Skip to content

CLDSRV-932: validate x-amz-content-sha256#6208

Merged
bert-e merged 8 commits into
development/9.4from
bugfix/CLDSRV-932-check-x-amz-content-sha256
Jul 3, 2026
Merged

CLDSRV-932: validate x-amz-content-sha256#6208
bert-e merged 8 commits into
development/9.4from
bugfix/CLDSRV-932-check-x-amz-content-sha256

Conversation

@leif-scality

@leif-scality leif-scality commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Reject a SigV4 request if the sha256 of the body does not match the x-amz-content-sha256 header

@bert-e

bert-e commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e

bert-e commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Incorrect fix version

The Fix Version/s in issue CLDSRV-932 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 9.4.0

Please check the Fix Version/s of CLDSRV-932, or the target
branch of this pull request.

@leif-scality leif-scality changed the title CLDSRV-932: validate x-amz content sha256 CLDSRV-932: validate x-amz-content-sha256 Jun 26, 2026
Comment thread lib/auth/streamingV4/ContentSHA256Transform.js Dismissed
Comment thread lib/auth/streamingV4/ContentSHA256Transform.js Dismissed
Comment thread package.json Outdated
Comment thread tests/unit/api/apiUtils/integrity/validateChecksums.js Outdated
Comment thread tests/unit/api/apiUtils/integrity/validateChecksums.js Outdated
Comment thread tests/unit/api/apiUtils/integrity/validateChecksums.js Outdated
Comment thread tests/functional/raw-node/test/xAmzContentSha256Mismatch.js Outdated
@codecov

codecov Bot commented Jun 26, 2026

Copy link
Copy Markdown

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
9661 2 9659 0
View the full list of 2 ❄️ flaky test(s)
"after each" hook for "should fail if trying to overwrite a delete marker"::MPU with x-scal-s3-version-id header With default signature "after each" hook for "should fail if trying to overwrite a delete marker"

Flake rate in main: 100.00% (Passed 0 times, Failed 172 times)

Stack Traces | 0.015s run time
We encountered an internal error. Please try again.
"after each" hook for "should fail if trying to overwrite a delete marker"::MPU with x-scal-s3-version-id header With v4 signature "after each" hook for "should fail if trying to overwrite a delete marker"

Flake rate in main: 100.00% (Passed 0 times, Failed 174 times)

Stack Traces | 0.017s run time
We encountered an internal error. Please try again.

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@leif-scality leif-scality force-pushed the bugfix/CLDSRV-932-check-x-amz-content-sha256 branch 2 times, most recently from 969e37f to ffbc547 Compare June 26, 2026 15:52
Comment thread lib/api/apiUtils/object/validatePayloadProtocol.js
@leif-scality leif-scality force-pushed the bugfix/CLDSRV-932-check-x-amz-content-sha256 branch 4 times, most recently from 9070485 to 9aafbf6 Compare July 1, 2026 08:26

@fredmnl fredmnl left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, I'm approving. Unless you have a strong reason not to (if the AWS implementation/spec doesn't comply in this case), please include the zero-byte test case.

});
});

makeMismatchTests(() => `http://${host}:${port}/${bucket}/${objectKey}`);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  const emptyBody = Buffer.alloc(0);
  const emptySha256Hex = crypto.createHash('sha256').update(emptyBody).digest('hex');

  describe('with an empty body (zero-byte path)', () => {
      makeMismatchTests(() => `http://${host}:${port}/${bucket}/${objectKey}`, emptyBody, emptySha256Hex);
  });

Claude suggested this test for an zero-byte object (and is saying that it will fail)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed PutObject zero byte case. Also added multiple zero-byte tests for the other endpoints

@leif-scality

Copy link
Copy Markdown
Contributor Author

ping

@bert-e

bert-e commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@leif-scality

Copy link
Copy Markdown
Contributor Author

/approve

@bert-e

bert-e commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build failed

The build for commit did not succeed in branch bugfix/CLDSRV-932-check-x-amz-content-sha256

The following options are set: approve

@bert-e

bert-e commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Conflict

There is a conflict between your branch bugfix/CLDSRV-932-check-x-amz-content-sha256 and the
destination branch development/9.4.

