Return ErrContentSHA256Mismatch when sha256sum is invalid (#5188)

2025-01-11 15:03:22 -05:00 · 2017-11-16 19:13:04 +00:00 · 2017-11-16 19:13:04 +00:00 · 2a0a62b78d
commit 2a0a62b78d
parent 67f66c40c1
3 changed files with 24 additions and 15 deletions
--- a/cmd/signature-v4.go
+++ b/cmd/signature-v4.go
@ -289,7 +289,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
 	/// Verify finally if signature is same.

 	// Get canonical request.
-	presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, encodedQuery, req.URL.Path, req.Method)
+	presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, hashedPayload, encodedQuery, req.URL.Path, req.Method)

 	// Get string to sign from canonical request.
 	presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())
--- a/pkg/hash/reader.go
+++ b/pkg/hash/reader.go
@ -26,6 +26,8 @@ import (
 	"io"
 )

+var errNestedReader = errors.New("Nesting of Reader detected, not allowed")
+
 // Reader writes what it reads from an io.Reader to an MD5 and SHA256 hash.Hash.
 // Reader verifies that the content of the io.Reader matches the expected checksums.
 type Reader struct {
@ -40,17 +42,17 @@ type Reader struct {
 // SHA256 sum (if set) of the provided io.Reader at EOF.
 func NewReader(src io.Reader, size int64, md5Hex, sha256Hex string) (*Reader, error) {
 	if _, ok := src.(*Reader); ok {
-		return nil, errors.New("Nesting of Reader detected, not allowed")
+		return nil, errNestedReader
 	}

 	sha256sum, err := hex.DecodeString(sha256Hex)
 	if err != nil {
-		return nil, err
+		return nil, SHA256Mismatch{}
 	}

 	md5sum, err := hex.DecodeString(md5Hex)
 	if err != nil {
-		return nil, err
+		return nil, BadDigest{}
 	}

 	var sha256Hash hash.Hash
--- a/pkg/hash/reader_test.go
+++ b/pkg/hash/reader_test.go
@ -114,6 +114,7 @@ func TestHashReaderInvalidArguments(t *testing.T) {
 		size              int64
 		md5hex, sha256hex string
 		success           bool
+		expectedErr       error
 	}{
 		// Invalid md5sum NewReader() will fail.
 		{
@ -121,6 +122,7 @@ func TestHashReaderInvalidArguments(t *testing.T) {
 			size:        4,
 			md5hex:      "invalid-md5",
 			success:     false,
+			expectedErr: BadDigest{},
 		},
 		// Invalid sha256 NewReader() will fail.
 		{
@ -128,12 +130,14 @@ func TestHashReaderInvalidArguments(t *testing.T) {
 			size:        4,
 			sha256hex:   "invalid-sha256",
 			success:     false,
+			expectedErr: SHA256Mismatch{},
 		},
 		// Nested hash reader NewReader() will fail.
 		{
 			src:         &Reader{src: bytes.NewReader([]byte("abcd"))},
 			size:        4,
 			success:     false,
+			expectedErr: errNestedReader,
 		},
 		// Expected inputs, NewReader() will succeed.
 		{
@ -151,5 +155,8 @@ func TestHashReaderInvalidArguments(t *testing.T) {
 		if err == nil && !testCase.success {
 			t.Errorf("Test %d: Expected error, but got success", i+1)
 		}
+		if err != testCase.expectedErr {
+			t.Errorf("Test %d: Expected error %v, but got %v", i+1, testCase.expectedErr, err)
+		}
 	}
 }