signature: forbid arguments after signature (#35059)

passerelle/base/signature.py

@@ -44,12 +44,17 @@ def check_url(url, key, known_nonce=None, timedelta=30):
 
 def check_query(query, key, known_nonce=None, timedelta=30):
     parsed = urlparse.parse_qs(query)
+    if not ('signature' in parsed and 'algo' in parsed and
+            'timestamp' in parsed and 'nonce' in parsed):
+        return False
+    unsigned_query, signature_content = query.split('&signature=', 1)
+    if '&' in signature_content:
+        return False  # signature must be the last parameter
     signature = base64.b64decode(parsed['signature'][0])
     algo = parsed['algo'][0]
     timestamp = parsed['timestamp'][0]
     timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
     nonce = parsed['nonce']
-    unsigned_query = query.split('&signature=')[0]
     if known_nonce is not None and known_nonce(nonce):
         return False
     if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):

tests/test_api_access.py

@@ -71,6 +71,12 @@ def test_access_with_signature(app, oxyd):
     resp = app.post_json(url, params={}, status=403)
     assert resp.json['err'] == 1
     assert resp.json['err_class'] == 'django.core.exceptions.PermissionDenied'
+    # add garbage after signature
+    url = signature.sign_url(endpoint_url + '?orig=eservices', '12345')
+    url = '%s&foo=bar' % url
+    resp = app.post_json(url, params={}, status=403)
+    assert resp.json['err'] == 1
+    assert resp.json['err_class'] == 'django.core.exceptions.PermissionDenied'
 
     # trusted user (from settings.KNOWN_SERVICES)
     url = signature.sign_url(endpoint_url + '?orig=wcs1', 'abcde')