gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

S3 API: unsigned streaming (no cred) but chunks contain signatures (#7118)

Browse Source 
* This handles the case where we have unsigned streaming (no cred) but chunks contain signatures

* Update chunked_reader_v4.go

* address comments
This commit is contained in:
Chris Lu
2025-08-11 10:31:01 -07:00
committed by GitHub
parent a265a07922
commit 9265e81fe9
2 changed files with 86 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
weed/s3api/chunked_bug_reproduction_test.go Normal file
View File

@@ -0,0 +1,55 @@
package s3api
import (
"bytes"
"io"
"net/http"
"testing"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
)
// TestChunkedEncodingMixedFormat tests the fix for GitHub issue #6847
// where AWS SDKs send mixed format: unsigned streaming headers but signed chunk data
func TestChunkedEncodingMixedFormat(t *testing.T) {
expectedContent := "hello world\n"
// Create the problematic mixed format payload:
// - Unsigned streaming headers (STREAMING-UNSIGNED-PAYLOAD-TRAILER)
// - But chunk data contains chunk-signature headers
mixedFormatPayload := "c;chunk-signature=347f6c62acd95b7c6ae18648776024a9e8cd6151184a5e777ea8e1d9b4e45b3c\r\n" +
"hello world\n\r\n" +
"0;chunk-signature=1a99b7790b8db0f4bfc048c8802056c3179d561e40c073167e79db5f1a6af4b2\r\n" +
"x-amz-checksum-crc32:rwg7LQ==\r\n" +
"\r\n"
// Create HTTP request with unsigned streaming headers
req, _ := http.NewRequest("PUT", "/test-bucket/test-object", bytes.NewReader([]byte(mixedFormatPayload)))
req.Header.Set("x-amz-content-sha256", "STREAMING-UNSIGNED-PAYLOAD-TRAILER")
req.Header.Set("x-amz-trailer", "x-amz-checksum-crc32")
// Process through SeaweedFS chunked reader
iam := setupTestIAM()
reader, errCode := iam.newChunkedReader(req)
if errCode != s3err.ErrNone {
t.Fatalf("Failed to create chunked reader: %v", errCode)
}
// Read the content
actualContent, err := io.ReadAll(reader)
if err != nil {
t.Fatalf("Failed to read content: %v", err)
}
// Should correctly extract just the content, ignoring chunk signatures
if string(actualContent) != expectedContent {
t.Errorf("Mixed format handling failed. Expected: %q, Got: %q", expectedContent, string(actualContent))
}
}
// setupTestIAM creates a test IAM instance using the same pattern as existing tests
func setupTestIAM() *IdentityAccessManagement {
iam := &IdentityAccessManagement{}
return iam
}

44
weed/s3api/chunked_reader_v4.go
View File

@@ -440,18 +440,35 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
continue continue
} }
case verifyChunk: case verifyChunk:
// Calculate the hashed chunk. // Check if we have credentials for signature verification
hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil)) // This handles the case where we have unsigned streaming (no cred) but chunks contain signatures
// Calculate the chunk signature. //
newSignature := cr.getChunkSignature(hashedChunk) // BUG FIX for GitHub issue #6847:
if !compareSignatureV4(cr.chunkSignature, newSignature) { // Some AWS SDK versions (Java 3.7.412+, .NET 4.0.0-preview.6+) send mixed format:
// Chunk signature doesn't match we return signature does not match. // - HTTP headers indicate unsigned streaming (STREAMING-UNSIGNED-PAYLOAD-TRAILER)
cr.err = errors.New(s3err.ErrMsgChunkSignatureMismatch) // - But chunk data contains chunk-signature headers (normally only for signed streaming)
return 0, cr.err // This causes a nil pointer dereference when trying to verify signatures without credentials
if cr.cred != nil {
// Normal signed streaming - verify the chunk signature
// Calculate the hashed chunk.
hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
// Calculate the chunk signature.
newSignature := cr.getChunkSignature(hashedChunk)
if !compareSignatureV4(cr.chunkSignature, newSignature) {
// Chunk signature doesn't match we return signature does not match.
cr.err = errors.New(s3err.ErrMsgChunkSignatureMismatch)
return 0, cr.err
}
// Newly calculated signature becomes the seed for the next chunk
// this follows the chaining.
cr.seedSignature = newSignature
} else {
// For unsigned streaming, we should not verify chunk signatures even if they are present
// This fixes the bug where AWS SDKs send chunk signatures with unsigned streaming headers
glog.V(3).Infof("Skipping chunk signature verification for unsigned streaming")
} }
// Newly calculated signature becomes the seed for the next chunk
// this follows the chaining. // Common cleanup and state transition for both signed and unsigned streaming
cr.seedSignature = newSignature
cr.chunkSHA256Writer.Reset() cr.chunkSHA256Writer.Reset()
if cr.lastChunk { if cr.lastChunk {
cr.state = eofChunk cr.state = eofChunk
@@ -513,9 +530,10 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
if err != nil { if err != nil {
// We always know when EOF is coming. // We always know when EOF is coming.
// If the caller asked for a line, there should be a line. // If the caller asked for a line, there should be a line.
if err == io.EOF { switch err {
case io.EOF:
err = io.ErrUnexpectedEOF err = io.ErrUnexpectedEOF
} else if err == bufio.ErrBufferFull { case bufio.ErrBufferFull:
err = errLineTooLong err = errLineTooLong
} }
return nil, err return nil, err