Fix API parameters signature

Author: adimiz1

cloudinary-core/src/main/java/com/cloudinary/Cloudinary.java

@@ -130,8 +130,8 @@ public String signedPreloadedImage(Map result) {
                 + (result.containsKey("format") ? "." + result.get("format") : "") + "#" + result.get("signature");
     }
 
-    public String apiSignRequest(Map<String, Object> paramsToSign, String apiSecret) {
-        return Util.produceSignature(paramsToSign, apiSecret, config.signatureAlgorithm);
+    public String apiSignRequest(Map<String, Object> paramsToSign, String apiSecret, int signatureVersion) {
+        return Util.produceSignature(paramsToSign, apiSecret, config.signatureAlgorithm, signatureVersion);
     }
 
     /**
@@ -206,7 +206,7 @@ public void signRequest(Map<String, Object> params, Map<String, Object> options)
         if (apiSecret == null)
             throw new IllegalArgumentException("Must supply api_secret");
         Util.clearEmpty(params);
-        params.put("signature", this.apiSignRequest(params, apiSecret));
+        params.put("signature", this.apiSignRequest(params, apiSecret, this.config.signatureVersion));
         params.put("api_key", apiKey);
     }
 

cloudinary-core/src/main/java/com/cloudinary/Configuration.java

@@ -21,6 +21,7 @@ public class Configuration {
     public final static String USER_AGENT = "cld-android-" + VERSION;
     public static final boolean DEFAULT_IS_LONG_SIGNATURE = false;
     public static final SignatureAlgorithm DEFAULT_SIGNATURE_ALGORITHM = SignatureAlgorithm.SHA1;
+    public static final int DEFAULT_SIGNATURE_VERSION = 2;
 
     private static final String CONFIG_PROP_SIGNATURE_ALGORITHM = "signature_algorithm";
 
@@ -48,6 +49,7 @@ public class Configuration {
     public boolean forceVersion = true;
     public boolean longUrlSignature = DEFAULT_IS_LONG_SIGNATURE;
     public SignatureAlgorithm signatureAlgorithm = DEFAULT_SIGNATURE_ALGORITHM;
+    public int signatureVersion = DEFAULT_SIGNATURE_VERSION;
     public String oauthToken = null;
     public Boolean analytics;
     public Configuration() {
@@ -75,6 +77,7 @@ private Configuration(
             boolean forceVersion,
             boolean longUrlSignature,
             SignatureAlgorithm signatureAlgorithm,
+            int signatureVersion,
             String oauthToken,
             boolean analytics) {
         this.cloudName = cloudName;
@@ -98,6 +101,7 @@ private Configuration(
         this.forceVersion = forceVersion;
         this.longUrlSignature = longUrlSignature;
         this.signatureAlgorithm = signatureAlgorithm;
+        this.signatureVersion = signatureVersion;
         this.oauthToken = oauthToken;
         this.analytics = analytics;
     }
@@ -140,6 +144,7 @@ public void update(Map config) {
         }
         this.longUrlSignature = ObjectUtils.asBoolean(config.get("long_url_signature"), DEFAULT_IS_LONG_SIGNATURE);
         this.signatureAlgorithm = SignatureAlgorithm.valueOf(ObjectUtils.asString(config.get(CONFIG_PROP_SIGNATURE_ALGORITHM), DEFAULT_SIGNATURE_ALGORITHM.name()));
+        this.signatureVersion = ObjectUtils.asInteger(config.get("signature_version"), DEFAULT_SIGNATURE_VERSION);
         this.oauthToken = (String) config.get("oauth_token");
 
