git a/packages/signature-v4/src/SignatureV4.ts b/packages/signature-v4/src/SignatureV4.ts
@@ -120,6 +120,7 @@ export class SignatureV4 implements RequestPresigner, RequestSigner, StringSigne
       signingDate = new Date(),
       expiresIn = 3600,
       unsignableHeaders,
+      unhoistableHeaders,
       signableHeaders,
       signingRegion,
       signingService,
@@ -135,7 +136,7 @@ export class SignatureV4 implements RequestPresigner, RequestSigner, StringSigne
     }
 
     const scope = createScope(shortDate, region, signingService ?? this.service);
-    const request = moveHeadersToQuery(prepareRequest(originalRequest));
+    const request = moveHeadersToQuery(prepareRequest(originalRequest), { unhoistableHeaders });
 
     if (credentials.sessionToken) {
       request.query[TOKEN_QUERY_PARAM] = credentials.sessionToken;

diff --git a/packages/signature-v4/src/moveHeadersToQuery.spec.ts b/packages/signature-v4/src/moveHeadersToQuery.spec.ts
@@ -68,4 +68,35 @@ describe("moveHeadersToQuery", () => {
       "X-Amz-Storage-Class": "STANDARD_IA",
     });
   });
+
+  it("should skip hoisting headers to the querystring supplied in unhoistedHeaders", () => {
+    const req = moveHeadersToQuery(
+      new HttpRequest({
+        ...minimalRequest,
+        headers: {
+          Host: "www.example.com",
+          "X-Amz-Website-Redirect-Location": "/index.html",
+          Foo: "bar",
+          fizz: "buzz",
+          SNAP: "crackle, pop",
+          "X-Amz-Storage-Class": "STANDARD_IA",
+        },
+      }),
+      {
+        unhoistableHeaders: new Set(["x-amz-website-redirect-location"]),
+      }
+    );
+
+    expect(req.query).toEqual({
+      "X-Amz-Storage-Class": "STANDARD_IA",
+    });
+
+    expect(req.headers).toEqual({
+      Host: "www.example.com",
+      "X-Amz-Website-Redirect-Location": "/index.html",
+      Foo: "bar",
+      fizz: "buzz",
+      SNAP: "crackle, pop",
+    });
+  });
 });
diff --git a/packages/signature-v4/src/moveHeadersToQuery.ts b/packages/signature-v4/src/moveHeadersToQuery.ts
@@ -5,12 +5,15 @@ import { cloneRequest } from "./cloneRequest";
 /**
  * @internal
  */
-export function moveHeadersToQuery(request: HttpRequest): HttpRequest & { query: QueryParameterBag } {
+export function moveHeadersToQuery(
+  request: HttpRequest,
+  options: { unhoistableHeaders?: Set<string> } = {}
+): HttpRequest & { query: QueryParameterBag } {
   const { headers, query = {} as QueryParameterBag } =
     typeof (request as any).clone === "function" ? (request as any).clone() : cloneRequest(request);
   for (const name of Object.keys(headers)) {
     const lname = name.toLowerCase();
-    if (lname.substr(0, 6) === "x-amz-") {
+    if (lname.substr(0, 6) === "x-amz-" && !options.unhoistableHeaders?.has(lname)) {
       query[name] = headers[name];
       delete headers[name];
     }

diff --git a/packages/types/src/signature.ts b/packages/types/src/signature.ts
@@ -52,6 +52,17 @@ export interface RequestPresigningArguments extends RequestSigningArguments {
    * The number of seconds before the presigned URL expires
    */
   expiresIn?: number;
+
+  /**
+   * A set of string whose members represents headers that should not be hoisted
+   * to presigned request's query string. If not supplied, the presigner will
+   * move all the AWS-specific headers(starting with `x-amz-`) to the request
+   * query string. If supplied, these headers remain in the presigned request's
+   * header.
+   * All headers in the provided request will have their names converted to
+   * lower case and then checked for existence in the unhoistableHeaders set.
+   */
+  unhoistableHeaders?: Set<string>;
 }
 
 export interface EventSigningArguments extends SigningArguments {