Merge branch 'master' into feat/getObject-support-useAccelerate

livehigh · livehigh · commit 59e79fd5f2f4 · 2022-04-13T16:43:50.000+08:00
diff --git a/demo/demo.js b/demo/demo.js
@@ -70,6 +70,7 @@ var getAuthorization = function (options, callback) {
             Pathname: options.Pathname,
             Query: options.Query,
             Headers: options.Headers,
+            ForceSignHost: options.ForceSignHost,
             Expires: 900,
         });
         callback({
diff --git a/dist/cos-js-sdk-v5.js b/dist/cos-js-sdk-v5.js
@@ -157,8 +157,11 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
-    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
-    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = opt.ForceSignHost === false ? false : true;
+
+    // 如果有传入存储桶且需要强制签名，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region && forceSignHost) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
 
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');
@@ -596,6 +599,7 @@ var apiWrapper = function (apiName, apiFn) {
         var formatResult = function (result) {
             if (result && result.headers) {
                 result.headers['x-cos-request-id'] && (result.RequestId = result.headers['x-cos-request-id']);
+                result.headers['x-ci-request-id'] && (result.RequestId = result.headers['x-ci-request-id']);
                 result.headers['x-cos-version-id'] && (result.VersionId = result.headers['x-cos-version-id']);
                 result.headers['x-cos-delete-marker'] && (result.DeleteMarker = result.headers['x-cos-delete-marker']);
             }
@@ -2442,7 +2446,8 @@ var defaultOptions = {
     UploadQueueSize: 10000,
     UploadAddMetaMd5: false,
     UploadIdCacheLimit: 50,
-    UseAccelerate: false
+    UseAccelerate: false,
+    ForceSignHost: true // 默认将host加入签名计算，关闭后可能导致越权风险，建议保持为true
 };
 
 // 对外暴露的类
@@ -2485,7 +2490,7 @@ COS.util = {
     json2xml: util.json2xml
 };
 COS.getAuthorization = util.getAuth;
-COS.version = '2.0.0';
+COS.version = '1.3.6';
 
 module.exports = COS;
 
@@ -7866,12 +7871,13 @@ function getAuth(params) {
  */
 function getObjectUrl(params, callback) {
     var self = this;
+    var useAccelerate = params.UseAccelerate === undefined ? self.options.UseAccelerate : params.UseAccelerate;
     var url = getUrl({
         ForcePathStyle: self.options.ForcePathStyle,
         protocol: params.Protocol || self.options.Protocol,
         domain: params.Domain || self.options.Domain,
         bucket: params.Bucket,
-        region: params.Region,
+        region: useAccelerate ? 'accelerate' : params.Region,
         object: params.Key
     });
 
@@ -7891,7 +7897,7 @@ function getObjectUrl(params, callback) {
     }
 
     // 签名加上 Host，避免跨桶访问
-    var SignHost = getSignHost.call(this, { Bucket: params.Bucket, Region: params.Region, Url: url });
+    var SignHost = getSignHost.call(this, { Bucket: params.Bucket, Region: params.Region, UseAccelerate: params.UseAccelerate, Url: url });
     var AuthData = getAuthorizationAsync.call(this, {
         Action: (params.Method || '').toUpperCase() === 'PUT' ? 'name/cos:PutObject' : 'name/cos:GetObject',
         Bucket: params.Bucket || '',
@@ -7901,7 +7907,8 @@ function getObjectUrl(params, callback) {
         Expires: params.Expires,
         Headers: params.Headers,
         Query: params.Query,
-        SignHost: SignHost
+        SignHost: SignHost,
+        ForceSignHost: params.ForceSignHost === false ? false : self.options.ForceSignHost // getObjectUrl支持传参ForceSignHost
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -8051,12 +8058,13 @@ function getUrl(params) {
 
 var getSignHost = function (opt) {
     if (!opt.Bucket || !opt.Region) return '';
+    var useAccelerate = opt.UseAccelerate === undefined ? this.options.UseAccelerate : opt.UseAccelerate;
     var url = opt.Url || getUrl({
         ForcePathStyle: this.options.ForcePathStyle,
         protocol: this.options.Protocol,
         domain: this.options.Domain,
         bucket: opt.Bucket,
-        region: this.options.UseAccelerate ? 'accelerate' : opt.Region
+        region: useAccelerate ? 'accelerate' : opt.Region
     });
     var urlHost = url.replace(/^https?:\/\/([^/]+)(\/.*)?$/, '$1');
     var standardHostReg = new RegExp('^([a-z\\d-]+-\\d+\\.)?(cos|cosv6|ci|pic)\\.([a-z\\d-]+)\\.myqcloud\\.com$');
@@ -8072,9 +8080,11 @@ function getAuthorizationAsync(params, callback) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
         if (k.toLowerCase() === 'host') headerHost = v;
     });
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = params.ForceSignHost === false ? false : true;
 
