From 4bf79e9f1a85bba15bfa2d9de6d9915815924cea Mon Sep 17 00:00:00 2001
From: Excitable Snowball
Date: Wed, 6 Dec 2023 03:40:15 -0800
Subject: [PATCH] Sanitize Amazon CloudFront signature in imagery_used (#10007)
---
 modules/renderer/background_source.js | 2 +-
 test/spec/renderer/background_source.js | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/modules/renderer/background_source.js b/modules/renderer/background_source.js
index 3aff58fe2..959b3e6c7 100644
--- a/modules/renderer/background_source.js
+++ b/modules/renderer/background_source.js
@@ -583,7 +583,7 @@ rendererBackgroundSource.Custom = function(template) {
 var parts = cleaned.split('?', 2);
 var qs = utilStringQs(parts[1]);
- ['access_token', 'connectId', 'token'].forEach(function(param) {
+ ['access_token', 'connectId', 'token', 'Signature'].forEach(function(param) {
 if (qs[param]) {
 qs[param] = '{apikey}';
 }
diff --git a/test/spec/renderer/background_source.js b/test/spec/renderer/background_source.js
index 7f3980295..e276b90d6 100644
--- a/test/spec/renderer/background_source.js
+++ b/test/spec/renderer/background_source.js
@@ -92,6 +92,10 @@ describe('iD.rendererBackgroundSource.Custom', function() {
 var source = iD.rendererBackgroundSource.Custom('http://example.com?token=MYTOKEN');
 expect(source.imageryUsed()).to.eql('Custom (http://example.com?token={apikey} )');
 });
+ it('sanitizes `Signature` for CloudFront', function() {
+ var source = iD.rendererBackgroundSource.Custom('https://example.com/?Key-Pair-Id=foo&Policy=bar&Signature=baz');
+ expect(source.imageryUsed()).to.eql('Custom (https://example.com/?Key-Pair-Id=foo&Policy=bar&Signature={apikey} )');
+ });
 it('sanitizes wms path `token`', function() {
 var source = iD.rendererBackgroundSource.Custom('http://example.com/wms/v1/token/MYTOKEN/1.0.0/layer');
 expect(source.imageryUsed()).to.eql('Custom (http://example.com/wms/v1/token/{apikey}/1.0.0/layer )');
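Review bot: The redaction list in `rendererBackgroundSource.Custom` remains an exact-name, case-sensitive denylist, so adding `'Signature'` covers CloudFront only; other signed-URL schemes, such as S3 presigned URLs (`X-Amz-Signature`, `X-Amz-Security-Token`) or Azure SAS (`sig`), would still reach the imagery_used string verbatim. Consider extending the array on the changed line, e.g. `['access_token', 'connectId', 'token', 'Signature', 'X-Amz-Signature', 'X-Amz-Security-Token', 'sig']`, or comparing parameter names case-insensitively. For CloudFront itself, `Policy` and `Key-Pair-Id` are left in place: the URL should be unusable without the signature, but a custom policy is base64-encoded JSON that can disclose the resource pattern, expiry and any IP restriction, so a comment such as `// Signature is the only secret part; Policy and Key-Pair-Id are kept deliberately` would record that decision. The `forEach` call and the enclosing function both close outside the hunk.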
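Review bot: The new spec covers only the custom-policy form of a CloudFront signed URL (`Key-Pair-Id`, `Policy`, `Signature`); the canned-policy form carries `Expires` instead of `Policy`, and a second case would show that the redaction does not depend on which sibling parameters are present or on `Signature` coming last. For example, `iD.rendererBackgroundSource.Custom('https://example.com/?Expires=1&Signature=baz&Key-Pair-Id=foo')` with an expectation that the result contains `Signature={apikey}` and not `baz`. The expected string here also pins `Policy=bar` as retained, so if `Policy` is later judged worth redacting this assertion has to change with it.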