Merge pull request #631 from cloudinary/fix-url-signing-with-encoded-chars

fix: improved calculation of the signature in url

Author: cloudinary-pkoniu

lib-es5/utils/index.js

@@ -49,7 +49,6 @@ var encodeDoubleArray = require('./encoding/encodeDoubleArray');
 
 var config = require("../config");
 var generate_token = require("../auth_token");
-var utf8_encode = require('./utf8_encode');
 var crc32 = require('./crc32');
 var ensurePresenceOf = require('./ensurePresenceOf');
 var ensureOption = require('./ensureOption').defaults(config());
@@ -302,17 +301,19 @@ function process_layer(layer) {
     }
 
     if (!isEmpty(text)) {
-      var re = /\$\([a-zA-Z]\w*\)/g;
-      var start = 0;
-      var textSource = smart_escape(decodeURIComponent(text), /[,\/]/g);
-      text = "";
-      for (var res = re.exec(textSource); res; res = re.exec(textSource)) {
-        text += smart_escape(textSource.slice(start, res.index));
-        text += res[0];
-        start = res.index + res[0].length;
-      }
-      text += encodeURIComponent(textSource.slice(start));
-      components.push(text);
+      var variablesRegex = new RegExp(/(\$\([a-zA-Z]\w+\))/g);
+      var textDividedByVariables = text.split(variablesRegex).filter(function (x) {
+        return x;
+      });
+      var encodedParts = textDividedByVariables.map(function (subText) {
+        var matches = variablesRegex[Symbol.match](subText);
+        var isVariable = matches ? matches.length > 0 : false;
+        if (isVariable) {
+          return subText;
+        }
+        return encodeCurlyBraces(encodeURIComponent(smart_escape(subText, new RegExp(/([,\/])/g))));
+      });
+      components.push(encodedParts.join(''));
     }
   } else if (type === 'fetch') {
     var encodedUrl = base64EncodeURL(fetchUrl);
@@ -325,6 +326,16 @@ function process_layer(layer) {
   return components.join(':');
 }
 
+function replaceAllSubstrings(string, search) {
+  var replacement = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : '';
+
+  return string.split(search).join(replacement);
+}
+
+function encodeCurlyBraces(input) {
+  return replaceAllSubstrings(replaceAllSubstrings(input, '(', '%28'), ')', '%29');
+}
+
 /**
  * Parse radius options
  * @private
@@ -425,7 +436,8 @@ function build_upload_params(options) {
     quality_override: options.quality_override,
     accessibility_analysis: utils.as_safe_bool(options.accessibility_analysis),
     use_asset_folder_as_public_id_prefix: utils.as_safe_bool(options.use_asset_folder_as_public_id_prefix),
-    visual_search: utils.as_safe_bool(options.visual_search)
+    visual_search: utils.as_safe_bool(options.visual_search),
+    on_success: options.on_success
   };
   return utils.updateable_resource_params(options, params);
 }
@@ -928,16 +940,20 @@ function url(public_id) {
     var to_sign = [transformation, source_to_sign].filter(function (part) {
       return part != null && part !== '';
     }).join('/');
-    try {
-      for (var i = 0; to_sign !== decodeURIComponent(to_sign) && i < 10; i++) {
-        to_sign = decodeURIComponent(to_sign);
-      }
-      // eslint-disable-next-line no-empty
-    } catch (error) {}
-    var hash = compute_hash(to_sign + api_secret, signature_algorithm, 'base64');
-    signature = hash.replace(/\//g, '_').replace(/\+/g, '-').substring(0, long_url_signature ? 32 : 8);
-    signature = `s--${signature}--`;
+
+    var signatureConfig = {};
+    if (long_url_signature) {
+      signatureConfig.algorithm = 'sha256';
+      signatureConfig.signatureLength = 32;
+    } else {
+      signatureConfig.algorithm = signature_algorithm;
+      signatureConfig.signatureLength = 8;
+    }
+
+    var truncated = compute_hash(to_sign + api_secret, signatureConfig.algorithm, 'base64').slice(0, signatureConfig.signatureLength).replace(/\//g, '_').replace(/\+/g, '-');
+    signature = `s--${truncated}--`;
   }
+
   var prefix = build_distribution_domain(public_id, options);
   var resultUrl = [prefix, resource_type, type, signature, transformation, version, public_id].filter(function (part) {
     return part != null && part !== '';
@@ -1156,9 +1172,8 @@ function compute_hash(input, signature_algorithm, encoding) {
   if (!SUPPORTED_SIGNATURE_ALGORITHMS.includes(signature_algorithm)) {
     throw new Error(`Signature algorithm ${signature_algorithm} is not supported. Supported algorithms: ${SUPPORTED_SIGNATURE_ALGORITHMS.join(', ')}`);
   }
-  var hash = crypto.createHash(signature_algorithm);
-  hash.update(utf8_encode(input), 'binary');
-  return hash.digest(encoding);
+  var hash = crypto.createHash(signature_algorithm).update(input).digest();
+  return Buffer.from(hash).toString(encoding);
 }
 
