upd：host参与签名计算

livehigh · livehigh · commit 1444bd8d6bb9 · 2021-11-22T14:49:37.000+08:00
diff --git a/src/base.js b/src/base.js
@@ -35,11 +35,17 @@ function getService(params, callback) {
         domain = protocol + '//service.cos.myqcloud.com';
     }
 
+    var SignHost = '';
+    var standardHost = region ? 'cos.' + region + '.myqcloud.com' : 'service.cos.myqcloud.com';
+    var urlHost = domain.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    if (standardHost === urlHost) SignHost = standardHost;
+
     submitRequest.call(this, {
         Action: 'name/cos:GetService',
         url: domain,
         method: 'GET',
         headers: params.Headers,
+        SignHost: SignHost,
     }, function (err, data) {
         if (err) return callback(err);
         var buckets = (data && data.ListAllMyBucketsResult && data.ListAllMyBucketsResult.Buckets
@@ -2958,6 +2964,8 @@ function getAuth(params) {
     return util.getAuth({
         SecretId: params.SecretId || this.options.SecretId || '',
         SecretKey: params.SecretKey || this.options.SecretKey || '',
+        Bucket: params.Bucket,
+        Region: params.Region,
         Method: params.Method,
         Key: params.Key,
         Query: params.Query,
@@ -2999,13 +3007,21 @@ function getObjectUrl(params, callback) {
       queryParamsStr += (queryParamsStr ? '&' : '') + params.QueryString;
     }
 
+    // 签名加上 Host，避免跨桶访问
+    var SignHost = '';
+    var standardHost = 'cos.' + params.Region + '.myqcloud.com';
+    if (!self.options.ForcePathStyle) standardHost = params.Bucket + '.' + standardHost;
+    var urlHost = url.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    if (standardHost === urlHost) SignHost = standardHost;
+
     var syncUrl = url;
     if (params.Sign !== undefined && !params.Sign) {
         queryParamsStr && (syncUrl += '?' + queryParamsStr);
         callback(null, {Url: syncUrl});
         return syncUrl;
     }
-
+    
+    var SignHost = getSignHost.call(this, {Bucket: params.Bucket, Region: params.Region, Url: url});
     var AuthData = getAuthorizationAsync.call(this, {
         Action: ((params.Method || '').toUpperCase() === 'PUT' ? 'name/cos:PutObject' : 'name/cos:GetObject'),
         Bucket: params.Bucket || '',
@@ -3015,6 +3031,7 @@ function getObjectUrl(params, callback) {
         Expires: params.Expires,
         Headers: params.Headers,
         Query: params.Query,
+        SignHost: SignHost,
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -3033,7 +3050,6 @@ function getObjectUrl(params, callback) {
             callback(null, {Url: signUrl});
         });
     });
-
     if (AuthData) {
         syncUrl += '?' + AuthData.Authorization +
             (AuthData.SecurityToken ? '&x-cos-security-token=' + AuthData.SecurityToken : '');
@@ -3044,7 +3060,6 @@ function getObjectUrl(params, callback) {
     return syncUrl;
 }
 
-
 /**
  * 私有方法
  */
@@ -3163,14 +3178,35 @@ function getUrl(params) {
     return url;
 }
 
+var getSignHost = function (opt) {
+    if (!opt.Bucket || !opt.Bucket) return '';
+    var url = opt.Url || getUrl({
+        ForcePathStyle: this.options.ForcePathStyle,
+        protocol: this.options.Protocol,
+        domain: this.options.Domain,
+        bucket: opt.Bucket,
+        region: opt.Region,
+    });
+    var urlHost = url.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    var standardHostReg = new RegExp('^([a-z\\d-]+-\\d+\\.)?(cos|cosv6|ci|pic)\\.([a-z\\d-]+)\\.myqcloud\\.com$');
+    if (standardHostReg.test(urlHost)) return urlHost;
+    return '';
+}
+
+
 // 异步获取签名
 function getAuthorizationAsync(params, callback) {
 
     var headers = util.clone(params.Headers);
+    var headerHost = '';
     util.each(headers, function (v, k) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
+        if (k.toLowerCase() === 'host') headerHost = v;
     });
 
+    // Host 加入签名计算
+    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
     var cb = function (err, AuthData) {
@@ -3405,6 +3441,8 @@ function submitRequest(params, callback) {
     var Query = util.clone(params.qs);
     params.action && (Query[params.action] = '');
 
+    var paramsUrl = params.url || params.Url;
+    var SignHost = params.SignHost || getSignHost.call(this, {Bucket: params.Bucket, Region: params.Region, Url: paramsUrl});
     var next = function (tryTimes) {
         var oldClockOffset = self.options.SystemClockOffset;
         getAuthorizationAsync.call(self, {
@@ -3414,6 +3452,7 @@ function submitRequest(params, callback) {
             Key: params.Key,
             Query: Query,
             Headers: params.headers,
+            SignHost: SignHost,
             Action: params.Action,
             ResourceKey: params.ResourceKey,
             Scope: params.Scope,
diff --git a/src/util.js b/src/util.js
@@ -62,6 +62,9 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
+    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');
 

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,9 @@ var getAuth = function (opt) {`
`62`	`62`	`pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);`
`63`	`63`	`}`
`64`	`64`
	`65`	`+ // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问`
	`66`	`+ if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';`
	`67`	`+`
`65`	`68`	`if (!SecretId) throw new Error('missing param SecretId');`
`66`	`69`	`if (!SecretKey) throw new Error('missing param SecretKey');`
`67`	`70`