Add IMGPROXY_TRUSTED_SIGNATURES config

2025-09-27 12:07:59 +02:00 · 2024-02-22 17:33:52 +03:00
parent 33506eba4d
commit 73c54abd4e
4 changed files with 26 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@

 ## [Unreleased]
 ### Add
+- Add the [IMGPROXY_TRUSTED_SIGNATURES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_TRUSTED_SIGNATURES) config.
 - (pro) Add the [hashsum](https://docs.imgproxy.net/latest/usage/processing#hashsum) processing and info options.
 - (pro) Add the [calc_hashsums](https://docs.imgproxy.net/latest/usage/getting_info#calc-hashsums) info option.
 - (pro) Add the [IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES) config.
--- a/config/config.go
+++ b/config/config.go
@@ -74,9 +74,10 @@ var (
 	UseLinearColorspace bool
 	DisableShrinkOnLoad bool

-	Keys          [][]byte
-	Salts         [][]byte
-	SignatureSize int
+	Keys              [][]byte
+	Salts             [][]byte
+	SignatureSize     int
+	TrustedSignatures []string

 	Secret string

@@ -275,6 +276,7 @@ func Reset() {
 	Keys = make([][]byte, 0)
 	Salts = make([][]byte, 0)
 	SignatureSize = 32
+	TrustedSignatures = make([]string, 0)

 	Secret = ""

@@ -483,6 +485,7 @@ func Configure() error {
 		return err
 	}
 	configurators.Int(&SignatureSize, "IMGPROXY_SIGNATURE_SIZE")
+	configurators.StringSlice(&TrustedSignatures, "IMGPROXY_TRUSTED_SIGNATURES")

 	if err := configurators.HexSliceFile(&Keys, keyPath); err != nil {
 		return err
--- a/security/signature.go
+++ b/security/signature.go
@@ -19,6 +19,12 @@ func VerifySignature(signature, path string) error {
 		return nil
 	}

+	for _, s := range config.TrustedSignatures {
+		if s == signature {
+			return nil
+		}
+	}
+
 	messageMAC, err := base64.RawURLEncoding.DecodeString(signature)
 	if err != nil {
 		return ErrInvalidSignatureEncoding
--- a/security/signature_test.go
+++ b/security/signature_test.go
@@ -51,6 +51,19 @@ func (s *SignatureTestSuite) TestVerifySignatureMultiplePairs() {
 	require.Error(s.T(), err)
 }

+func (s *SignatureTestSuite) TestVerifySignatureTrusted() {
+	config.TrustedSignatures = []string{"truested"}
+	defer func() {
+		config.TrustedSignatures = []string{}
+	}()
+
+	err := VerifySignature("truested", "asd")
+	require.Nil(s.T(), err)
+
+	err = VerifySignature("untrusted", "asd")
+	require.Error(s.T(), err)
+}
+
 func TestSignature(t *testing.T) {
 	suite.Run(t, new(SignatureTestSuite))
 }