     // Host 加入签名计算
-    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+    if (!headerHost && params.SignHost && forceSignHost) headers.Host = params.SignHost;
 
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
@@ -8145,7 +8155,8 @@ function getAuthorizationAsync(params, callback) {
             Expires: params.Expires,
             UseRawKey: self.options.UseRawKey,
             SystemClockOffset: self.options.SystemClockOffset,
-            KeyTime: KeyTime
+            KeyTime: KeyTime,
+            ForceSignHost: self.options.ForceSignHost
         });
         var AuthData = {
             Authorization: Authorization,
@@ -8202,7 +8213,8 @@ function getAuthorizationAsync(params, callback) {
             Query: params.Query,
             Headers: headers,
             Scope: Scope,
-            SystemClockOffset: self.options.SystemClockOffset
+            SystemClockOffset: self.options.SystemClockOffset,
+            ForceSignHost: self.options.ForceSignHost
         }, function (AuthData) {
             if (typeof AuthData === 'string') AuthData = { Authorization: AuthData };
             var AuthError = checkAuthError(AuthData);
@@ -8245,7 +8257,8 @@ function getAuthorizationAsync(params, callback) {
                 Headers: headers,
                 Expires: params.Expires,
                 UseRawKey: self.options.UseRawKey,
-                SystemClockOffset: self.options.SystemClockOffset
+                SystemClockOffset: self.options.SystemClockOffset,
+                ForceSignHost: self.options.ForceSignHost
             });
             var AuthData = {
                 Authorization: Authorization,
@@ -8318,7 +8331,8 @@ function submitRequest(params, callback) {
             SignHost: SignHost,
             Action: params.Action,
             ResourceKey: params.ResourceKey,
-            Scope: params.Scope
+            Scope: params.Scope,
+            ForceSignHost: self.options.ForceSignHost
         }, function (err, AuthData) {
             if (err) {
                 callback(err);
diff --git a/dist/cos-js-sdk-v5.min.js b/dist/cos-js-sdk-v5.min.js
diff --git a/index.d.ts b/index.d.ts
@@ -145,11 +145,11 @@ declare namespace COS {
     ProgressInterval?: number,
     /** 上传队列最长大小，超出的任务如果状态不是 waiting、checking、uploading 会被清理，默认10000 */
     UploadQueueSize?: number,
-    /** 上传队列最长大小，超出的任务如果状态不是 waiting、checking、uploading 会被清理，默认10000 */
+    /** 调用操作存储桶和对象的 API 时自定义请求域名。可以使用模板，如"{Bucket}.cos.{Region}.myqcloud.com"，即在调用 API 时会使用参数中传入的 Bucket 和 Region 进行替换。 */
     Domain?: string,
-    /** 强制使用后缀式模式发请求。后缀式模式中 Bucket 会放在域名后的 pathname 里，并且 Bucket 会加入签名 pathname 计算，默认 false */
+    /** getService方法可以使用的自定义域名 */
     ServiceDomain?: string,
-    /** 强制使用后缀式模式发请求。后缀式模式中 Bucket 会放在域名后的 pathname 里，并且 Bucket 会加入签名 pathname 计算，默认 false */
+    /** http协议，枚举值'http:','https:'冒号必须 */
     Protocol?: string,
     /** 开启兼容模式，默认 false 不开启，兼容模式下不校验 Region 是否格式有误，在用于私有化 COS 时使用 */
     CompatibilityMode?: boolean,
@@ -1137,7 +1137,7 @@ declare namespace COS {
   // getObject
   /** getObject 接口参数 */
   interface GetObjectParams extends ObjectParams {
-    BodyType?: 'text' | 'blob' | 'arraybuffer',
+    DataType?: 'text' | 'blob' | 'arraybuffer',
     /** 请求里的 Url Query 参数，传入该值中的 key/value 将会被 URLEncode */
     Query?: Query,
     /** 请求里的 Url Query 参数。传入该值将直接拼接在 Url 上，不会对其进行 URLEncode */
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cos-js-sdk-v5",
-  "version": "2.0.0",
+  "version": "1.3.6",
   "description": "JavaScript SDK for [腾讯云对象存储](https://cloud.tencent.com/product/cos)",
   "main": "index.js",
   "types": "index.d.ts",
diff --git a/src/base.js b/src/base.js
@@ -3028,6 +3028,7 @@ function getObjectUrl(params, callback) {
         Headers: params.Headers,
         Query: params.Query,
         SignHost: SignHost,
+        ForceSignHost: params.ForceSignHost === false ? false : self.options.ForceSignHost, // getObjectUrl支持传参ForceSignHost
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -3209,9 +3210,11 @@ function getAuthorizationAsync(params, callback) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
         if (k.toLowerCase() === 'host') headerHost = v;
     });
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = params.ForceSignHost === false ? false : true;
 