Please resolve the conflict on the feature branch (bugfix/CLDSRV-932-check-x-amz-content-sha256).

git fetch && \
git checkout origin/bugfix/CLDSRV-932-check-x-amz-content-sha256 && \
git merge origin/development/9.4

Resolve merge conflicts and commit

git push origin HEAD:bugfix/CLDSRV-932-check-x-amz-content-sha256

The following options are set: approve

@leif-scality leif-scality force-pushed the bugfix/CLDSRV-932-check-x-amz-content-sha256 branch from 8d88ff2 to 37fa6dc Compare July 3, 2026 20:40
Comment on lines +54 to +68
return Promise.resolve(algorithms[algorithm].digest(Buffer.alloc(0))).then(
value => {
if (expected !== undefined && expected !== value) {
return callback(errorInstances.BadDigest.customizeDescription(
`The ${algorithm.toUpperCase()} you specified did not match the calculated checksum.`
));
return callback(
errorInstances.BadDigest.customizeDescription(
`The ${algorithm.toUpperCase()} you specified did not match the calculated checksum.`,
),
);
}
// eslint-disable-next-line no-param-reassign
metadataStoreParams.checksum = { algorithm, value, type: 'FULL_OBJECT' };
return callback(null);
}, err => callback(err));
},
err => callback(err),
);
Comment on lines -271 to +331
return next(arsenalErrorFromChecksumError(headerChecksum));
}
const checksums = {
primary: headerChecksum || defaultChecksumData,
secondary: null,
};
return dataStore(objectKeyContext, cipherBundle, request, size,
streamingV4Params, backendInfo, checksums, log, next);
},
function processDataResult(dataGetInfo, calculatedHash, checksum, next) {
if (dataGetInfo === null || dataGetInfo === undefined) {
return next(null, null);
}
// So that data retrieval information for MPU's and
// regular puts are stored in the same data structure,
// place the retrieval info here into a single element array
const { key, dataStoreName, dataStoreType, dataStoreETag,
dataStoreVersionId } = dataGetInfo;
const prefixedDataStoreETag = dataStoreETag
? `1:${dataStoreETag}`
: `1:${calculatedHash}`;
const dataGetInfoArr = [{ key, size, start: 0, dataStoreName,
dataStoreType, dataStoreETag: prefixedDataStoreETag,
dataStoreVersionId
}];
if (cipherBundle) {
dataGetInfoArr[0].cryptoScheme = cipherBundle.cryptoScheme;
dataGetInfoArr[0].cipheredDataKey =
cipherBundle.cipheredDataKey;
}
if (mdOnlyHeader === 'true') {
metadataStoreParams.size = mdOnlySize;
dataGetInfoArr[0].size = mdOnlySize;
}
metadataStoreParams.contentMD5 = calculatedHash;
if (checksum) {
// eslint-disable-next-line no-param-reassign
checksum.type = 'FULL_OBJECT';
metadataStoreParams.checksum = checksum;
}
return next(null, dataGetInfoArr);
},
function getVersioningInfo(infoArr, next) {
// if x-scal-s3-version-id header is specified, we overwrite the object/version metadata.
if (isPutVersion) {
const options = overwritingVersioning(objMD, metadataStoreParams);
return process.nextTick(() => next(null, options, infoArr));
}
const headerChecksum = getChecksumDataFromHeaders(request.headers);
if (headerChecksum && headerChecksum.error) {
return next(arsenalErrorFromChecksumError(headerChecksum));
}
const checksums = {
primary: headerChecksum || defaultChecksumData,
secondary: null,
};
return dataStore(
objectKeyContext,
cipherBundle,
request,
size,
streamingV4Params,
backendInfo,
checksums,
log,
next,
);
},
function processDataResult(dataGetInfo, calculatedHash, checksum, next) {
if (dataGetInfo === null || dataGetInfo === undefined) {
return next(null, null);
}
// So that data retrieval information for MPU's and
// regular puts are stored in the same data structure,
// place the retrieval info here into a single element array
const { key, dataStoreName, dataStoreType, dataStoreETag, dataStoreVersionId } = dataGetInfo;
const prefixedDataStoreETag = dataStoreETag ? `1:${dataStoreETag}` : `1:${calculatedHash}`;
const dataGetInfoArr = [
{
key,
size,
start: 0,
dataStoreName,
dataStoreType,
dataStoreETag: prefixedDataStoreETag,
dataStoreVersionId,
},
];
if (cipherBundle) {
dataGetInfoArr[0].cryptoScheme = cipherBundle.cryptoScheme;
dataGetInfoArr[0].cipheredDataKey = cipherBundle.cipheredDataKey;
}
if (mdOnlyHeader === 'true') {
metadataStoreParams.size = mdOnlySize;
dataGetInfoArr[0].size = mdOnlySize;
}
metadataStoreParams.contentMD5 = calculatedHash;
if (checksum) {
// eslint-disable-next-line no-param-reassign
checksum.type = 'FULL_OBJECT';
metadataStoreParams.checksum = checksum;
}
return next(null, dataGetInfoArr);
},
function getVersioningInfo(infoArr, next) {
// if x-scal-s3-version-id header is specified, we overwrite the object/version metadata.
if (isPutVersion) {
const options = overwritingVersioning(objMD, metadataStoreParams);
return process.nextTick(() => next(null, options, infoArr));
}

