SECURITY-5161: pull in new test cases, fix tests

Co-authored-by: Laszlo Hammerl <[email protected]>
emartech · Jun 7, 2024 · ec253ba · SchroederSteffen · Jul 15, 2024 · ec253ba
1 parent 0b0aedd
commit ec253ba
Show file tree

Hide file tree

Showing 10 changed files with 20 additions and 1,544 deletions.
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -12,9 +12,9 @@ jobs:
     strategy:
       matrix:
         node: [
-          '12.22.5',
-          '14.17.5',
-          '16.7.0'
+          '16',
+          '18',
+          '20'
         ]
 
     name: Node JS ${{ matrix.node }}

diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,7 @@ build/Release
 # Commenting this out is preferred by some people, see
 # https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git-
 node_modules
+package-lock.json
 
 # Users Environment Variables
 .lock-wscript

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v8.9.0
+v20.14.0
diff --git a/escher-test-cases b/escher-test-cases
diff --git a/lib/canonicalizer.js b/lib/canonicalizer.js
@@ -55,7 +55,7 @@ class Canonicalizer {
     const parsedUrl = Utils.parseUrl(preparedUrl, true);
     const headers = this._filterHeaders(Utils.normalizeHeaders(requestOptions.headers), headersToSign);
     const lines = [
-      requestOptions.method,
+      requestOptions.method.toUpperCase(),
       path.normalize(parsedUrl.pathname),
       this.canonicalizeQuery(parsedUrl.query),
       this._canonicalizeHeaders(headers).join('\n'),

diff --git a/lib/escher.js b/lib/escher.js
@@ -46,7 +46,7 @@ class Escher {
   signRequest(requestOptions, body, headersToSign) {
     const currentDate = new Date();
     this.validateRequest(requestOptions, body);
-    headersToSign = ['host', this._config.dateHeaderName.toLowerCase()].concat(headersToSign || []);
+    headersToSign = this.getHeadersToSign(headersToSign);
     const formattedDate =
       this._config.dateHeaderName.toLowerCase() === 'date'
         ? Utils.toHeaderDateFormat(currentDate)
@@ -60,6 +60,10 @@ class Escher {
     return requestOptions;
   }
 
+  getHeadersToSign(headersToSign) {
+    return ['host', this._config.dateHeaderName.toLowerCase()].concat(headersToSign || []);
+  }
+
   authenticate(request, keyDB, mandatorySignedHeaders) {
     const currentDate = new Date();
     this.validateRequest(request);
@@ -154,7 +158,7 @@ class Escher {
   }
 
   validateRequest(request, body) {
-    if (typeof request.method !== 'string' || !allowedRequestMethods.includes(request.method)) {
+    if (typeof request.method !== 'string' || !allowedRequestMethods.includes(request.method.toUpperCase())) {
       throw new Error('The request method is invalid');
     }
+0 −0		.conflict/signrequest-get-with-carets.json
+41 −0		emarsys_testsuite/authenticate-valid-lowercase-method.json
+21 −0		emarsys_testsuite/presignurl-valid-url-with-port.json
+8 −5		emarsys_testsuite/signrequest-date-header-should-be-signed-headers.json
+56 −0		emarsys_testsuite/signrequest-get-with-escaped-plus-signs.json
+1 −1		emarsys_testsuite/signrequest-get-with-parentheses.json
+56 −0		emarsys_testsuite/signrequest-get-with-plus-signs.json
+56 −0		emarsys_testsuite/signrequest-get-with-printable-characters.json
+56 −0		emarsys_testsuite/signrequest-get-with-spaces.json
+3 −3		emarsys_testsuite/signrequest-signedheaders-downcase.json
+3 −3		emarsys_testsuite/signrequest-support-custom-config.json