From fff53191780ccada8a2464add531cb3bfcea6126 Mon Sep 17 00:00:00 2001 From: adimiz1 Date: Wed, 11 Jun 2025 12:37:21 +0300 Subject: [PATCH 1/3] Fix signature with escaping characters --- api/lib/uploader/utils.dart | 18 +++++++++++++----- api/test/uploader_test.dart | 11 +++++++++++ 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/api/lib/uploader/utils.dart b/api/lib/uploader/utils.dart index fac3cce..36de88e 100644 --- a/api/lib/uploader/utils.dart +++ b/api/lib/uploader/utils.dart @@ -10,19 +10,21 @@ class Utils { 'filename', ]; - static String apiSignRequest( - Map paramsMap, String apiSecret) { + static String apiSignRequest(Map paramsMap, String apiSecret) { List paramsArr = []; + paramsMap.removeWhere((key, value) => value == null); - paramsMap.removeWhere( - (key, value) => value == null || _excludeKeys.contains(key)); + paramsMap.removeWhere((key, value) => _excludeKeys.contains(key)); + var sortedParams = paramsMap.keys.whereType().toList()..sort(); + for (var key in sortedParams) { var value = paramsMap[key]; String? paramValue; + if (value is List) { if (value.isNotEmpty) { - paramValue = value.toString(); //.join(','); + paramValue = value.toString(); // original behavior } else { continue; } @@ -31,10 +33,16 @@ class Utils { paramValue = value.toString(); } } + if (paramValue != null) { + if (paramValue.contains('&')) { + return ''; + } + paramsArr.add('$key=${paramValue.replaceAll(r'\', '')}'); } } + var toSign = '${paramsArr.join('&')}$apiSecret'; return hex.encode(sha1.convert(utf8.encode(toSign)).bytes); } diff --git a/api/test/uploader_test.dart b/api/test/uploader_test.dart index fca7a85..72d9a1a 100644 --- a/api/test/uploader_test.dart +++ b/api/test/uploader_test.dart 
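Review bot: Returning `''` from `apiSignRequest` when a value contains `&` turns a rejected input into something the caller can still treat as a signature; nothing in this hunk stops the calling code from sending the request with an empty signature. Failing loudly is safer: replace `return '';` with `throw ArgumentError.value(paramValue, key, 'must not contain "&"');` and document on the method that it throws. The check also runs after both `removeWhere` calls have mutated the caller's map, so a rejected call still leaves `paramsMap` altered. The same `return ''` sentinel is reused in the `public_id` check added in patch 2 and kept in patch 3.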
@@ -549,6 +549,17 @@ void main() { var result = resultOrThrow(response?.data); assert(result.playbackUrl != null); }); + + test('Test signature with escaping characters', () { + final toSign = { + 'public_id': 'publicid&tags=blabla', + }; + + final apiSecret = 'your_api_secret'; // Replace with actual secret or mock + final signature = Utils.apiSignRequest(toSign, apiSecret); + + expect(signature, equals('')); + }); } validateSignature(UploadResult result) { From 4377ecf6d64634cad211991700ee0ed9130c891a Mon Sep 17 00:00:00 2001 From: adimiz1 Date: Wed, 11 Jun 2025 14:17:50 +0300 Subject: [PATCH 2/3] Add more escaping characters --- api/lib/uploader/utils.dart | 40 ++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/api/lib/uploader/utils.dart b/api/lib/uploader/utils.dart index 36de88e..3559d5b 100644 --- a/api/lib/uploader/utils.dart +++ b/api/lib/uploader/utils.dart 
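Review bot: The comment `// Replace with actual secret or mock` on the `apiSecret` line invites pasting a live API secret into a committed test file; a fixed dummy value is all this test needs, so the comment should say that instead, e.g. `// dummy value, never a real secret`. The test also pins only the `public_id` case and only the rejection path. One extra case with the `&` in a different key (constructed example: `{'tags': 'a&b'}`) and one where a benign map still yields a known digest would catch a later narrowing of the check or an accidental change to the string-to-sign.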
@@ -11,39 +11,37 @@ class Utils { ]; static String apiSignRequest(Map paramsMap, String apiSecret) { - List paramsArr = []; + final escapePattern = RegExp(r'[&=%+#]'); + final paramsArr = []; - paramsMap.removeWhere((key, value) => value == null); - paramsMap.removeWhere((key, value) => _excludeKeys.contains(key)); + paramsMap.removeWhere((key, value) => value == null || _excludeKeys.contains(key)); - var sortedParams = paramsMap.keys.whereType().toList()..sort(); + if (paramsMap.containsKey('public_id')) { + final publicId = paramsMap['public_id'].toString(); + if (escapePattern.hasMatch(publicId)) { + return ''; + } + } - for (var key in sortedParams) { - var value = paramsMap[key]; + final sortedKeys = paramsMap.keys.whereType().toList()..sort(); + + for (final key in sortedKeys) { + final value = paramsMap[key]; String? paramValue; - if (value is List) { - if (value.isNotEmpty) { - paramValue = value.toString(); // original behavior - } else { - continue; - } + if (value is List) { + if (value.isEmpty) continue; + paramValue = value.join(','); } else { - if (value != null) { - paramValue = value.toString(); - } + paramValue = value?.toString(); } if (paramValue != null) { - if (paramValue.contains('&')) { - return ''; - } - - paramsArr.add('$key=${paramValue.replaceAll(r'\', '')}'); + paramsArr.add('$key=$paramValue'); } } - var toSign = '${paramsArr.join('&')}$apiSecret'; + final toSign = '${paramsArr.join('&')}$apiSecret'; return hex.encode(sha1.convert(utf8.encode(toSign)).bytes); } From a468270247fe50d3bbf2bce4efdcb2bd7e3ed208 Mon Sep 17 00:00:00 2001 From: adimiz1 Date: Wed, 11 Jun 2025 14:21:32 +0300 Subject: [PATCH 3/3] Fix signature function --- api/lib/uploader/utils.dart | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/api/lib/uploader/utils.dart b/api/lib/uploader/utils.dart index 3559d5b..2037040 100644 --- a/api/lib/uploader/utils.dart +++ b/api/lib/uploader/utils.dart 
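Review bot: Moving the reserved-character check out of the loop and onto `public_id` alone reopens the ambiguity that patch 1 closed: every other value is again concatenated raw into `toSign` with `&` as the only separator, so a value containing `&` under any other signed key yields the same string-to-sign as a different set of parameters. Keep a per-value guard inside the loop, at least for `&`, either rejecting with `if (paramValue.contains('&')) throw ArgumentError.value(paramValue, key, 'must not contain "&"');` or encoding it in whatever way the verifying side expects, and keep the stricter `escapePattern` for `public_id` if that is wanted. The final state after patch 3 (the `-25,19 +27,25` hunk) has the same gap. Separately, this hunk switches list values from `value.toString()` to `value.join(',')` and drops the backslash stripping, both of which change the digest for existing callers; a comment should state which form the server verifies against.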
@@ -14,8 +14,10 @@ class Utils { final escapePattern = RegExp(r'[&=%+#]'); final paramsArr = []; - paramsMap.removeWhere((key, value) => value == null || _excludeKeys.contains(key)); + paramsMap.removeWhere((key, value) => value == null); + paramsMap.removeWhere((key, value) => _excludeKeys.contains(key)); + // Escape check for public_id only (extended) if (paramsMap.containsKey('public_id')) { final publicId = paramsMap['public_id'].toString(); if (escapePattern.hasMatch(publicId)) { @@ -25,19 +27,25 @@ class Utils { final sortedKeys = paramsMap.keys.whereType().toList()..sort(); - for (final key in sortedKeys) { - final value = paramsMap[key]; + for (var key in sortedKeys) { + var value = paramsMap[key]; String? paramValue; - if (value is List) { - if (value.isEmpty) continue; - paramValue = value.join(','); + if (value is List) { + if (value.isNotEmpty) { + paramValue = value.toString(); // KEEP original behavior (e.g. [a, b]) + } else { + continue; + } } else { - paramValue = value?.toString(); + if (value != null) { + paramValue = value.toString(); + } } if (paramValue != null) { - paramsArr.add('$key=$paramValue'); + // KEEP original backslash-stripping behavior + paramsArr.add('$key=${paramValue.replaceAll(r'\', '')}'); } }
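Review bot: The added comment `// Escape check for public_id only (extended)` describes escaping, but the code below it rejects the value and returns `''`; nothing is escaped. A comment that states the actual contract would serve the next reader better, for example `// Reject public_id values containing & = % + #; values of other keys are not checked here.` The body of `apiSignRequest` starts above this hunk and continues past it.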
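Review bot: `paramValue.replaceAll(r'\', '')` makes the signed string a lossy view of the parameters: two values that differ only in backslashes get the same signature, and the hunk does not show whether the value actually transmitted is stripped the same way. If the stripping mirrors what the server does before verifying, say so in place of `// KEEP original backslash-stripping behavior`; if it does not, sign the value exactly as it is sent. The same question applies to `value.toString()` on a `List`, which signs Dart's `[a, b]` rendering; confirm that this is the form the request carries.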