     // Host 加入签名计算
-    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+    if (!headerHost && params.SignHost && forceSignHost) headers.Host = params.SignHost;
 
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
@@ -3282,7 +3285,8 @@ function getAuthorizationAsync(params, callback) {
             Expires: params.Expires,
             UseRawKey: self.options.UseRawKey,
             SystemClockOffset: self.options.SystemClockOffset,
-            KeyTime: KeyTime
+            KeyTime: KeyTime,
+            ForceSignHost: self.options.ForceSignHost,
         });
         var AuthData = {
             Authorization: Authorization,
@@ -3346,6 +3350,7 @@ function getAuthorizationAsync(params, callback) {
             Headers: headers,
             Scope: Scope,
             SystemClockOffset: self.options.SystemClockOffset,
+            ForceSignHost: self.options.ForceSignHost,
         }, function (AuthData) {
             if (typeof AuthData === 'string') AuthData = {Authorization: AuthData};
             var AuthError = checkAuthError(AuthData);
@@ -3387,6 +3392,7 @@ function getAuthorizationAsync(params, callback) {
                 Expires: params.Expires,
                 UseRawKey: self.options.UseRawKey,
                 SystemClockOffset: self.options.SystemClockOffset,
+                ForceSignHost: self.options.ForceSignHost,
             });
             var AuthData = {
                 Authorization: Authorization,
@@ -3462,6 +3468,7 @@ function submitRequest(params, callback) {
             Action: params.Action,
             ResourceKey: params.ResourceKey,
             Scope: params.Scope,
+            ForceSignHost: self.options.ForceSignHost,
         }, function (err, AuthData) {
             if (err) {
                 callback(err);
diff --git a/src/cos.js b/src/cos.js
@@ -35,6 +35,7 @@ var defaultOptions = {
     UploadAddMetaMd5: false,
     UploadIdCacheLimit: 50,
     UseAccelerate: false,
+    ForceSignHost: true, // 默认将host加入签名计算，关闭后可能导致越权风险，建议保持为true
 };
 
 // 对外暴露的类
@@ -77,6 +78,6 @@ COS.util = {
     json2xml: util.json2xml,
 };
 COS.getAuthorization = util.getAuth;
-COS.version = '2.0.0';
+COS.version = '1.3.6';
 
 module.exports = COS;
diff --git a/src/util.js b/src/util.js
@@ -86,8 +86,11 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
-    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
-    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = opt.ForceSignHost === false ? false : true;
+
+    // 如果有传入存储桶且需要强制签名，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region && forceSignHost) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
 
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');
@@ -534,6 +537,7 @@ var apiWrapper = function (apiName, apiFn) {
         var formatResult = function (result) {
             if (result && result.headers) {
                 result.headers['x-cos-request-id'] && (result.RequestId = result.headers['x-cos-request-id']);
+                result.headers['x-ci-request-id'] && (result.RequestId = result.headers['x-ci-request-id']);
                 result.headers['x-cos-version-id'] && (result.VersionId = result.headers['x-cos-version-id']);
                 result.headers['x-cos-delete-marker'] && (result.DeleteMarker = result.headers['x-cos-delete-marker']);
             }
diff --git a/test/test.js b/test/test.js
@@ -66,6 +66,7 @@ var getAuthorization = function (options, callback) {
             TmpSecretKey: credentials.tmpSecretKey,
             SecurityToken: credentials.sessionToken,
             ExpiredTime: data.expiredTime, // SDK 在 ExpiredTime 时间前，不会再次调用 getAuthorization
+            ForceSignHost: options.ForceSignHost,
         });
     };
     xhr.send();

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cos-js-sdk-v5",`
`3`		`- "version": "2.0.0",`
	`3`	`+ "version": "1.3.6",`
`4`	`4`	`"description": "JavaScript SDK for [腾讯云对象存储](https://cloud.tencent.com/product/cos)",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"types": "index.d.ts",`