     }
@@ -173,6 +178,7 @@ public Map<String, Object> asMap() {
         map.put("properties", new HashMap<String,Object>(properties));
         map.put("long_url_signature", longUrlSignature);
         map.put(CONFIG_PROP_SIGNATURE_ALGORITHM, signatureAlgorithm.toString());
+        map.put("signature_version", signatureVersion);
         map.put("oauth_token", oauthToken);
         map.put("analytics", analytics);
         return map;
@@ -206,6 +212,7 @@ public Configuration(Configuration other) {
         this.properties.putAll(other.properties);
         this.longUrlSignature = other.longUrlSignature;
         this.signatureAlgorithm = other.signatureAlgorithm;
+        this.signatureVersion = other.signatureVersion;
         this.oauthToken = other.oauthToken;
         this.analytics = other.analytics;
     }
@@ -320,6 +327,7 @@ public static class Builder {
         private boolean forceVersion = true;
         private boolean longUrlSignature = DEFAULT_IS_LONG_SIGNATURE;
         private SignatureAlgorithm signatureAlgorithm = DEFAULT_SIGNATURE_ALGORITHM;
+        private int signatureVersion = DEFAULT_SIGNATURE_VERSION;
         private String oauthToken = null;
         private boolean analytics;
 
@@ -360,6 +368,7 @@ public Configuration build() {
                             forceVersion,
                             longUrlSignature,
                             signatureAlgorithm,
+                            signatureVersion,
                             oauthToken,
                             analytics);
             configuration.clientHints = clientHints;
@@ -500,6 +509,11 @@ public Builder setSignatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
             return this;
         }
 
+        public Builder setSignatureVersion(int signatureVersion) {
+            this.signatureVersion = signatureVersion;
+            return this;
+        }
+
         public Builder setOAuthToken(String oauthToken) {
             this.oauthToken = oauthToken;
             return this;
@@ -535,6 +549,7 @@ public Builder from(Configuration other) {
             this.forceVersion = other.forceVersion;
             this.longUrlSignature = other.longUrlSignature;
             this.signatureAlgorithm = other.signatureAlgorithm;
+            this.signatureVersion = other.signatureVersion;
             this.oauthToken = other.oauthToken;
             this.analytics = other.analytics;
             return this;

cloudinary-core/src/main/java/com/cloudinary/Util.java

@@ -366,8 +366,8 @@ public static byte[] getUTF8Bytes(String string) {
      * @param apiSecret     secret value
      * @return hex-string representation of signature calculated based on provided parameters map and secret
      */
-    public static String produceSignature(Map<String, Object> paramsToSign, String apiSecret) {
-        return produceSignature(paramsToSign, apiSecret, SignatureAlgorithm.SHA1);
+    public static String produceSignature(Map<String, Object> paramsToSign, String apiSecret, int signatureVersion) {
+        return produceSignature(paramsToSign, apiSecret, SignatureAlgorithm.SHA1, signatureVersion);
     }
 
     /**
@@ -384,22 +384,42 @@ public static String produceSignature(Map<String, Object> paramsToSign, String a
      * @param signatureAlgorithm type of hashing algorithm to use for calculation of HMAC
      * @return hex-string representation of signature calculated based on provided parameters map and secret
      */
-    public static String produceSignature(Map<String, Object> paramsToSign, String apiSecret, SignatureAlgorithm signatureAlgorithm) {
-        Collection<String> params = new ArrayList<String>();
-        for (Map.Entry<String, Object> param : new TreeMap<String, Object>(paramsToSign).entrySet()) {
-            if (param.getValue() instanceof Collection) {
-                params.add(param.getKey() + "=" + StringUtils.join((Collection) param.getValue(), ","));
-            } else if (param.getValue() instanceof Object[]) {
-                params.add(param.getKey() + "=" + StringUtils.join((Object[]) param.getValue(), ","));
-            } else {
-                if (StringUtils.isNotBlank(param.getValue())) {
-                    params.add(param.getKey() + "=" + param.getValue().toString());
-                }
+    public static String produceSignature(Map<String, Object> paramsToSign, String apiSecret, SignatureAlgorithm signatureAlgorithm, int signatureVersion) {
+        Collection<String> flattenedParams = flattenAndSanitizeParams(paramsToSign, signatureVersion);
+        String toSign = StringUtils.join(flattenedParams, "&") + apiSecret;
+        byte[] hash = Util.hash(toSign, signatureAlgorithm);
+        return StringUtils.encodeHexString(hash);
+    }
+
+    private static Collection<String> flattenAndSanitizeParams(Map<String, Object> paramsToSign, int signatureVersion) {
+        Collection<String> params = new ArrayList<>();
+
+        for (Map.Entry<String, Object> entry : new TreeMap<>(paramsToSign).entrySet()) {
+            Object value = entry.getValue();
+            String rawValue = null;
+
+            if (value instanceof Collection) {
+                rawValue = StringUtils.join((Collection) value, ",");
+            } else if (value instanceof Object[]) {
+                rawValue = StringUtils.join((Object[]) value, ",");
+            } else if (value != null && StringUtils.isNotBlank(value.toString())) {
+                rawValue = value.toString();
+            }
+
+            if (rawValue != null) {
+                String sanitizedValue = (signatureVersion == 2)
+                        ? escapeAmpersand(rawValue)
+                        : rawValue;
+
+                params.add(entry.getKey() + "=" + sanitizedValue);
             }
         }
-        String to_sign = StringUtils.join(params, "&");
-        byte[] hash = Util.hash(to_sign + apiSecret, signatureAlgorithm);
-        return StringUtils.encodeHexString(hash);
+
+        return params;
+    }
+
+    private static String escapeAmpersand(String input) {
+        return input.replace("&", "%26");
     }
 