if (!bucketMD.isVersioningEnabled() && objMD?.archive?.archiveInfo) {
// Ensure we trigger a "delete" event in the oplog for the previously archived object
metadataStoreParams.needOplogUpdate = 's3:ReplaceArchivedObject';
}
if (!bucketMD.isVersioningEnabled() && objMD?.archive?.archiveInfo) {
// Ensure we trigger a "delete" event in the oplog for the previously archived object
metadataStoreParams.needOplogUpdate = 's3:ReplaceArchivedObject';
}

return versioningPreprocessing(bucketName, bucketMD,
metadataStoreParams.objectKey, objMD, log, (err, options) => {
if (err) {
// TODO: check AWS error when user requested a specific
// version before any versions have been put
const logLvl = err.is.BadRequest ?
'debug' : 'error';
log[logLvl]('error getting versioning info', {
error: err,
method: 'versioningPreprocessing',
});
}
return versioningPreprocessing(
bucketName,
bucketMD,
metadataStoreParams.objectKey,
objMD,
log,
Comment on lines +332 to -367
(err, options) => {
if (err) {
// TODO: check AWS error when user requested a specific
// version before any versions have been put
const logLvl = err.is.BadRequest ? 'debug' : 'error';
log[logLvl]('error getting versioning info', {
error: err,
method: 'versioningPreprocessing',
});
}

const location = infoArr?.[0]?.dataStoreName;
if (location === bucketMD.getLocationConstraint() && bucketMD.isIngestionBucket()) {
// If the object is being written to the "ingested" storage location, keep the same
// versionId for consistency and to avoid creating an extra version when it gets
// ingested
const backendVersionId = decodeVID(infoArr[0].dataStoreVersionId);
if (!(backendVersionId instanceof Error)) {
options.versionId = backendVersionId; // eslint-disable-line no-param-reassign
const location = infoArr?.[0]?.dataStoreName;
if (location === bucketMD.getLocationConstraint() && bucketMD.isIngestionBucket()) {
// If the object is being written to the "ingested" storage location, keep the same
// versionId for consistency and to avoid creating an extra version when it gets
// ingested
const backendVersionId = decodeVID(infoArr[0].dataStoreVersionId);
if (!(backendVersionId instanceof Error)) {
options.versionId = backendVersionId; // eslint-disable-line no-param-reassign
}
}
}

