Host 参与签名计算

Author: carsonxu

index.d.ts

@@ -196,6 +196,10 @@ declare namespace COS {
     SecretId: string,
     /** 计算签名用的密钥 SecretKey，必选 */
     SecretKey: string,
+    /** 请求的存储桶，如果传入了 Bucket、Region，签名会默认加上 Host 字段，可选 */
+    Bucket?: Bucket,
+    /** 请求的地域，如果传入了 Bucket、Region，签名会默认加上 Host 字段，可选 */
+    Region?: Region,
     /** 请求方法，可选 */
     Method?: Method,
     /** 请求路径，最前面带 /，例如 /images/1.jpg，可选 */
@@ -1877,6 +1881,10 @@ Bulk：批量模式，恢复时间为24 - 48小时。 */
     SecretId?: string,
     /** 计算签名用的密钥 SecretKey，如果不传会用实例本身的凭证，可选 */
     SecretKey?: string,
+    /** 请求的存储桶，如果传入了 Bucket、Region，签名会默认加上 Host 字段，可选 */
+    Bucket?: Bucket,
+    /** 请求的地域，如果传入了 Bucket、Region，签名会默认加上 Host 字段，可选 */
+    Region?: Region,
     /** 请求方法 */
     Method?: Method,
     /** 请求的对象键，最前面不带 /，例如 images/1.jpg */

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cos-nodejs-sdk-v5",
-  "version": "2.9.21",
+  "version": "2.10.0",
   "description": "cos nodejs sdk v5",
   "main": "index.js",
   "types": "index.d.ts",

sdk/base.js

@@ -39,11 +39,17 @@ function getService(params, callback) {
         domain = protocol + '//service.cos.myqcloud.com';
     }
 
+    var SignHost = '';
+    var standardHost = region ? 'cos.' + region + '.myqcloud.com' : 'service.cos.myqcloud.com';
+    var urlHost = domain.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    if (standardHost === urlHost) SignHost = standardHost;
+
     submitRequest.call(this, {
         Action: 'name/cos:GetService',
         url: domain,
         method: 'GET',
         headers: params.Headers,
+        SignHost: SignHost,
     }, function (err, data) {
         if (err) return callback(err);
         var buckets = (data && data.ListAllMyBucketsResult && data.ListAllMyBucketsResult.Buckets
@@ -3022,6 +3028,8 @@ function getAuth(params) {
     return util.getAuth({
         SecretId: params.SecretId || this.options.SecretId || '',
         SecretKey: params.SecretKey || this.options.SecretKey || '',
+        Bucket: params.Bucket,
+        Region: params.Region,
         Method: params.Method,
         Key: params.Key,
         Query: params.Query,
@@ -3067,19 +3075,27 @@ function getObjectUrl(params, callback) {
 
     var queryParamsStr = '';
     if(params.Query){
-      queryParamsStr += util.obj2str(params.Query);
+        queryParamsStr += util.obj2str(params.Query);
     }
     if(params.QueryString){
-      queryParamsStr += (queryParamsStr ? '&' : '') + params.QueryString;
+        queryParamsStr += (queryParamsStr ? '&' : '') + params.QueryString;
     }
 
+    // 签名加上 Host，避免跨桶访问
+    var SignHost = '';
+    var standardHost = 'cos.' + params.Region + '.myqcloud.com';
+    if (!self.options.ForcePathStyle) standardHost = params.Bucket + '.' + standardHost;
+    var urlHost = url.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    if (standardHost === urlHost) SignHost = standardHost;
+
     var syncUrl = url;
     if (params.Sign !== undefined && !params.Sign) {
         queryParamsStr && (syncUrl += '?' + queryParamsStr);
         callback(null, {Url: syncUrl});
         return syncUrl;
     }
 
+    var SignHost = getSignHost.call(this, {Bucket: params.Bucket, Region: params.Region, Url: url});
     var AuthData = getAuthorizationAsync.call(this, {
         Action: ((params.Method || '').toUpperCase() === 'PUT' ? 'name/cos:PutObject' : 'name/cos:GetObject'),
         Bucket: params.Bucket || '',
@@ -3088,7 +3104,8 @@ function getObjectUrl(params, callback) {
         Key: params.Key,
         Expires: params.Expires,
         Headers: params.Headers,
-        Query: params.Query
+        Query: params.Query,
+        SignHost: SignHost,
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -3234,14 +3251,36 @@ function getUrl(params) {
     return url;
 }
 
+var getSignHost = function (opt) {
+    if (!opt.Bucket || !opt.Bucket) return '';
+    var ps = this.options.ForcePathStyle;
+    var url = opt.Url || getUrl({
+        ForcePathStyle: ps,
+        protocol: this.options.Protocol,
+        domain: this.options.Domain,
+        bucket: opt.Bucket,
+        region: opt.Region,
+    });
+    var standardHost = (ps ? '' : opt.Bucket + '.') + 'cos.' + opt.Region + '.myqcloud.com';
+    var urlHost = url.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
+    if (standardHost === urlHost) return standardHost;
+    return '';
+}
+
 // 异步获取签名
 function getAuthorizationAsync(params, callback) {
 
     var headers = util.clone(params.Headers);
+    var headerHost = '';
     util.each(headers, function (v, k) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
+        if (k.toLowerCase() === 'host') headerHost = v;
     });
 
+    // Host 加入签名计算
+    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+
+
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
     var cb = function (err, AuthData) {
@@ -3479,6 +3518,7 @@ function submitRequest(params, callback) {
     var Query = util.clone(params.qs);
     params.action && (Query[params.action] = '');
 
+    var SignHost = params.SignHost || getSignHost.call(this, {Bucket: params.Bucket, Region: params.Region});
     var next = function (tryTimes) {
         var oldClockOffset = self.options.SystemClockOffset;
         getAuthorizationAsync.call(self, {
@@ -3488,6 +3528,7 @@ function submitRequest(params, callback) {
             Key: params.Key,
             Query: Query,
             Headers: params.headers,
+            SignHost: SignHost,
             Action: params.Action,
             ResourceKey: params.ResourceKey,
             Scope: params.Scope,

sdk/util.js

@@ -63,6 +63,9 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
+    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');