     /**

cloudinary-core/src/main/java/com/cloudinary/api/signing/ApiResponseSignatureVerifier.java

@@ -60,6 +60,6 @@ public ApiResponseSignatureVerifier(String secretKey, SignatureAlgorithm signatu
     public boolean verifySignature(String publicId, String version, String signature) {
         return Util.produceSignature(ObjectUtils.asMap(
                 "public_id", emptyIfNull(publicId),
-                "version", emptyIfNull(version)), secretKey, signatureAlgorithm).equals(signature);
+                "version", emptyIfNull(version)), secretKey, signatureAlgorithm, 1).equals(signature);
     }
 }

cloudinary-core/src/test/java/com/cloudinary/test/CloudinaryTest.java

@@ -1438,14 +1438,14 @@ public void testCloudinaryUrlEmptyScheme() {
     @Test
     public void testApiSignRequestSHA1() {
         cloudinary.config.signatureAlgorithm = SignatureAlgorithm.SHA1;
-        String signature = cloudinary.apiSignRequest(ObjectUtils.asMap("cloud_name", "dn6ot3ged", "timestamp", 1568810420, "username", "user@cloudinary.com"), "hdcixPpR2iKERPwqvH6sHdK9cyac");
+        String signature = cloudinary.apiSignRequest(ObjectUtils.asMap("cloud_name", "dn6ot3ged", "timestamp", 1568810420, "username", "user@cloudinary.com"), "hdcixPpR2iKERPwqvH6sHdK9cyac", cloudinary.config.signatureVersion);
         assertEquals("14c00ba6d0dfdedbc86b316847d95b9e6cd46d94", signature);
     }
 
     @Test
     public void testApiSignRequestSHA256() {
         cloudinary.config.signatureAlgorithm = SignatureAlgorithm.SHA256;
-        String signature = cloudinary.apiSignRequest(ObjectUtils.asMap("cloud_name", "dn6ot3ged", "timestamp", 1568810420, "username", "user@cloudinary.com"), "hdcixPpR2iKERPwqvH6sHdK9cyac");
+        String signature = cloudinary.apiSignRequest(ObjectUtils.asMap("cloud_name", "dn6ot3ged", "timestamp", 1568810420, "username", "user@cloudinary.com"), "hdcixPpR2iKERPwqvH6sHdK9cyac", cloudinary.config.signatureVersion);
         assertEquals("45ddaa4fa01f0c2826f32f669d2e4514faf275fe6df053f1a150e7beae58a3bd", signature);
     }
 

