Merge pull request #145 from livehigh/feat/1.3.6

carsonxu · web-flow · commit e5137686eef9 · 2022-04-13T16:25:00.000+08:00
feat：支持设置签名不计算host
diff --git a/demo/demo.js b/demo/demo.js
@@ -70,6 +70,7 @@ var getAuthorization = function (options, callback) {
             Pathname: options.Pathname,
             Query: options.Query,
             Headers: options.Headers,
+            ForceSignHost: options.ForceSignHost,
             Expires: 900,
         });
         callback({
diff --git a/dist/cos-js-sdk-v5.js b/dist/cos-js-sdk-v5.js
@@ -157,8 +157,11 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
-    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
-    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = opt.ForceSignHost === false ? false : true;
+
+    // 如果有传入存储桶且需要强制签名，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region && forceSignHost) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
 
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');
@@ -596,6 +599,7 @@ var apiWrapper = function (apiName, apiFn) {
         var formatResult = function (result) {
             if (result && result.headers) {
                 result.headers['x-cos-request-id'] && (result.RequestId = result.headers['x-cos-request-id']);
+                result.headers['x-ci-request-id'] && (result.RequestId = result.headers['x-ci-request-id']);
                 result.headers['x-cos-version-id'] && (result.VersionId = result.headers['x-cos-version-id']);
                 result.headers['x-cos-delete-marker'] && (result.DeleteMarker = result.headers['x-cos-delete-marker']);
             }
@@ -2442,7 +2446,8 @@ var defaultOptions = {
     UploadQueueSize: 10000,
     UploadAddMetaMd5: false,
     UploadIdCacheLimit: 50,
-    UseAccelerate: false
+    UseAccelerate: false,
+    ForceSignHost: true // 默认将host加入签名计算，关闭后可能导致越权风险，建议保持为true
 };
 
 // 对外暴露的类
@@ -2485,7 +2490,7 @@ COS.util = {
     json2xml: util.json2xml
 };
 COS.getAuthorization = util.getAuth;
-COS.version = '1.3.5';
+COS.version = '1.3.6';
 
 module.exports = COS;
 
@@ -7901,7 +7906,8 @@ function getObjectUrl(params, callback) {
         Expires: params.Expires,
         Headers: params.Headers,
         Query: params.Query,
-        SignHost: SignHost
+        SignHost: SignHost,
+        ForceSignHost: params.ForceSignHost === false ? false : self.options.ForceSignHost // getObjectUrl支持传参ForceSignHost
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -8072,9 +8078,11 @@ function getAuthorizationAsync(params, callback) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
         if (k.toLowerCase() === 'host') headerHost = v;
     });
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = params.ForceSignHost === false ? false : true;
 
     // Host 加入签名计算
-    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+    if (!headerHost && params.SignHost && forceSignHost) headers.Host = params.SignHost;
 
