From cc559ed9d7901138e91eeadb81526396606c478d Mon Sep 17 00:00:00 2001 From: Leif Henriksen Date: Wed, 11 Feb 2026 14:30:36 +0100 Subject: [PATCH 1/3] CLDSRV-849: test that a bad Date header returns the correct error and does not crash cloudserver --- .../raw-node/test/malformedDateHeader.js | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 tests/functional/raw-node/test/malformedDateHeader.js diff --git a/tests/functional/raw-node/test/malformedDateHeader.js b/tests/functional/raw-node/test/malformedDateHeader.js new file mode 100644 index 0000000000..eb9a1bcedc --- /dev/null +++ b/tests/functional/raw-node/test/malformedDateHeader.js @@ -0,0 +1,80 @@ +const assert = require('assert'); +const http = require('http'); + +const bucket = 'test-bucket'; +const objectKey = 'test-file.txt'; + +describe('malformed Date header:', () => { + it('should return AccessDenied for bad date with x-amz-content-sha256 header', done => { + const options = { + hostname: 'localhost', + port: 8000, + path: `/${bucket}/${objectKey}`, + method: 'GET', + headers: { + 'Date': 'BAD_DATE', + 'Authorization': 'AWS4-HMAC-SHA256 Credential=accessKey1/20260211/us-east-1/s3/aws4_request, ' + + 'SignedHeaders=host, Signature=d459d5b2a2395b4c65d8f8aa2729b22c5abb04614fafbd93ab4fe203e76d21a3', + 'X-Amz-Content-Sha256': 'fa8d015f89da2a769d1cea7e3bd77a5670d098d7844cda148a40c1304e5b778b', + 'Host': 'localhost:8000' + } + }; + + const req = http.request(options, res => { + let body = ''; + res.on('data', chunk => { + body += chunk; + }); + res.on('end', () => { + assert.strictEqual(res.statusCode, 403, 'Server should return 403 AccessDenied for malformed Date'); + assert(body.includes('AccessDenied'), 'Response should contain AccessDenied'); + assert(body.includes('Authentication requires a valid Date or x-amz-date header')); + done(); + }); + }); + + req.on('error', err => { + // If we get ECONNRESET or similar, it means the server crashed + assert.fail(`Server crashed or connection error: ${err.message}`); + }); + + req.end(); + }); + + it('should return AccessDenied for bad x-amz-date with x-amz-content-sha256 header', done => { + const options = { + hostname: 'localhost', + port: 8000, + path: `/${bucket}/${objectKey}`, + method: 'GET', + headers: { + 'X-Amz-Date': 'BAD_DATE', + 'Authorization': 'AWS4-HMAC-SHA256 Credential=accessKey1/20260211/us-east-1/s3/aws4_request, ' + + 'SignedHeaders=host;x-amz-date, ' + + 'Signature=d459d5b2a2395b4c65d8f8aa2729b22c5abb04614fafbd93ab4fe203e76d21a3', + 'X-Amz-Content-Sha256': 'fa8d015f89da2a769d1cea7e3bd77a5670d098d7844cda148a40c1304e5b778b', + 'Host': 'localhost:8000' + } + }; + + const req = http.request(options, res => { + let body = ''; + res.on('data', chunk => { + body += chunk; + }); + res.on('end', () => { + assert.strictEqual(res.statusCode, 403, 'Server should return 403 AccessDenied for malformed Date'); + assert(body.includes('AccessDenied'), 'Response should contain AccessDenied'); + assert(body.includes('Authentication requires a valid Date or x-amz-date header')); + done(); + }); + }); + + req.on('error', err => { + // If we get ECONNRESET or similar, it means the server crashed + assert.fail(`Server crashed or connection error: ${err.message}`); + }); + + req.end(); + }); +}); From 13eb2cef2a5c771706f5045210e20e0ceccc2330 Mon Sep 17 00:00:00 2001 From: Leif Henriksen Date: Fri, 13 Feb 2026 14:58:17 +0100 Subject: [PATCH 2/3] CLDSRV-847: bump arsenal version --- package.json | 2 +- yarn.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index ed1e412505..9a03b963b4 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "dependencies": { "@azure/storage-blob": "^12.28.0", "@hapi/joi": "^17.1.1", - "arsenal": "git+https://github.com/scality/arsenal#8.2.45", + "arsenal": "git+https://github.com/scality/arsenal#8.2.46", "async": "2.6.4", "aws-sdk": "^2.1692.0", "bucketclient": "scality/bucketclient#8.2.7", diff --git a/yarn.lock b/yarn.lock index 7f7c2d1403..8713ff7865 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1527,9 +1527,9 @@ arraybuffer.prototype.slice@^1.0.4: optionalDependencies: ioctl "^2.0.2" -"arsenal@git+https://github.com/scality/arsenal#8.2.45": - version "8.2.45" - resolved "git+https://github.com/scality/arsenal#af610f2510084a6e12a7c4c38b85eeb24a0e468c" +"arsenal@git+https://github.com/scality/arsenal#8.2.46": + version "8.2.46" + resolved "git+https://github.com/scality/arsenal#f241d4e2f292944d6bdb40789eec6085aa5fe7a2" dependencies: "@azure/identity" "^4.13.0" "@azure/storage-blob" "^12.28.0" From 9b836b82d069234dda8306cc24e50efd577846a4 Mon Sep 17 00:00:00 2001 From: Leif Henriksen Date: Mon, 16 Feb 2026 15:39:36 +0100 Subject: [PATCH 3/3] CLDSRV-849: bump package.json to 9.2.28 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9a03b963b4..17447ff98b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@zenko/cloudserver", - "version": "9.2.27", + "version": "9.2.28", "description": "Zenko CloudServer, an open-source Node.js implementation of a server handling the Amazon S3 protocol", "main": "index.js", "engines": {