 function clear_blank(hash) {

lib/utils/index.js

@@ -38,7 +38,6 @@ const encodeDoubleArray = require('./encoding/encodeDoubleArray');
 
 const config = require("../config");
 const generate_token = require("../auth_token");
-const utf8_encode = require('./utf8_encode');
 const crc32 = require('./crc32');
 const ensurePresenceOf = require('./ensurePresenceOf');
 const ensureOption = require('./ensureOption').defaults(config());
@@ -286,17 +285,17 @@ function process_layer(layer) {
     }
 
     if (!isEmpty(text)) {
-      let re = /\$\([a-zA-Z]\w*\)/g;
-      let start = 0;
-      let textSource = smart_escape(decodeURIComponent(text), /[,\/]/g);
-      text = "";
-      for (let res = re.exec(textSource); res; res = re.exec(textSource)) {
-        text += smart_escape(textSource.slice(start, res.index));
-        text += res[0];
-        start = res.index + res[0].length;
-      }
-      text += encodeURIComponent(textSource.slice(start));
-      components.push(text);
+      const variablesRegex = new RegExp(/(\$\([a-zA-Z]\w+\))/g);
+      const textDividedByVariables = text.split(variablesRegex).filter(x => x);
+      const encodedParts = textDividedByVariables.map(subText => {
+        const matches = variablesRegex[Symbol.match](subText);
+        const isVariable = matches ? matches.length > 0 : false;
+        if (isVariable) {
+          return subText;
+        }
+        return encodeCurlyBraces(encodeURIComponent(smart_escape(subText, new RegExp(/([,\/])/g))));
+      });
+      components.push(encodedParts.join(''));
     }
   } else if (type === 'fetch') {
     const encodedUrl = base64EncodeURL(fetchUrl);
@@ -309,6 +308,14 @@ function process_layer(layer) {
   return components.join(':');
 }
 
+function replaceAllSubstrings(string, search, replacement = '') {
+  return string.split(search).join(replacement);
+}
+
+function encodeCurlyBraces(input) {
+  return replaceAllSubstrings(replaceAllSubstrings(input, '(', '%28'), ')', '%29');
+}
+
 /**
  * Parse radius options
  * @private
@@ -856,17 +863,23 @@ function url(public_id, options = {}) {
     let to_sign = [transformation, source_to_sign].filter(function (part) {
       return (part != null) && part !== '';
     }).join('/');
-    try {
-      for (let i = 0; to_sign !== decodeURIComponent(to_sign) && i < 10; i++) {
-        to_sign = decodeURIComponent(to_sign);
-      }
-      // eslint-disable-next-line no-empty
-    } catch (error) {
+
+    const signatureConfig = {};
+    if (long_url_signature) {
+      signatureConfig.algorithm = 'sha256';
+      signatureConfig.signatureLength = 32;
+    } else {
+      signatureConfig.algorithm = signature_algorithm;
+      signatureConfig.signatureLength = 8;
     }
-    let hash = compute_hash(to_sign + api_secret, signature_algorithm, 'base64');
-    signature = hash.replace(/\//g, '_').replace(/\+/g, '-').substring(0, long_url_signature ? 32 : 8);
-    signature = `s--${signature}--`;
+
+    const truncated = compute_hash(to_sign + api_secret, signatureConfig.algorithm, 'base64')
+      .slice(0, signatureConfig.signatureLength)
+      .replace(/\//g, '_')
+      .replace(/\+/g, '-');
+    signature = `s--${truncated}--`;
   }
+
   let prefix = build_distribution_domain(public_id, options);
   let resultUrl = [prefix, resource_type, type, signature, transformation, version, public_id].filter(function (part) {
     return (part != null) && part !== '';
@@ -1080,9 +1093,8 @@ function compute_hash(input, signature_algorithm, encoding) {
   if (!SUPPORTED_SIGNATURE_ALGORITHMS.includes(signature_algorithm)) {
     throw new Error(`Signature algorithm ${signature_algorithm} is not supported. Supported algorithms: ${SUPPORTED_SIGNATURE_ALGORITHMS.join(', ')}`);
   }
-  let hash = crypto.createHash(signature_algorithm);
-  hash.update(utf8_encode(input), 'binary');
-  return hash.digest(encoding);
+  const hash = crypto.createHash(signature_algorithm).update(input).digest();
+  return Buffer.from(hash).toString(encoding);
 }
 
 function clear_blank(hash) {

test/unit/url/overlay_underlay_spec.js

@@ -0,0 +1,36 @@
+const assert = require('assert');
+const cloudinary = require('../../../lib/cloudinary');
+
+describe('URL utils with transformation parameters', () => {
+  const CLOUD_NAME = 'test-cloud';
+
+  before(() => {
+    cloudinary.config({
+      cloud_name: CLOUD_NAME
+    });
+  });
+
+  it('should create a correct link with overlay string', () => {
+    const url = cloudinary.utils.url('test', {
+      overlay: {
+        font_family: "arial",
+        font_size: "30",
+        text: "abc,αβγ/אבג"
+      }
+    });
+
+    assert.strictEqual(url, `http://res.cloudinary.com/${CLOUD_NAME}/image/upload/l_text:arial_30:abc%252C%CE%B1%CE%B2%CE%B3%252F%D7%90%D7%91%D7%92/test`);
+  });
+
+  it('should create a correct link with underlay string', () => {
+    const url = cloudinary.utils.url('test', {
+      underlay: {
+        font_family: "arial",
+        font_size: "30",
+        text: "abc,αβγ/אבג"
+      }
+    });
+
+    assert.strictEqual(url, `http://res.cloudinary.com/${CLOUD_NAME}/image/upload/u_text:arial_30:abc%252C%CE%B1%CE%B2%CE%B3%252F%D7%90%D7%91%D7%92/test`);
+  });
+});

test/unit/url/sign_url_spec.js

@@ -0,0 +1,108 @@
+const cloudinary = require('../../../lib/cloudinary');
+const assert = require('assert');
+
+const TEST_CLOUD_NAME = 'test123';
+const TEST_API_KEY = '1234';
+const TEST_API_SECRET = 'b';
+
+
+describe("URL for authenticated asset", () => {
+  before(function () {
+    cloudinary.config({
+      cloud_name: TEST_CLOUD_NAME,
+      api_key: TEST_API_KEY,
+      api_secret: TEST_API_SECRET
+    });
+  });
+
+  let TEST_PUBLIC_ID = 'image.jpg';
+  it('should have signature for transformation and version', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      version: 1234,
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/v1234/image.jpg');
+  });
+
+  it('should have signature for version', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      version: 1234,
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s----SjmNDA--/v1234/image.jpg');
+  });
+
+  it('should have signature for transformation', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg');
+  });
+
+  it('should have signature for authenticated asset with transformation', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/authenticated/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg');
+  });
+
+  it('should have signature for fetched asset', () => {
+    const signedUrl = cloudinary.utils.url('http://google.com/path/to/image.png', {
+      type: 'fetch',
+      version: 1234,
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/fetch/s--hH_YcbiS--/v1234/http://google.com/path/to/image.png');
+  });
+
+  it('should have signature for authenticated asset with text overlay transformation including encoded emoji', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      sign_url: true,
+      transformation: {
+        color: 'red',
+        overlay: {
+          text: 'Cool%F0%9F%98%8D',
+          font_family: 'Times',
+          font_size: 70,
+          font_weight: 'bold'
+        }
+      }
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/authenticated/s--Uqk1a-5W--/co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D/image.jpg');
+  });
+
+  it('should have signature for raw transformation string', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      sign_url: true,
+      transformation: {
+        raw_transformation: 'co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D'
+      }
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/authenticated/s--Uqk1a-5W--/co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D/image.jpg');
+  });
+})