Merge pull request #7326 from BitGo/ANT-1033-fix

bdesoky · web-flow · commit 8f28179868be · 2025-10-23T15:29:37.000-04:00
fix: Do not append text to HMAC subject if undefined
diff --git a/modules/sdk-hmac/src/hmac.ts b/modules/sdk-hmac/src/hmac.ts
@@ -57,13 +57,12 @@ export function calculateHMACSubject<T extends string | Buffer = string>({
         ? [method.toUpperCase(), timestamp, '3.0', queryPath].join('|')
         : [timestamp, queryPath].join('|');
   }
-  prefixedText += '|';
 
   const isBuffer = Buffer.isBuffer(text);
   if (isBuffer) {
-    return Buffer.concat([Buffer.from(prefixedText, 'utf-8'), text]) as T;
+    return Buffer.concat([Buffer.from(prefixedText + '|', 'utf-8'), text]) as T;
   }
-  return (prefixedText + text) as T;
+  return [prefixedText, text].join('|') as T;
 }
 
 /**
diff --git a/modules/sdk-hmac/test/hmac.ts b/modules/sdk-hmac/test/hmac.ts
@@ -75,6 +75,20 @@ describe('HMAC Utility Functions', () => {
       ).to.equal(expectedSubject);
     });
 
+    it('should not include undefined for a response when text is undefined', () => {
+      const expectedSubject = 'GET|1672531200000|/api/test|200|';
+      expect(
+        calculateHMACSubject({
+          urlPath: '/api/test',
+          text: undefined as unknown as string,
+          timestamp: MOCK_TIMESTAMP,
+          statusCode: 200,
+          method: 'get',
+          authVersion: 3,
+        })
+      ).to.equal(expectedSubject);
+    });
+
     it('should handle Buffer text input and return a Buffer for requests', () => {
       const buffer = Buffer.from('binary-data-content');
       const result = calculateHMACSubject({
@@ -96,6 +110,22 @@ describe('HMAC Utility Functions', () => {
       expect(result).to.deep.equal(expectedBuffer);
     });
 
+    it('should handle Buffer undefined text input and return a Buffer for requests', () => {
+      const buffer = undefined as unknown as Buffer;
+      const result = calculateHMACSubject({
+        urlPath: '/api/test',
+        text: buffer,
+        timestamp: MOCK_TIMESTAMP,
+        method: 'get',
+        authVersion: 3,
+      });
+
+      expect(Buffer.isBuffer(result)).to.be.false;
+
+      const expectedSubject = 'GET|1672531200000|3.0|/api/test|';
+      expect(result).to.deep.equal(expectedSubject);
+    });
+
     it('should handle Buffer text input and return a Buffer for responses', () => {
       const buffer = Buffer.from('binary-response-data');
       const result = calculateHMACSubject({

Original file line number	Diff line number	Diff line change
`@@ -57,13 +57,12 @@ export function calculateHMACSubject<T extends string \| Buffer = string>({`
`57`	`57`	`? [method.toUpperCase(), timestamp, '3.0', queryPath].join('\|')`
`58`	`58`	`: [timestamp, queryPath].join('\|');`
`59`	`59`	`}`
`60`		`- prefixedText += '\|';`
`61`	`60`
`62`	`61`	`const isBuffer = Buffer.isBuffer(text);`
`63`	`62`	`if (isBuffer) {`
`64`		`- return Buffer.concat([Buffer.from(prefixedText, 'utf-8'), text]) as T;`
	`63`	`+ return Buffer.concat([Buffer.from(prefixedText + '\|', 'utf-8'), text]) as T;`
`65`	`64`	`}`
`66`		`- return (prefixedText + text) as T;`
	`65`	`+ return [prefixedText, text].join('\|') as T;`
`67`	`66`	`}`
`68`	`67`
`69`	`68`	`/**`