[Security] HTTP Signature Verification: Missing Body Digest Validation #18

Open
opened 2026-02-11 18:49:18 +00:00 by thabeta · 0 comments

The Verifier.VerifyRequest function in internal/httpsig/verifier.go lacks explicit validation of the request body's digest. While it creates an httpsig.NewVerifier(r), it does not verify that the body content actually matches the Digest header if one is provided in the signature headers. This could lead to a scenario where the request headers (including the signature) are valid, but the body has been tampered with.

Proposed Fix: If maxBodyBytes is provided and the request has a body, calculate the digest of the body and ensure it matches the Digest header provided in the request before calling verifier.Verify.

Reference
geomind_code/webgateway#18