SignatureV4 class sorts query string parameters incorrectly

[nazarii-kretovych]

Describe the bug

src/Signature/SignatureV4.php has the method getCanonicalizedQuery. It sorts query parameters by decoded keys and then by decoded values. But it is incorrect. It must sort them by encoded keys and encoded values. The aws4 NPM package sorts them correctly.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

The getCanonicalizedQuery function should sort query string parameters by encoded keys and encoded values.

Current Behavior

The getCanonicalizedQuery function sorts query parameters by decoded keys and decoded values, which is incorrect.

Reproduction Steps

To recreate the issue, generate the signature for the following URL
/smth?agent-role=SomeRole&agent%3Acontains=test

The function should return
agent%3Acontains=test&agent-role=SomeRole
because % comes before - in ASCII.
But it returns
agent-role=SomeRole&agent%3Acontains=test
because it sorts them by decoded keys and - comes before : in ASCII.

Possible Solution

$encKeyToEncValuesMap = [];
foreach ($query as $k => $v) {
  if (!is_array($v)) {
    $v = [$v];
  }
  $values = array_map(function ($v) { return rawurlencode($v !== null ? $v : ''); }, $v);
  sort($values);
  $encKeyToEncValuesMap[rawurlencode($k !== null ? $k : '')] = $values;
}

ksort($encKeyToEncValuesMap);

$qs = '';
$i = 0;
foreach ($encKeyToEncValuesMap as $encKey => $encValues) {
  if ($i++) {
    $qs .= '&';
  }
  foreach ($encValues as $encValue) {
    $qs .= $encKey . '=' . $encValue;
  }
}

return $qs;

Additional Information/Context

No response

SDK version used

3.343.23

Environment details (Version of PHP (php -v)? OS name and version, etc.)

php 8.2

[yenfryherrerafeliz]

Hi @nazarii-kretovych, thanks for opening this issue. Could you please let me know if other than the order of the parameters, do you get any errors when reaching the service? For example, if you use s3 to do a request, do you get any error back?, if so, could you please provide a code example that we can use to reproduce the error?

I look forward to your response.

Thank you!

[github-actions]

This issue has not recieved a response in 1 week. If you want to keep this issue open, please just
leave a comment below and auto-close will be canceled.

[nazarii-kretovych]

@yenfryherrerafeliz why is this issue closed? i've already given you enough information. The description contains the URL/query string you can use to recreate the issue. It does not matter which service to use. Healthlake FHIR has a lot of different query parameters. Some of them have ":". I've already given the code that fixes the issue.

If this issue is not fixed, I will create a support ticket on AWS website (Healthlake), asking them to interfere if they can. It is not normal that a very important class has such a bug in the official AWS SDK for PHP.

Here is how the code of AWS SDK for JS looks:

They sort encoded keys, which is correct. Same in Python.

[nazarii-kretovych]

@yenfryherrerafeliz AWS Signature 4 documentation is not ideal, to be honest, but I've found a page that explicitly says that we should sort query parameters by encoded keys/values.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html

[stobrien89]

Hi @nazarii-kretovych,

Apologies for the confusion— typically our issues will auto-close if they are pending a response for a certain amount of time. Changing our behavior here is probably not backward-compatible, but we can explore an opt-in since it seems like you're having issues with an AWS service.

If you're seeing failed requests with HealthLake, could you send us some debug logs by attaching the output of a failed call in your next comment? You can enable debug logging by setting 'debug' => true in your client configuration. Please redact any sensitive information, like account numbers.