Skip to content

Commit 490a18b

Browse files
s3: drop an unused Readable import; de-flake the tampered-signature test
The test overwrote the first signature hex char with a fixed '0', a no-op 1 time in 16 when the real signature already starts with 0 — flip the char instead so the tamper is guaranteed.
1 parent c3639a2 commit 490a18b

2 files changed

Lines changed: 4 additions & 2 deletions

File tree

s3/plugin.js

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,6 @@
6464
// no weaker than Bearer, but it is NOT a true secret — documented.
6565

6666
import crypto from 'node:crypto';
67-
import { Readable } from 'node:stream';
6867

6968
const XML_TYPE = 'application/xml';
7069
const S3_MAX_KEYS = 1000; // hard cap on a single ListObjectsV2 page

s3/test.js

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -261,7 +261,10 @@ describe('s3 plugin', () => {
261261
it('a tampered signature is refused with SignatureDoesNotMatch (403)', async () => {
262262
const url = s3('/sigbucket/obj.txt');
263263
const headers = sign({ method: 'GET', url, host, token });
264-
headers.authorization = headers.authorization.replace(/Signature=./, 'Signature=0');
264+
// flip (not overwrite) the first hex char — a fixed replacement is a
265+
// no-op 1 time in 16, when the real signature already starts with it
266+
headers.authorization = headers.authorization.replace(
267+
/Signature=(.)/, (_, c) => `Signature=${c === '0' ? '1' : '0'}`);
265268
const res = await fetch(url, { headers });
266269
assert.strictEqual(res.status, 403);
267270
assert.ok((await res.text()).includes('<Code>SignatureDoesNotMatch</Code>'));

0 commit comments

Comments
 (0)