Fix response signature verification

Author: const-cloudinary

lib/cloudinary/cloudinary_controller.rb

@@ -2,10 +2,12 @@ module Cloudinary::CloudinaryController
   protected
 
   def valid_cloudinary_response?
-    received_signature = request.query_parameters[:signature]
-    calculated_signature = Cloudinary::Utils.api_sign_request(
-      request.query_parameters.select{|key, value| [:public_id, :version].include?(key.to_sym)},
-      Cloudinary.config.api_secret)
-    return received_signature == calculated_signature
+    params = request.query_parameters.select { |key, value| [:public_id, :version, :signature].include?(key.to_sym) }.transform_keys(&:to_sym)
+    
+    Cloudinary::Utils.verify_api_response_signature(
+      params[:public_id],
+      params[:version],
+      params[:signature]
+    )
   end
 end

lib/cloudinary/preloaded_file.rb

@@ -9,8 +9,7 @@ def initialize(file_info)
 
   def valid?
     public_id = @resource_type == "raw" ? self.filename : self.public_id
-    expected_signature = Cloudinary::Utils.api_sign_request({:public_id=>public_id, :version=>version}, Cloudinary.config.api_secret)
-    @signature == expected_signature
+    Cloudinary::Utils.verify_api_response_signature(public_id, version, @signature)
   end
 
   def identifier

lib/cloudinary/uploader.rb

@@ -360,7 +360,8 @@ def self.call_api(action, options)
       api_key             = options[:api_key] || Cloudinary.config.api_key || raise(CloudinaryException, "Must supply api_key")
       api_secret          = options[:api_secret] || Cloudinary.config.api_secret || raise(CloudinaryException, "Must supply api_secret")
       signature_algorithm = options[:signature_algorithm]
-      params[:signature]  = Cloudinary::Utils.api_sign_request(params.reject { |k, v| non_signable.include?(k) }, api_secret, signature_algorithm)
+      signature_version   = options[:signature_version]
+      params[:signature]  = Cloudinary::Utils.api_sign_request(params.reject { |k, v| non_signable.include?(k) }, api_secret, signature_algorithm, signature_version)
       params[:api_key]    = api_key
     end
 

lib/cloudinary/utils.rb

@@ -504,13 +504,14 @@ def self.api_string_to_sign(params_to_sign, signature_version = 2)
   #
   # @param [Hash] params_to_sign Parameters to include in the signature
   # @param [String] api_secret API secret for signing
-  # @param [Symbol] signature_algorithm Hash algorithm to use (:sha1 or :sha256)
-  # @param [Integer] signature_version Version of signature algorithm to use:
+  # @param [Symbol|nil] signature_algorithm Hash algorithm to use (:sha1 or :sha256)
+  # @param [Integer|nil] signature_version Version of signature algorithm to use:
   #   - Version 1: Original behavior without parameter encoding
   #   - Version 2+ (default): Includes parameter encoding to prevent parameter smuggling
   # @return [String] Hexadecimal signature
   # @private
-  def self.api_sign_request(params_to_sign, api_secret, signature_algorithm = nil, signature_version = 2)
+  def self.api_sign_request(params_to_sign, api_secret, signature_algorithm = nil, signature_version = nil)
+    signature_version ||= Cloudinary.config.signature_version || 2
     to_sign = api_string_to_sign(params_to_sign, signature_version)
     hash("#{to_sign}#{api_secret}", signature_algorithm, :hexdigest)
   end
@@ -783,8 +784,9 @@ def self.sign_request(params, options={})
     api_key = options[:api_key] || Cloudinary.config.api_key || raise(CloudinaryException, "Must supply api_key")
     api_secret = options[:api_secret] || Cloudinary.config.api_secret || raise(CloudinaryException, "Must supply api_secret")
     signature_algorithm = options[:signature_algorithm]
+    signature_version = options[:signature_version]
     params = params.reject{|k, v| self.safe_blank?(v)}
-    params[:signature] = api_sign_request(params, api_secret, signature_algorithm)
+    params[:signature] = api_sign_request(params, api_secret, signature_algorithm, signature_version)
     params[:api_key] = api_key
     params
   end