cloudinary-test-common/src/main/java/com/cloudinary/test/AbstractApiTest.java

@@ -1368,4 +1368,39 @@ public void testAllowDerivedNextCursor() throws Exception {
             cloudinary.uploader().destroy(publicId, Collections.singletonMap("invalidate", true));
         }
     }
+
+    @Test
+    public void testSignatureWithEscapingCharacters() {
+        String API_SIGN_REQUEST_CLOUD_NAME = "dn6ot3ged";
+        String API_SIGN_REQUEST_TEST_SECRET = "hdcixPpR2iKERPwqvH6sHdK9cyac";
+
+        Map<String, Object> paramsWithAmpersand = new HashMap<>();
+        paramsWithAmpersand.put("cloud_name", API_SIGN_REQUEST_CLOUD_NAME);
+        paramsWithAmpersand.put("timestamp", 1568810420);
+        paramsWithAmpersand.put("notification_url", "https://fake.com/callback?a=1&tags=hello,world");
+
+        String signatureWithAmpersand = Util.produceSignature(paramsWithAmpersand, API_SIGN_REQUEST_TEST_SECRET, cloudinary.config.signatureVersion);
+
+        Map<String, Object> paramsSmuggled = new HashMap<>();
+        paramsSmuggled.put("cloud_name", API_SIGN_REQUEST_CLOUD_NAME);
+        paramsSmuggled.put("timestamp", 1568810420);
+        paramsSmuggled.put("notification_url", "https://fake.com/callback?a=1");
+        paramsSmuggled.put("tags", "hello,world");
+
+        String signatureSmuggled = Util.produceSignature(paramsSmuggled, API_SIGN_REQUEST_TEST_SECRET, cloudinary.config.signatureVersion);
+
+        assertNotEquals(signatureWithAmpersand, signatureSmuggled,
+                "Signatures should be different to prevent parameter smuggling");
+
+        String expectedSignature = "4fdf465dd89451cc1ed8ec5b3e314e8a51695704";
+        assertEquals(expectedSignature, signatureWithAmpersand);
+
+        String expectedSmuggledSignature = "7b4e3a539ff1fa6e6700c41b3a2ee77586a025f9";
+        assertEquals(expectedSmuggledSignature, signatureSmuggled);
+
+        String versionOneSignature = Util.produceSignature(paramsSmuggled, API_SIGN_REQUEST_TEST_SECRET, 1);
+
+        assertEquals(expectedSmuggledSignature, versionOneSignature);
+
+    }
 }

cloudinary-test-common/src/main/java/com/cloudinary/test/AbstractUploaderTest.java

@@ -104,7 +104,7 @@ public void testUtf8Upload() throws IOException {
         Map<String, Object> to_sign = new HashMap<String, Object>();
         to_sign.put("public_id", result.get("public_id"));
         to_sign.put("version", ObjectUtils.asString(result.get("version")));
-        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
+        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret, cloudinary.config.signatureVersion);
         assertEquals(result.get("signature"), expected_signature);
     }
 
@@ -131,7 +131,7 @@ public void testUpload() throws IOException {
         Map<String, Object> to_sign = new HashMap<String, Object>();
         to_sign.put("public_id", result.get("public_id"));
         to_sign.put("version", ObjectUtils.asString(result.get("version")));
-        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
+        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret, cloudinary.config.signatureVersion);
         assertEquals(result.get("signature"), expected_signature);
     }
 
@@ -167,7 +167,7 @@ public void testUploadUrl() throws IOException {
         Map<String, Object> to_sign = new HashMap<String, Object>();
         to_sign.put("public_id", result.get("public_id"));
         to_sign.put("version", ObjectUtils.asString(result.get("version")));
-        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
+        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret, cloudinary.config.signatureVersion);
         assertEquals(result.get("signature"), expected_signature);
     }
 
@@ -179,7 +179,7 @@ public void testUploadLargeUrl() throws IOException {
         Map<String, Object> to_sign = new HashMap<String, Object>();
         to_sign.put("public_id", result.get("public_id"));
         to_sign.put("version", ObjectUtils.asString(result.get("version")));
-        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
+        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret, cloudinary.config.signatureVersion);
         assertEquals(result.get("signature"), expected_signature);
     }
 
@@ -191,7 +191,7 @@ public void testUploadDataUri() throws IOException {
         Map<String, Object> to_sign = new HashMap<String, Object>();
         to_sign.put("public_id", result.get("public_id"));
         to_sign.put("version", ObjectUtils.asString(result.get("version")));
-        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
+        String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret, cloudinary.config.signatureVersion);
         assertEquals(result.get("signature"), expected_signature);
     }