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
@@ -8145,7 +8153,8 @@ function getAuthorizationAsync(params, callback) {
             Expires: params.Expires,
             UseRawKey: self.options.UseRawKey,
             SystemClockOffset: self.options.SystemClockOffset,
-            KeyTime: KeyTime
+            KeyTime: KeyTime,
+            ForceSignHost: self.options.ForceSignHost
         });
         var AuthData = {
             Authorization: Authorization,
@@ -8202,7 +8211,8 @@ function getAuthorizationAsync(params, callback) {
             Query: params.Query,
             Headers: headers,
             Scope: Scope,
-            SystemClockOffset: self.options.SystemClockOffset
+            SystemClockOffset: self.options.SystemClockOffset,
+            ForceSignHost: self.options.ForceSignHost
         }, function (AuthData) {
             if (typeof AuthData === 'string') AuthData = { Authorization: AuthData };
             var AuthError = checkAuthError(AuthData);
@@ -8245,7 +8255,8 @@ function getAuthorizationAsync(params, callback) {
                 Headers: headers,
                 Expires: params.Expires,
                 UseRawKey: self.options.UseRawKey,
-                SystemClockOffset: self.options.SystemClockOffset
+                SystemClockOffset: self.options.SystemClockOffset,
+                ForceSignHost: self.options.ForceSignHost
             });
             var AuthData = {
                 Authorization: Authorization,
@@ -8318,7 +8329,8 @@ function submitRequest(params, callback) {
             SignHost: SignHost,
             Action: params.Action,
             ResourceKey: params.ResourceKey,
-            Scope: params.Scope
+            Scope: params.Scope,
+            ForceSignHost: self.options.ForceSignHost
         }, function (err, AuthData) {
             if (err) {
                 callback(err);
diff --git a/dist/cos-js-sdk-v5.min.js b/dist/cos-js-sdk-v5.min.js
diff --git a/index.d.ts b/index.d.ts
@@ -145,11 +145,11 @@ declare namespace COS {
     ProgressInterval?: number,
     /** 上传队列最长大小，超出的任务如果状态不是 waiting、checking、uploading 会被清理，默认10000 */
     UploadQueueSize?: number,
-    /** 上传队列最长大小，超出的任务如果状态不是 waiting、checking、uploading 会被清理，默认10000 */
+    /** 调用操作存储桶和对象的 API 时自定义请求域名。可以使用模板，如"{Bucket}.cos.{Region}.myqcloud.com"，即在调用 API 时会使用参数中传入的 Bucket 和 Region 进行替换。 */
     Domain?: string,
-    /** 强制使用后缀式模式发请求。后缀式模式中 Bucket 会放在域名后的 pathname 里，并且 Bucket 会加入签名 pathname 计算，默认 false */
+    /** getService方法可以使用的自定义域名 */
     ServiceDomain?: string,
-    /** 强制使用后缀式模式发请求。后缀式模式中 Bucket 会放在域名后的 pathname 里，并且 Bucket 会加入签名 pathname 计算，默认 false */
+    /** http协议，枚举值'http:','https:'冒号必须 */
     Protocol?: string,
     /** 开启兼容模式，默认 false 不开启，兼容模式下不校验 Region 是否格式有误，在用于私有化 COS 时使用 */
     CompatibilityMode?: boolean,
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cos-js-sdk-v5",
-  "version": "1.3.5",
+  "version": "1.3.6",
   "description": "JavaScript SDK for [腾讯云对象存储](https://cloud.tencent.com/product/cos)",
   "main": "index.js",
   "types": "index.d.ts",
diff --git a/src/base.js b/src/base.js
@@ -3027,6 +3027,7 @@ function getObjectUrl(params, callback) {
         Headers: params.Headers,
         Query: params.Query,
         SignHost: SignHost,
+        ForceSignHost: params.ForceSignHost === false ? false : self.options.ForceSignHost, // getObjectUrl支持传参ForceSignHost
     }, function (err, AuthData) {
         if (!callback) return;
         if (err) {
@@ -3207,9 +3208,11 @@ function getAuthorizationAsync(params, callback) {
         (v === '' || ['content-type', 'cache-control', 'expires'].indexOf(k.toLowerCase()) > -1) && delete headers[k];
         if (k.toLowerCase() === 'host') headerHost = v;
     });
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = params.ForceSignHost === false ? false : true;
 
     // Host 加入签名计算
-    if (!headerHost && params.SignHost) headers.Host = params.SignHost;
+    if (!headerHost && params.SignHost && forceSignHost) headers.Host = params.SignHost;
 