return next(err, options, infoArr);
});
},
function storeMDAndDeleteData(options, infoArr, next) {
metadataStoreParams.versionId = options.versionId;
Comment on lines 368 to 411
Comment on lines 412 to 432
Comment thread lib/api/objectPut.js
Comment on lines +143 to +148
function handleTransientOrDeleteBuckets(next) {
if (bucket.hasTransientFlag() || bucket.hasDeletedFlag()) {
return cleanUpBucket(bucket, canonicalID, log, next);
}
return next(null, sseConfig);
}
);
},
function createCipherBundle(serverSideEncryptionConfig, next) {
if (serverSideEncryptionConfig) {
return kms.createCipherBundle(
serverSideEncryptionConfig, log, (err, cipherBundle) => {
return next();
},
Comment thread lib/api/objectPut.js
Comment on lines +149 to +157
function getSSEConfig(next) {
return getObjectSSEConfiguration(headers, bucket, log, (err, sseConfig) => {
if (err) {
return next(err);
log.error('error getting server side encryption config', { err });
return next(invalidSSEError);
}
setSSEHeaders(responseHeaders,
cipherBundle.algorithm,
cipherBundle.configuredMasterKeyId || cipherBundle.masterKeyId);
return next(null, cipherBundle);
return next(null, sseConfig);
});
}
return next(null, null);
},
function objectCreateAndStore(cipherBundle, next) {
const objectLockValidationError
= validateHeaders(bucket, headers, log);
if (objectLockValidationError) {
return next(objectLockValidationError);
}
writeContinue(request, request._response);
return createAndStoreObject(bucketName,
bucket, objectKey, objMD, authInfo, canonicalID, cipherBundle,
request, false, streamingV4Params, overheadField, log, 's3:ObjectCreated:Put', next);
},
], (err, storingResult) => {
if (err) {
monitoring.promMetrics('PUT', bucketName, err.code,
'putObject');
return callback(err, responseHeaders);
}
// ingestSize assumes that these custom headers indicate
// an ingestion PUT which is a metadata only operation.
// Since these headers can be modified client side, they
// should be used with caution if needed for precise
// metrics.
const ingestSize = (request.headers['x-amz-meta-mdonly']
&& !Number.isNaN(request.headers['x-amz-meta-size']))
? Number.parseInt(request.headers['x-amz-meta-size'], 10) : null;
const newByteLength = parsedContentLength;
},
Comment thread lib/api/objectPut.js
Comment on lines +158 to +173
function createCipherBundle(serverSideEncryptionConfig, next) {
if (serverSideEncryptionConfig) {
return kms.createCipherBundle(serverSideEncryptionConfig, log, (err, cipherBundle) => {
if (err) {
return next(err);
}
setSSEHeaders(
responseHeaders,
cipherBundle.algorithm,
cipherBundle.configuredMasterKeyId || cipherBundle.masterKeyId,
);
return next(null, cipherBundle);
});
}
return next(null, null);
},
Comment thread lib/api/objectPut.js
Comment on lines +174 to +196
function objectCreateAndStore(cipherBundle, next) {
const objectLockValidationError = validateHeaders(bucket, headers, log);
if (objectLockValidationError) {
return next(objectLockValidationError);
}
writeContinue(request, request._response);
return createAndStoreObject(
bucketName,
bucket,
objectKey,
objMD,
authInfo,
canonicalID,
cipherBundle,
request,
false,
streamingV4Params,
overheadField,
log,
's3:ObjectCreated:Put',
next,
);
},
@bert-e

bert-e commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Build failed

The build for commit did not succeed in branch bugfix/CLDSRV-932-check-x-amz-content-sha256

The following options are set: approve

@bert-e

bert-e commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

I have successfully merged the changeset of this pull request
into targetted development branches:

  • ✔️ development/9.4

The following branches have NOT changed:

  • development/7.10
  • development/7.4
  • development/7.70
  • development/8.8
  • development/9.0
  • development/9.1
  • development/9.2
  • development/9.3

This pull request did not target the following hotfix branch(es) so they
were left untouched:

  • hotfix/7.10.49
  • hotfix/7.10.27
  • hotfix/7.4.5
  • hotfix/7.4.9
  • hotfix/7.4.0
  • hotfix/6.4.7
  • hotfix/7.10.8
  • hotfix/7.2.0
  • hotfix/7.4.10
  • hotfix/7.4.6
  • hotfix/8.8.45
  • hotfix/7.10.1
  • hotfix/7.4.3
  • hotfix/7.6.0
  • hotfix/9.0.7
  • hotfix/7.10.15
  • hotfix/7.7.0
  • hotfix/7.4.1
  • hotfix/9.2.24
  • hotfix/7.10.0
  • hotfix/7.4.7
  • hotfix/7.70.11
  • hotfix/7.70.21
  • hotfix/9.0.32
  • hotfix/7.4.8
  • hotfix/7.10.3
  • hotfix/9.2.36
  • hotfix/7.9.0
  • hotfix/7.70.45
  • hotfix/7.70.51
  • hotfix/7.10.28
  • hotfix/7.4.4
  • hotfix/7.10.2
  • hotfix/7.4.2
  • hotfix/7.8.0
  • hotfix/7.10.30
  • hotfix/7.70.73
  • hotfix/7.10.4

Please check the status of the associated issue CLDSRV-932.

Goodbye leif-scality.

The following options are set: approve

@bert-e bert-e merged commit 37fa6dc into development/9.4 Jul 3, 2026
82 of 85 checks passed
@bert-e bert-e deleted the bugfix/CLDSRV-932-check-x-amz-content-sha256 branch July 3, 2026 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants