fix: improved calculation of the signature in url

Author: cloudinary-pkoniu

lib-es5/utils/index.js

@@ -49,7 +49,6 @@ var encodeDoubleArray = require('./encoding/encodeDoubleArray');
 
 var config = require("../config");
 var generate_token = require("../auth_token");
-var utf8_encode = require('./utf8_encode');
 var crc32 = require('./crc32');
 var ensurePresenceOf = require('./ensurePresenceOf');
 var ensureOption = require('./ensureOption').defaults(config());
@@ -425,7 +424,8 @@ function build_upload_params(options) {
     quality_override: options.quality_override,
     accessibility_analysis: utils.as_safe_bool(options.accessibility_analysis),
     use_asset_folder_as_public_id_prefix: utils.as_safe_bool(options.use_asset_folder_as_public_id_prefix),
-    visual_search: utils.as_safe_bool(options.visual_search)
+    visual_search: utils.as_safe_bool(options.visual_search),
+    on_success: options.on_success
   };
   return utils.updateable_resource_params(options, params);
 }
@@ -928,16 +928,20 @@ function url(public_id) {
     var to_sign = [transformation, source_to_sign].filter(function (part) {
       return part != null && part !== '';
     }).join('/');
-    try {
-      for (var i = 0; to_sign !== decodeURIComponent(to_sign) && i < 10; i++) {
-        to_sign = decodeURIComponent(to_sign);
-      }
-      // eslint-disable-next-line no-empty
-    } catch (error) {}
-    var hash = compute_hash(to_sign + api_secret, signature_algorithm, 'base64');
-    signature = hash.replace(/\//g, '_').replace(/\+/g, '-').substring(0, long_url_signature ? 32 : 8);
-    signature = `s--${signature}--`;
+
+    var signatureConfig = {};
+    if (long_url_signature) {
+      signatureConfig.algorithm = 'sha256';
+      signatureConfig.signatureLength = 32;
+    } else {
+      signatureConfig.algorithm = signature_algorithm;
+      signatureConfig.signatureLength = 8;
+    }
+
+    var truncated = compute_hash(to_sign + api_secret, signatureConfig.algorithm, 'base64').slice(0, signatureConfig.signatureLength).replace(/\//g, '_').replace(/\+/g, '-');
+    signature = `s--${truncated}--`;
   }
+
   var prefix = build_distribution_domain(public_id, options);
   var resultUrl = [prefix, resource_type, type, signature, transformation, version, public_id].filter(function (part) {
     return part != null && part !== '';
@@ -1156,9 +1160,8 @@ function compute_hash(input, signature_algorithm, encoding) {
   if (!SUPPORTED_SIGNATURE_ALGORITHMS.includes(signature_algorithm)) {
     throw new Error(`Signature algorithm ${signature_algorithm} is not supported. Supported algorithms: ${SUPPORTED_SIGNATURE_ALGORITHMS.join(', ')}`);
   }
-  var hash = crypto.createHash(signature_algorithm);
-  hash.update(utf8_encode(input), 'binary');
-  return hash.digest(encoding);
+  var hash = crypto.createHash(signature_algorithm).update(input).digest();
+  return Buffer.from(hash).toString(encoding);
 }
 
 function clear_blank(hash) {

lib/utils/index.js

@@ -38,7 +38,6 @@ const encodeDoubleArray = require('./encoding/encodeDoubleArray');
 
 const config = require("../config");
 const generate_token = require("../auth_token");
-const utf8_encode = require('./utf8_encode');
 const crc32 = require('./crc32');
 const ensurePresenceOf = require('./ensurePresenceOf');
 const ensureOption = require('./ensureOption').defaults(config());
@@ -856,17 +855,23 @@ function url(public_id, options = {}) {
     let to_sign = [transformation, source_to_sign].filter(function (part) {
       return (part != null) && part !== '';
     }).join('/');
-    try {
-      for (let i = 0; to_sign !== decodeURIComponent(to_sign) && i < 10; i++) {
-        to_sign = decodeURIComponent(to_sign);
-      }
-      // eslint-disable-next-line no-empty
-    } catch (error) {
+
+    const signatureConfig = {};
+    if (long_url_signature) {
+      signatureConfig.algorithm = 'sha256';
+      signatureConfig.signatureLength = 32;
+    } else {
+      signatureConfig.algorithm = signature_algorithm;
+      signatureConfig.signatureLength = 8;
     }
-    let hash = compute_hash(to_sign + api_secret, signature_algorithm, 'base64');
-    signature = hash.replace(/\//g, '_').replace(/\+/g, '-').substring(0, long_url_signature ? 32 : 8);
-    signature = `s--${signature}--`;
+
+    const truncated = compute_hash(to_sign + api_secret, signatureConfig.algorithm, 'base64')
+      .slice(0, signatureConfig.signatureLength)
+      .replace(/\//g, '_')
+      .replace(/\+/g, '-');
+    signature = `s--${truncated}--`;
   }
+
   let prefix = build_distribution_domain(public_id, options);
   let resultUrl = [prefix, resource_type, type, signature, transformation, version, public_id].filter(function (part) {
     return (part != null) && part !== '';
@@ -1080,9 +1085,8 @@ function compute_hash(input, signature_algorithm, encoding) {
   if (!SUPPORTED_SIGNATURE_ALGORITHMS.includes(signature_algorithm)) {
     throw new Error(`Signature algorithm ${signature_algorithm} is not supported. Supported algorithms: ${SUPPORTED_SIGNATURE_ALGORITHMS.join(', ')}`);
   }
-  let hash = crypto.createHash(signature_algorithm);
-  hash.update(utf8_encode(input), 'binary');
-  return hash.digest(encoding);
+  const hash = crypto.createHash(signature_algorithm).update(input).digest();
+  return Buffer.from(hash).toString(encoding);
 }
 
 function clear_blank(hash) {

test/unit/url/sign_url_spec.js

@@ -0,0 +1,110 @@
+const cloudinary = require('../../../lib/cloudinary');
+const assert = require('assert');
+
+const TEST_CLOUD_NAME = 'test123';
+const TEST_API_KEY = '1234';
+const TEST_API_SECRET = 'b';
+
+
+describe("URL for authenticated asset", () => {
+  before(function () {
+    cloudinary.config({
+      cloud_name: TEST_CLOUD_NAME,
+      api_key: TEST_API_KEY,
+      api_secret: TEST_API_SECRET
+    });
+  });
+
+  let TEST_PUBLIC_ID = 'image.jpg';
+  it('should have signature for transformation and version', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      version: 1234,
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/v1234/image.jpg');
+  });
+
+  it('should have signature for version', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      version: 1234,
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s----SjmNDA--/v1234/image.jpg');
+  });
+
+  it('should have signature for transformation', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg');
+  });
+
+  it('should have signature for authenticated asset with transformation', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      transformation: {
+        crop: "crop",
+        width: 10,
+        height: 20
+      },
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/authenticated/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg');
+  });
+
+  it('should have signature for fetched asset', () => {
+    const signedUrl = cloudinary.utils.url('http://google.com/path/to/image.png', {
+      type: 'fetch',
+      version: 1234,
+      sign_url: true
+    });
+
+    assert.strictEqual(signedUrl, 'http://res.cloudinary.com/test123/image/fetch/s--hH_YcbiS--/v1234/http://google.com/path/to/image.png');
+  });
+
+  it('should have signature for authenticated asset with text overlay transformation including encoded text', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      sign_url: true,
+      secure: true,
+      transformation: {
+        color: 'red',
+        overlay: {
+          text: 'Cool%25F0%259F%2598%258D',
+          font_family: 'Times',
+          font_size: 70,
+          font_weight: 'bold'
+        }
+      }
+    });
+
+    assert.strictEqual(signedUrl, 'https://res.cloudinary.com/test123/image/authenticated/s--Uqk1a-5W--/co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D/image.jpg');
+  });
+
+  it('should have signature for raw transformation string', () => {
+    const signedUrl = cloudinary.utils.url(TEST_PUBLIC_ID, {
+      type: 'authenticated',
+      sign_url: true,
+      secure: true,
+      transformation: {
+        raw_transformation: 'co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D'
+      }
+    });
+
+    assert.strictEqual(signedUrl, 'https://res.cloudinary.com/test123/image/authenticated/s--Uqk1a-5W--/co_red,l_text:Times_70_bold:Cool%25F0%259F%2598%258D/image.jpg');
+  });
+})

test/utils/get_sdk_versionID_spec.js

@@ -1558,52 +1558,6 @@ describe("utils", function () {
       ).to.eql(false);
     });
   });
-  context("sign URLs", function () {
-    beforeEach(function () {
-      cloudinary.config({
-        cloud_name: 'test123',
-        api_key: "1234",
-        api_secret: "b"
-      });
-    });
-    it("should correctly sign URLs", function () {
-      test_cloudinary_url("image.jpg", {
-        version: 1234,
-        transformation: {
-          crop: "crop",
-          width: 10,
-          height: 20
-        },
-        sign_url: true
-      }, "http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/v1234/image.jpg", {});
-      test_cloudinary_url("image.jpg", {
-        version: 1234,
-        sign_url: true
-      }, "http://res.cloudinary.com/test123/image/upload/s----SjmNDA--/v1234/image.jpg", {});
-      test_cloudinary_url("image.jpg", {
-        transformation: {
-          crop: "crop",
-          width: 10,
-          height: 20
-        },
-        sign_url: true
-      }, "http://res.cloudinary.com/test123/image/upload/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg", {});
-      test_cloudinary_url("image.jpg", {
-        transformation: {
-          crop: "crop",
-          width: 10,
-          height: 20
-        },
-        type: 'authenticated',
-        sign_url: true
-      }, "http://res.cloudinary.com/test123/image/authenticated/s--Ai4Znfl3--/c_crop,h_20,w_10/image.jpg", {});
-      test_cloudinary_url("http://google.com/path/to/image.png", {
-        type: "fetch",
-        version: 1234,
-        sign_url: true
-      }, "http://res.cloudinary.com/test123/image/fetch/s--hH_YcbiS--/v1234/http://google.com/path/to/image.png", {});
-    });
-  });
   context("sign requests", function () {
     var configBck = void 0;
     before(function () {