Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

FR: implement URL tampering encoding (v3/Thumbor)

See original GitHub issue

In 3.x, I generated safe URLs by setting a SECURITY_KEY env var, which is used by Thumbor to create the encoded url: https://github.com/thumbor/thumbor/wiki/security

I could then use this same SECURITY_KEY to generate a valid url with another backend-system (eg PHP.

How can I do something similar with 4.x/Sharp?

Issue Analytics

State:
Created 4 years ago
Reactions:2
Comments:9 (2 by maintainers)

Top GitHub Comments

7reactions

hayesrycommented, Jun 26, 2019

@timkelty Thanks for adding this request, I’m copying it into our feature backlog to be looked into and addressed in a future release. Your feedback has been super helpful in the improvement of this solution!

2reactions

soupy1976commented, Jul 18, 2019

Due to the fact that AWS have updated the lambda execution environment, which caused our old thumbor implementation to break, we had to implement this ourselves. If anyone is interested, this is the code we have so far (this is not tested in production yet, so no guarantees…but maybe helpful to someone)

     /**
     * verifies that the security hash sent in the path is valid
     * @param {Object} event - The request body.
     * @param {String} security_key - The security key from environment variable.*     
     */
    verifySecurityHash(event, security_key) {
        var crypto = require('crypto');

        var path = event.path;
        const pathParts = path.split('/');
        var securityHash = pathParts[securityHashPathIndex];
        path = path.replace('/' + securityHash + '/', '');
        var hash = crypto.createHmac('sha1', security_key).update(path).digest('base64').replace(/\+/g, "-").replace(/\//g, "_");

        if (securityHash !== hash) {
            throw new Error('ThumborMapping::VerifySecurityHash::InvalidSecurityHash');
        }
        return true;
    }

securityHashPathIndex (for us at least) is 1. We get security_key from the environment variables (ie. process.env.SECURITY_KEY) and set that in the AWS lambda environment vars.

Here are a couple of unit tests we wrote for it, with the keys and paths removed:

// ----------------------------------------------------------------------------
// verifySecurityHash()
// ----------------------------------------------------------------------------
describe('verifySecurityHash()', function () {
    describe('001/validHash', function () {
        it(`Should pass if the security hash is being validated correctly`, function () {

                // Arrange
                var security_key = '{[[insert your security key here]]';
                var securityHash = '[[insert your 'correct' hash of the security key here]]';

                const event = {
                    path: '/' + securityHash +'[[insert your path which results in the above hash here]]'
                }
                // Act
                const thumborMapping = new ThumborMapping();
                var result = thumborMapping.verifySecurityHash(event, security_key);
                // Assert
                const expectedResult = true;
                assert.deepEqual(result, expectedResult);
            });
    });
    describe('002/InvalidHash', function () {
        it(`Should pass if it is throwing error for invalid security hash`, function () {

            // Arrange
			var security_key = '{[[insert your security key here]]';
			var securityHash = '[[insert your 'incorrect' hash of the security key here]]';

			const event = {
				path: '/' + securityHash +'[[insert your path which does not result in the above hash here]]'
			}
			
            // Act
            const thumborMapping = new ThumborMapping();
            // Assert
            assert.throws(function () {
                thumborMapping.verifySecurityHash(event, security_key);
            }, Error, 'ThumborMapping::VerifySecurityHash::InvalidSecurityHash');
        });
    });
});

Top Results From Across the Web

FR: implement URL tampering encoding (v3/Thumbor) #111

In 3.x, I generated safe URLs by setting a SECURITY_KEY env var, which is used by Thumbor to create the encoded url: ...

Web Parameter Tampering - OWASP Foundation

The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data,...

Tamper-proof URL parameters with JWTs

Tamper -proof URL parameters with JWTs. URL parameters are straightforward to send information along in a request.

Preventing URL Tampering - Oracle Help Center

You can configure security attributes in two ways: Use a wizard and select a value for specific attribute categories. Those selections are then...

URL Encoded Attacks - CGISecurity

Using a mix of escaped-encoding and Unicode character representation, it is often possible for an attacker to craft requests that may be interpreted...