spec/carriewave_spec.rb

@@ -32,3 +32,83 @@ class SanitizedFile; end
     end
   end
 end
+
+RSpec.describe Cloudinary::PreloadedFile do
+  let(:test_api_secret) { "X7qLTrsES31MzxxkxPPA-pAGGfU" }
+  
+  before do
+    Cloudinary.config.update(:api_secret => test_api_secret)
+  end
+
+  describe "folder support" do
+    it "should allow to use folders in PreloadedFile" do
+      signature = Cloudinary::Utils.api_sign_request({ :public_id => "folder/file", :version => "1234" }, Cloudinary.config.api_secret)
+      preloaded = Cloudinary::PreloadedFile.new("image/upload/v1234/folder/file.jpg#" + signature)
+      expect(preloaded).to be_valid
+      [
+        [:filename, 'folder/file.jpg'],
+        [:version, '1234'],
+        [:public_id, 'folder/file'],
+        [:signature, signature],
+        [:resource_type, 'image'],
+        [:type, 'upload'],
+        [:format, 'jpg']
+      ].each do |attr, value|
+        expect(preloaded.send(attr)).to eq(value)
+      end
+    end
+  end
+
+  describe "signature verification" do
+    let(:public_id) { 'tests/logo.png' }
+    let(:test_version) { 1234 }
+
+    it "should correctly verify signature with proper parameter order" do
+      # PreloadedFile extracts public_id by removing the format extension
+      # So if filename is "tests/logo.png", public_id becomes "tests/logo"
+      filename_with_format = public_id
+      public_id_without_format = "tests/logo"  # public_id without .png extension
+      
+      # Generate a valid signature using the public_id without extension
+      # The version parsed from preloaded string will be a string, so we use string here too
+      version_string = test_version.to_s
+      expected_signature = Cloudinary::Utils.api_sign_request(
+        { :public_id => public_id_without_format, :version => version_string }, 
+        test_api_secret, 
+        nil, 
+        1 # verify_api_response_signature uses version 1
+      )
+      
+      # Create a preloaded file string  
+      preloaded_string = "image/upload/v#{version_string}/#{filename_with_format}##{expected_signature}"
+      preloaded_file = Cloudinary::PreloadedFile.new(preloaded_string)
+      
+      expect(preloaded_file).to be_valid
+    end
+
+    it "should fail verification with incorrect signature" do
+      wrong_signature = "wrongsignature"
+      preloaded_string = "image/upload/v#{test_version}/#{public_id}##{wrong_signature}"
+      preloaded_file = Cloudinary::PreloadedFile.new(preloaded_string)
+      
+      expect(preloaded_file).not_to be_valid
+    end
+
+    it "should handle raw resource type correctly" do
+      raw_filename = "document.pdf"
+      version_string = test_version.to_s
+      raw_signature = Cloudinary::Utils.api_sign_request(
+        { :public_id => raw_filename, :version => version_string }, 
+        test_api_secret, 
+        nil, 
+        1
+      )
+      
+      preloaded_string = "raw/upload/v#{version_string}/#{raw_filename}##{raw_signature}"
+      preloaded_file = Cloudinary::PreloadedFile.new(preloaded_string)
+      
+      expect(preloaded_file).to be_valid
+      expect(preloaded_file.resource_type).to eq('raw')
+    end
+  end
+end

spec/uploader_spec.rb

@@ -764,4 +764,31 @@
     expect(pdf_result["url"]).to include("w_111")
     expect(pdf_result["url"]).to end_with(".pdf")
   end
+
+  describe "signature_version parameter support" do
+    it "should use signature_version from config when not specified" do
+      original_signature_version = Cloudinary.config.signature_version
+      Cloudinary.config.signature_version = 1
+
+      begin
+        # Test that configuration signature_version affects signing
+        upload_result = Cloudinary::Uploader.upload(TEST_IMG, :tags => [TEST_TAG, TIMESTAMP_TAG])
+        public_id = upload_result["public_id"]
+        version = upload_result["version"]
+
+        # Verify the signature was created with version 1
+        expected_signature_v1 = Cloudinary::Utils.api_sign_request(
+          { :public_id => public_id, :version => version },
+          Cloudinary.config.api_secret,
+          nil,
+          1
+        )
+
+        expect(upload_result["signature"]).to eq(expected_signature_v1)
+      ensure
+        # Reset config to original value
+        Cloudinary.config.signature_version = original_signature_version
+      end
+    end
+  end
 end

spec/utils_spec.rb

@@ -907,22 +907,7 @@
             .and empty_options
   end
 
-  it "should allow to use folders in PreloadedFile" do
-    signature = Cloudinary::Utils.api_sign_request({ :public_id => "folder/file", :version => "1234" }, Cloudinary.config.api_secret)
-    preloaded = Cloudinary::PreloadedFile.new("image/upload/v1234/folder/file.jpg#" + signature)
-    expect(preloaded).to be_valid
-    [
-      [:filename, 'folder/file.jpg'],
-      [:version, '1234'],
-      [:public_id, 'folder/file'],
-      [:signature, signature],
-      [:resource_type, 'image'],
-      [:type, 'upload'],
-      [:format, 'jpg']
-    ].each do |attr, value|
-      expect(preloaded.send(attr)).to eq(value)
-    end
-  end
+
 
   it "should escape public_ids" do
     [
@@ -1484,6 +1469,51 @@
     expect(parameters["signature"]).not_to be_nil
   end
 
+  describe "Response signature verification fixes" do
+    let(:public_id) { 'tests/logo.png' }
+    let(:test_version) { 1234 }
+    let(:test_api_secret) { SIGNATURE_VERIFICATION_API_SECRET }
+    
+    before do
+      Cloudinary.config.update(:api_secret => test_api_secret)
+    end
+
+    describe "api_sign_request signature_version parameter support" do
+      it "should support signature_version parameter in api_sign_request" do
+        params = { :public_id => public_id, :version => test_version }
+        
+        signature_v1 = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, 1)
+        signature_v2 = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, 2)
+        
+        expect(signature_v1).to be_a(String)
+        expect(signature_v2).to be_a(String)
+        expect(signature_v1).to eq(signature_v2) # No & in values, so should be the same
+      end
+
+      it "should use default signature_version from config" do
+        Cloudinary.config.signature_version = 2
+        params = { :public_id => public_id, :version => test_version }
+        
+        signature_with_nil = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, nil)
+        signature_with_v2 = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, 2)
+        
+        expect(signature_with_nil).to eq(signature_with_v2)
+      end
+
+      it "should default to version 2 when no config is set" do
+        Cloudinary.config.signature_version = nil
+        params = { :public_id => public_id, :version => test_version }
+        
+        signature_with_nil = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, nil)
+        signature_with_v2 = Cloudinary::Utils.api_sign_request(params, test_api_secret, nil, 2)
+        
+        expect(signature_with_nil).to eq(signature_with_v2)
+      end
+    end
+
+
+  end
+
   it "should download multi" do
     multi_test_tag = "multi_test_tag_#{UNIQUE_TEST_ID}"
     url1           = "https://res.cloudinary.com/demo/image/upload/sample"