-
Notifications
You must be signed in to change notification settings - Fork 551
Fix URL signing api for URLs containing special characters #12435
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ErykKul
wants to merge
16
commits into
develop
Choose a base branch
from
fix-url-signing-special-characters
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
16 commits
Select commit
Hold shift + click to select a range
f911647
Fix URL signing api for URLs containing special characters
ErykKul 2c94dc8
Merge branch 'develop' into fix-url-signing-special-characters
ErykKul 96be125
Extra URL signing tests to prevent regression
ErykKul 8812582
More URL signing tests
ErykKul 9cb852a
Clean up URL signing tests and comments
ErykKul 12216ba
Merge branch 'develop' into fix-url-signing-special-characters
ErykKul 942f3cf
updated the release note
ErykKul 4387ee9
Clarify URL-signing release note and comment
ErykKul 8b1ab7b
Return 500 instead of 400 when signing secret is not configured
ErykKul 4bbb576
Merge branch 'develop' into fix-url-signing-special-characters
ErykKul 4e8b6ff
Require signing secret for guestbook-response signed download URLs to…
ErykKul 77ba0c8
Centralize signing-secret requirement across all API-token-based URL …
ErykKul 9a4d41f
Merge remote-tracking branch 'refs/remotes/origin/fix-url-signing-spe…
ErykKul 96ec148
Merge branch 'develop' into fix-url-signing-special-characters
ErykKul 5706157
Address review findings: earlier signing-secret gate, byte-exact stri…
ErykKul ddcf8ff
URL signing secret: extra polish and clarificatoin
ErykKul File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| ### Signed URLs work again for URLs with special characters | ||
|
|
||
| Requesting a signed URL (e.g. via `/api/admin/requestSignedUrl`, used by external tools, the Globus | ||
| integration and third-party integrations such as the `rdm-integration` connector) was broken in 6.10 | ||
| for URLs whose query contained special characters — most notably persistent IDs such as | ||
| `doi:10.5072/FK2/ABC` (which contain `:` and `/`), as well as spaces, percent-encoded values and | ||
| non-ASCII characters. In 6.10 the signing step began re-encoding/normalizing the URL (for example | ||
| percent-encoding `:` and `/`) before computing the signature, while the request is validated against | ||
| the URL the caller actually presents back. The re-encoded signature no longer matched, so validation | ||
| failed with 401 "Bad signed URL" authentication errors. | ||
|
|
||
| Signing no longer re-encodes the URL: it is signed exactly as provided, with only the reserved | ||
| signing parameters (`until`, `user`, `method`, `token`, `key`, `signed`) stripped out; the rest of | ||
| the URL is left untouched, character for character. | ||
|
|
||
| **This restores the URL-signing behavior used before 6.10, so it is compatible with older versions | ||
| and with existing integrations.** Clients and connectors that build or consume signed URLs the way | ||
| they did before 6.10 keep working unchanged, signatures are computed the same way as before the | ||
| regression, and URLs containing special characters validate again. No client-side changes are | ||
| required. | ||
|
|
||
| Note that, as before 6.10, the `url` submitted to `/api/admin/requestSignedUrl` (and any URL consumed | ||
| as a signed URL) must be in its URL-decoded form: the signature is computed over the URL exactly as | ||
| provided, but the server validates it against the URL-decoded request. Passing a percent-encoded URL | ||
| (e.g. `persistentId=doi%3A10.5072%2FFK2%2FABC` instead of `persistentId=doi:10.5072/FK2/ABC`) and then | ||
| using it verbatim will therefore fail validation. | ||
|
|
||
| ### A signing secret is now required for signed URLs | ||
|
|
||
| Separately from the fix above, Dataverse no longer falls back to a weak signing key when | ||
| `dataverse.api.signing-secret` is unset. Previously, with no secret configured, signed URLs were | ||
| signed using only the user's API token (or, for a guest, a value derived from the public URL), which | ||
| is too weak to be a signing key. A non-empty `dataverse.api.signing-secret` is now required wherever | ||
| URLs are signed with a key based on a user's API token: | ||
|
|
||
| - The endpoints that issue a signed URL on request - `/api/admin/requestSignedUrl` and the `POST` | ||
| guestbook-response download endpoints under `/api/access` (`datafile/{id}`, `datafiles/{ids}`, | ||
| `dataset/{id}` and `dataset/{id}/versions/{versionId}`) - return an error instead of issuing a | ||
| weakly-signed URL. | ||
| - External tool launches send their callback unsigned (with a warning logged) rather than weakly | ||
| signed. Such an unsigned callback only allows anonymous access to public data; it cannot be used to | ||
| access draft datasets or restricted files. | ||
| - Globus transfers are effectively disabled without a signing secret: the callbacks the | ||
| dataverse-globus app relies on require an authenticated, signed request, so Globus upload (and | ||
| download of restricted or unpublished files) fails with an authorization error. Installations that | ||
| use Globus must set `dataverse.api.signing-secret`. | ||
| - The permissions-history CSV download links on the permission management pages are not offered | ||
| (a warning is logged). | ||
|
|
||
| Remote and Globus overlay stores are unaffected: they sign with their own per-store secret key, not | ||
| `dataverse.api.signing-secret`. | ||
|
|
||
| **Upgrade note:** installations that rely on signed URLs - including the `rdm-integration` connector, | ||
| signed guestbook-response downloads, and external tools or Globus transfers that use signed callbacks - | ||
| must set `dataverse.api.signing-secret`. See the | ||
| [Configuration Guide](https://guides.dataverse.org/en/latest/installation/config.html#dataverse-api-signing-secret). | ||
| Treat the value like a password. Because the signing secret is part of the signing key, setting (or | ||
| later changing) it invalidates previously issued signed URLs: any existing signed URLs that have not | ||
| yet expired will stop working, and clients/integrations will need to request new ones. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.