Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-s3-multipart: Self-signed request does NOT escape path according to RFC 3986 #5005

Closed
2 tasks done
hiromi2424 opened this issue Mar 18, 2024 · 2 comments · Fixed by #5006
Closed
2 tasks done

aws-s3-multipart: Self-signed request does NOT escape path according to RFC 3986 #5005

hiromi2424 opened this issue Mar 18, 2024 · 2 comments · Fixed by #5006
Labels
Bug

Comments

@hiromi2424
Copy link
Contributor

hiromi2424 commented Mar 18, 2024
edited
Loading

Initial checklist

  • I understand this is a bug report and questions should be posted in the Community Forum
  • I searched issues and couldn’t find anything (or linked relevant results below)

Link to runnable example

https://github.com/transloadit/uppy/tree/main/packages/%40uppy/companion

Steps to reproduce

Very simple to say one phrase, this is reproduced by using AWS-S3-Multipart with companionUrl and getTemporarySecurityCredentials :true options.

Runnable example will be produced by @uppy/companion server with making setup s3-multipart, S3 CORS-policy and sts federation permission.

Note that default key implementation makes key including filename so that special chars in name of uploading file causes error.

https://github.com/transloadit/uppy/blob/main/packages/%40uppy/companion/src/server/helpers/utils.js#L149
${crypto.randomUUID()}-${filename}

After above setup, try upload file with special chars in file name. (Example: !'()*.txt)

Expected behavior

  • The chars "!'()*" is escaped in URL path
  • The chars "!'()*" is escaped in URL query
  • Signed request succeed

Actual behavior

  • The chars "!'()*" is NOT escaped in URL path
  • The chars "!'()*" is NOT escaped in URL query
  • Signed request fails
@hiromi2424 hiromi2424 added the Bug label Mar 18, 2024
@hiromi2424
Copy link
Contributor Author

I will send PR to fix this and may include info what is a difference between uppy's implementation and AWS SDK's one.

hiromi2424 added a commit to hiromi2424/uppy that referenced this issue Mar 18, 2024
@hiromi2424
@uppy/aws-s3-multipart: Fix escaping issue with client signed request.
0a61ffe 
…fixes transloadit#5005
@hiromi2424 hiromi2424 mentioned this issue Mar 18, 2024
Merged
@aduh95
Copy link
Contributor

aduh95 commented Mar 18, 2024

I'm not sure RFC 3986 requires escaping those characters, but I suppose that hardly matters if AWS requires it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

@uppy/aws-s3-multipart: Fix escaping issue with client signed request hiromi2424/uppy
2 participants
@hiromi2424 @aduh95