chore: attempt to override url pathname

trivikr · trivikr · commit 55025878033d · 2025-07-30T19:25:08.000Z
diff --git a/packages/cloudfront-signer/src/getPathnameWithDots.spec.ts b/packages/cloudfront-signer/src/getPathnameWithDots.spec.ts
@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest";
+
+import { getPathnameWithDots } from "./getPathnameWithDots";
+
+describe("getPathnameWithDots", () => {
+  const origin = "http://d1234.cloudfront.net";
+
+  it("should return if there's no pathname", () => {
+    expect(getPathnameWithDots(origin)).toBe("/");
+    expect(getPathnameWithDots(`${origin}/`)).toBe("/");
+  });
+
+  it("should return if there's no '/./' or '/../' in pathname", () => {
+    const expectedPathname = `/foo/bar/index.html`;
+    expect(getPathnameWithDots(`${origin}${expectedPathname}`)).toBe(expectedPathname);
+  });
+
+  it.each(["/./", "/../"])("should include '%s' in pathname if it exists", (folderName) => {
+    const expectedPathname = `/foo${folderName}bar/index.html`;
+    expect(getPathnameWithDots(`${origin}${expectedPathname}`)).toBe(expectedPathname);
+    expect(getPathnameWithDots(`${origin}${expectedPathname}?foo=bar`)).toBe(expectedPathname);
+    expect(getPathnameWithDots(`${origin}${expectedPathname}#foo=bar`)).toBe(expectedPathname);
+  });
+});
diff --git a/packages/cloudfront-signer/src/getPathnameWithDots.ts b/packages/cloudfront-signer/src/getPathnameWithDots.ts
@@ -0,0 +1,20 @@
+/**
+ * Returns pathname with `/./` and `/../` allowed by S3 Objects
+ *
+ * @param urlString string provided for generating the URL.
+ */
+export const getPathnameWithDots = (urlString: string) => {
+  const url = new URL(urlString);
+
+  if (url.pathname === "/") return url.pathname;
+
+  if (!urlString.includes("/./") && !urlString.includes("/../")) return url.pathname;
+
+  const startIndex = url.origin.length;
+  const endIndex = urlString.includes("?")
+    ? urlString.indexOf("?")
+    : urlString.includes("#")
+    ? urlString.indexOf("#")
+    : urlString.length;
+  return urlString.substring(startIndex, endIndex);
+};
diff --git a/packages/cloudfront-signer/src/sign.spec.ts b/packages/cloudfront-signer/src/sign.spec.ts
@@ -369,14 +369,9 @@ describe("getSignedUrl", () => {
 
   describe("should not normalize the URL", () => {
     it.each([".", ".."])("with '%s'", (folderName) => {
-      const urlWithFolderName = `https://d111111abcdef8.cloudfront.net/public-content/${folderName}/private-content/private.jpeg`;
+      const urlWithFolderName = `https://d1234.cloudfront.net/public-content/${folderName}/private-content/private.jpeg`;
       const policy = JSON.stringify({ Statement: [{ Resource: urlWithFolderName }] });
-      const result = getSignedUrl({
-        keyPairId,
-        privateKey,
-        policy,
-        passphrase,
-      });
+      const result = getSignedUrl({ keyPairId, privateKey, policy, passphrase });
       const signature = createSignature(policy);
       expect(result.startsWith(urlWithFolderName)).toBeTruthy();
       const signatureQueryParam = denormalizeBase64(signature);
diff --git a/packages/cloudfront-signer/src/sign.ts b/packages/cloudfront-signer/src/sign.ts
@@ -1,5 +1,7 @@
 import { createSign } from "crypto";
 
+import { getPathnameWithDots } from "./getPathnameWithDots";
+
 /**
  * Input type to getSignedUrl and getSignedCookies.
  * @public
@@ -137,6 +139,7 @@ export function getSignedUrl({
   }
 
   const newURL = new URL(baseUrl!);
+  newURL.pathname = getPathnameWithDots(baseUrl!);
   newURL.search = Array.from(newURL.searchParams.entries())
     .concat(Object.entries(cloudfrontSignBuilder.createCloudfrontAttribute()))
     .filter(([, value]) => value !== undefined)