     // 获取凭证的回调，避免用户 callback 多次
     var cbDone = false;
@@ -3280,7 +3283,8 @@ function getAuthorizationAsync(params, callback) {
             Expires: params.Expires,
             UseRawKey: self.options.UseRawKey,
             SystemClockOffset: self.options.SystemClockOffset,
-            KeyTime: KeyTime
+            KeyTime: KeyTime,
+            ForceSignHost: self.options.ForceSignHost,
         });
         var AuthData = {
             Authorization: Authorization,
@@ -3344,6 +3348,7 @@ function getAuthorizationAsync(params, callback) {
             Headers: headers,
             Scope: Scope,
             SystemClockOffset: self.options.SystemClockOffset,
+            ForceSignHost: self.options.ForceSignHost,
         }, function (AuthData) {
             if (typeof AuthData === 'string') AuthData = {Authorization: AuthData};
             var AuthError = checkAuthError(AuthData);
@@ -3385,6 +3390,7 @@ function getAuthorizationAsync(params, callback) {
                 Expires: params.Expires,
                 UseRawKey: self.options.UseRawKey,
                 SystemClockOffset: self.options.SystemClockOffset,
+                ForceSignHost: self.options.ForceSignHost,
             });
             var AuthData = {
                 Authorization: Authorization,
@@ -3460,6 +3466,7 @@ function submitRequest(params, callback) {
             Action: params.Action,
             ResourceKey: params.ResourceKey,
             Scope: params.Scope,
+            ForceSignHost: self.options.ForceSignHost,
         }, function (err, AuthData) {
             if (err) {
                 callback(err);
diff --git a/src/cos.js b/src/cos.js
@@ -35,6 +35,7 @@ var defaultOptions = {
     UploadAddMetaMd5: false,
     UploadIdCacheLimit: 50,
     UseAccelerate: false,
+    ForceSignHost: true, // 默认将host加入签名计算，关闭后可能导致越权风险，建议保持为true
 };
 
 // 对外暴露的类
@@ -77,6 +78,6 @@ COS.util = {
     json2xml: util.json2xml,
 };
 COS.getAuthorization = util.getAuth;
-COS.version = '1.3.5';
+COS.version = '1.3.6';
 
 module.exports = COS;
diff --git a/src/util.js b/src/util.js
@@ -86,8 +86,11 @@ var getAuth = function (opt) {
         pathname.indexOf('/') !== 0 && (pathname = '/' + pathname);
     }
 
-    // 如果有传入存储桶，那么签名默认加 Host 参与计算，避免跨桶访问
-    if (!headers.Host && !headers.host && opt.Bucket && opt.Region) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
+    // ForceSignHost明确传入false才不加入host签名
+    var forceSignHost = opt.ForceSignHost === false ? false : true;
+
+    // 如果有传入存储桶且需要强制签名，那么签名默认加 Host 参与计算，避免跨桶访问
+    if (!headers.Host && !headers.host && opt.Bucket && opt.Region && forceSignHost) headers.Host = opt.Bucket + '.cos.' + opt.Region + '.myqcloud.com';
 
     if (!SecretId) throw new Error('missing param SecretId');
     if (!SecretKey) throw new Error('missing param SecretKey');
@@ -534,6 +537,7 @@ var apiWrapper = function (apiName, apiFn) {
         var formatResult = function (result) {
             if (result && result.headers) {
                 result.headers['x-cos-request-id'] && (result.RequestId = result.headers['x-cos-request-id']);
+                result.headers['x-ci-request-id'] && (result.RequestId = result.headers['x-ci-request-id']);
                 result.headers['x-cos-version-id'] && (result.VersionId = result.headers['x-cos-version-id']);
                 result.headers['x-cos-delete-marker'] && (result.DeleteMarker = result.headers['x-cos-delete-marker']);
             }
diff --git a/test/test.js b/test/test.js
@@ -66,6 +66,7 @@ var getAuthorization = function (options, callback) {
             TmpSecretKey: credentials.tmpSecretKey,
             SecurityToken: credentials.sessionToken,
             ExpiredTime: data.expiredTime, // SDK 在 ExpiredTime 时间前，不会再次调用 getAuthorization
+            ForceSignHost: options.ForceSignHost,
         });
     };
     xhr.send();

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cos-js-sdk-v5",`
`3`		`- "version": "1.3.5",`
	`3`	`+ "version": "1.3.6",`
`4`	`4`	`"description": "JavaScript SDK for [腾讯云对象存储](https://cloud.tencent.com/product/cos)",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"types": "index.d.ts",`