Do not Escape HTML when encoding the policy (#1374)

joshwoodkx · web-flow · commit f5c57ae60015 · 2021-08-11T15:34:45.000-07:00
diff --git a/feature/cloudfront/sign/policy.go b/feature/cloudfront/sign/policy.go
@@ -182,11 +182,13 @@ func NewCannedPolicy(resource string, expires time.Time) *Policy {
 
 // encodePolicy encodes the Policy as JSON and also base 64 encodes it.
 func encodePolicy(p *Policy) (b64Policy, jsonPolicy []byte, err error) {
-	jsonPolicy, err = json.Marshal(p)
-	if err != nil {
+	buffer := &bytes.Buffer{}
+	encoder := json.NewEncoder(buffer)
+	encoder.SetEscapeHTML(false)
+	if err := encoder.Encode(p); err != nil {
 		return nil, nil, fmt.Errorf("failed to encode policy, %s", err.Error())
 	}
-
+	jsonPolicy = buffer.Bytes()
 	// Remove leading and trailing white space, JSON encoding will note include
 	// whitespace within the encoding.
 	jsonPolicy = bytes.TrimSpace(jsonPolicy)
diff --git a/feature/cloudfront/sign/policy_test.go b/feature/cloudfront/sign/policy_test.go
@@ -49,6 +49,10 @@ var testCreateResource = []struct {
 	expect    string
 	errPrefix string
 }{
+	{
+		"https", "https://example.com/a?b=1&c=2",
+		"https://example.com/a?b=1&c=2", "",
+	},
 	{
 		"https", "https://example.com/a?b=1",
 		"https://example.com/a?b=1", "",
@@ -61,6 +65,10 @@ var testCreateResource = []struct {
 		"rtmp", "https://example.com/a?b=1",
 		"a?b=1", "",
 	},
+	{
+		"rtmp", "https://example.com/a?b=1&c=2",
+		"a?b=1&c=2", "",
+	},
 	{
 		"ftp", "ftp://example.com/a?b=1",
 		"", "invalid URL scheme",
@@ -112,6 +120,27 @@ func TestEncodePolicy(t *testing.T) {
 	}
 }
 
+func TestEncodePolicyWithQueryParams(t *testing.T) {
+	const (
+		expectedJSONPolicy = `{"Statement":[{"Resource":"https://example.com/a?b=1&c=2","Condition":{"DateLessThan":{"AWS:EpochTime":1257894000}}}]}`
+		expectedB64Policy  = `eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9hP2I9MSZjPTIiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ==`
+	)
+	p := NewCannedPolicy("https://example.com/a?b=1&c=2", testTime)
+
+	b64Policy, jsonPolicy, err := encodePolicy(p)
+	if err != nil {
+		t.Fatalf("Unexpected error, %#v", err)
+	}
+
+	if string(jsonPolicy) != expectedJSONPolicy {
+		t.Errorf("Expected json encoding to match, \nexpect: %s\nactual: %s\n", expectedJSONPolicy, jsonPolicy)
+	}
+
+	if string(b64Policy) != expectedB64Policy {
+		t.Errorf("Expected b64 encoding to match, \nexpect: %s\nactual: %s\n", expectedB64Policy, b64Policy)
+	}
+}
+
 func TestSignEncodedPolicy(t *testing.T) {
 	p := NewCannedPolicy("https://example.com/a", testTime)
 	_, jsonPolicy, err := encodePolicy(p)
diff --git a/feature/cloudfront/sign/sign_url_test.go b/feature/cloudfront/sign/sign_url_test.go
@@ -22,6 +22,10 @@ var testSignURL = []struct {
 		"http://example.com/a", NewCannedPolicy("http://example.com/a", testSignTime), time.Time{}, true, false,
 		"http://example.com/a?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cDovL2V4YW1wbGUuY29tL2EiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=cMutWOvPMOPuh0KFDsOdbML~1fe0eEBC1hdMLGRbYr3mTRrVbKDdUXL6l3vlbE0Og3rTRS6mlaSORTwesN1srESH1pXFUyCVba8tWqNy1frEiL7jZLyzA1KndH0olfJDfgHXdw-Edtk0m8mqY~AnGIYGYDu659dWeP49jVeYn30XF9sYkRCdS5IezAkqh8TO9tTDNGS4Ic6DQue4agHUFLNv1VErTafUxlSBp8hlPCuMdtZLEBLr9UJVc3oWJI3zc1~9JgVTDjbXYV1-HgTn8qQsbAU2KcieUonIzTme2td-7c2FCC0EAbOF~6QXTHWcAiSB5nVmbxn-Mx-QMVsiLw__&Key-Pair-Id=KeyID",
 	},
+	{
+		"https://example.com/a?b=1&c=2", NewCannedPolicy("https://example.com/a?b=1&c=2", testSignTime), time.Time{}, true, false,
+		"https://example.com/a?b=1&c=2&Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9hP2I9MSZjPTIiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyNTc4OTQwMDB9fX1dfQ__&Signature=E6xB7RtIDvx8AxM1Wuup3ROYTQwBDW-qqcrb8lSUvtL78wenjh3P0YLXK-mFK0PSzdNtzI2ZIXja6Nh2yma0IVQiZMjn3wijvVsMy9fRXyusVXB1zYSfiInVr2uhqSb-ZCn1RD32ebyMD6IWn5Kss1fT4wefc8Q76J0Y4jprAvmLCtGnrW~quZdOg~KKmY-qK11ifNwv2ECADBxZeEx1PIDHdWuXYrCBJIwSl-bVscwQWDm2BzeYuHCaLuAVDuc62JJzc7nX3E1CA1VRHY~vegYjOV6zVxtp7aBV4RJUY4yfHNM4n640FXUPPwMacqE-lnNOfx704YVTl4tjzuvzuA__&Key-Pair-Id=KeyID",
+	},
 	{
 		"http://example.com/a", nil, testSignTime, false, false,
 		"http://example.com/a?Expires=1257894000&Signature=cMutWOvPMOPuh0KFDsOdbML~1fe0eEBC1hdMLGRbYr3mTRrVbKDdUXL6l3vlbE0Og3rTRS6mlaSORTwesN1srESH1pXFUyCVba8tWqNy1frEiL7jZLyzA1KndH0olfJDfgHXdw-Edtk0m8mqY~AnGIYGYDu659dWeP49jVeYn30XF9sYkRCdS5IezAkqh8TO9tTDNGS4Ic6DQue4agHUFLNv1VErTafUxlSBp8hlPCuMdtZLEBLr9UJVc3oWJI3zc1~9JgVTDjbXYV1-HgTn8qQsbAU2KcieUonIzTme2td-7c2FCC0EAbOF~6QXTHWcAiSB5nVmbxn-Mx-QMVsiLw__&Key-Pair-Id=KeyID",
@@ -97,6 +101,10 @@ var testBuildSignedURL = []struct {
 		"https://example.com/a", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
 		"https://example.com/a?Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
 	},
+	{
+		"https://example.com/a?b=1&c=2", "KeyID", NewCannedPolicy("", testSignTime), true, []byte("b64Policy"), []byte("b64Sig"),
+		"https://example.com/a?b=1&c=2&Policy=b64Policy&Signature=b64Sig&Key-Pair-Id=KeyID",
+	},
 	{
 		"https://example.com/a?b=1", "KeyID", NewCannedPolicy("https://example.com/a?b=1", testSignTime), false, []byte("b64Policy"), []byte("b64Sig"),
 		"https://example.com/a?b=1&Expires=1257894000&Signature=b64Sig&Key-Pair-Id=KeyID",
