Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Secure and unsafe URLs do not work as expected

See original GitHub issue

Secure URLs in version 3 are not secure.
- The new behaviour of v3 that changes the safe URLs from /<hash>/<path> to /<security_key>/<path> is incorrect and completely defeats the purpose of the safe URL. The security key cannot appear in the public url to an image, only the hash can appear in a public url.
- See https://github.com/awslabs/serverless-image-handler/issues/54#issuecomment-426752073
- See the official docs which support this: https://github.com/thumbor/thumbor/wiki/security
It is impossible to disable unsafe URLs using the ENV vars (in v2 or v3)

Below are examples from my deployments for each version to demonstrate the problem.
All urls were requested for the first time for these tests, so CloudFront cache was empty for each one.
Screenshots of the Lambda config for the v2 and v3 deployments are shown below.

v2

With hash: loads (good):

https://d3f24ahusl0vhu.cloudfront.net/UpwsFH4gS8sPRTzw6Adc0sHKGwQ=/onfLoZx7d

With no hash or unsafe: error (good)

https://d3f24ahusl0vhu.cloudfront.net/onfLoZx7d

With unsafe: loads (bad)

https://d3f24ahusl0vhu.cloudfront.net/unsafe/onfLoZx7d

v3

With hash: error (bad)

https://d18aelkez1p3a0.cloudfront.net/5jel0cJtBXmMLI1Rupih8M6eiPc=/8GKv8lk32m

With no hash or unsafe: error (good)

https://d18aelkez1p3a0.cloudfront.net/8GKv8lk32m

With unsafe: loads (bad)

https://d18aelkez1p3a0.cloudfront.net/unsafe/8GKv8lk32m

With secret key in URL: loads (bad)

https://d18aelkez1p3a0.cloudfront.net/<redacted>/8GKv8lk32m

v2

v3

Issue Analytics

State:
Created 5 years ago
Comments:10 (3 by maintainers)

Top GitHub Comments

1reaction

razor-xcommented, Oct 10, 2018

@timkelty I agree. If you wanted URLs with out unsafe or the HMAC I would expect having to handle it via rewrite rules.

For anyone coming to this thread, I’ve summarized what I understand the expected behaviour should be below. Given the above examples however we know actual behaviour does not currently match (gsingh04 identified there may be a bug in Thumbor to account for some, but not all, of the issues).

With ALLOW_UNSAFE_URL=Yes a. Not load: https://example.cloudfront.net/<imagePath>/500x500.png b. Load: https://example.cloudfront.net/unsafe/<imagePath>/500x500.png c. Not load: https://example.cloudfront.net/<any-other-value>/<imagePath>/500x500.png
With ALLOW_UNSAFE_URL=Yes and SECURITY_KEY="top-secret" a. Not load: https://example.cloudfront.net/<imagePath>/500x500.png b. Load: https://example.cloudfront.net/unsafe/<imagePath>/500x500.png c. Not load: https://example.cloudfront.net/top-secret/<imagePath>/500x500.png d. Load: https://example.cloudfront.net/<correct-hmac>/<imagePath>/500x500.png e. Not load: https://example.cloudfront.net/<any-other-value>/<imagePath>/500x500.png
With ALLOW_UNSAFE_URL=No and SECURITY_KEY="top-secret" a. Not load: https://example.cloudfront.net/<imagePath>/500x500.png b. Not Load: https://example.cloudfront.net/unsafe/<imagePath>/500x500.png c. Not load: https://example.cloudfront.net/top-secret/<imagePath>/500x500.png d. Load: https://example.cloudfront.net/<correct-hmac>/<imagePath>/500x500.png e. Not load: https://example.cloudfront.net/<any-other-value>/<imagePath>/500x500.png

0reactions

tschafftercommented, Dec 2, 2018

@gsingh04

please note you should provide ONLY one of the environment variables

either ALLOW_UNSAFE_URL=true: when you want to allow unsafe URLs or SECURITY_KEY=mysecuritykey: when you want to implement safe URLs resolving the issue

Why both variable can not be passed as environment variables? If ALLOW_UNSAFE_URL is set to True, isn’t SECURITY_KEY simply ignored by Thumbor?