fix: use RFC3689 encoding for S3 signature v4 (#793)

itslenny · web-flow · commit 0f7b2cd7797c · 2025-11-01T08:54:01.000+01:00
diff --git a/src/storage/protocols/s3/signature-v4.ts b/src/storage/protocols/s3/signature-v4.ts
@@ -412,11 +412,27 @@ export class SignatureV4 {
     return `${method}\n${canonicalUri}\n${canonicalQueryString}\n${canonicalHeaders}\n${signedHeadersString}\n${payloadHash}`
   }
 
+  /**
+   * Encodes a URI component according to RFC 3986, as required by AWS Signature V4.
+   * This differs from encodeURIComponent which doesn't encode certain characters
+   * like parentheses that AWS requires to be percent-encoded.
+   */
+  protected encodeRFC3986URIComponent(str: string): string {
+    return encodeURIComponent(str).replace(/[!'()*]/g, (c) => {
+      return '%' + c.charCodeAt(0).toString(16).toUpperCase()
+    })
+  }
+
   protected constructCanonicalQueryString(query: Record<string, string>) {
     return Object.keys(query)
       .filter((key) => !(key in ALWAYS_UNSIGNABLE_QUERY_PARAMS))
       .sort()
-      .map((key) => `${encodeURIComponent(key)}=${encodeURIComponent(query[key] as string)}`)
+      .map(
+        (key) =>
+          `${this.encodeRFC3986URIComponent(key)}=${this.encodeRFC3986URIComponent(
+            query[key] as string
+          )}`
+      )
       .join('&')
   }
 
diff --git a/src/test/s3-protocol.test.ts b/src/test/s3-protocol.test.ts
@@ -292,6 +292,47 @@ describe('S3 Protocol', () => {
         expect(resp.Contents?.length).toBe(3)
       })
 
+      it('list objects with aws specific uri encoding', async () => {
+        const bucket = await createBucket(client)
+        const testObject1 = 'test (1).jpg'
+        const testObject2 = `prefix-1/test-1!'(123)*.jpg`
+
+        await Promise.all([testObject1, testObject2].map((v) => uploadFile(client, bucket, v, 1)))
+
+        const resp = await client.send(
+          new ListObjectsV2Command({
+            Bucket: bucket,
+          })
+        )
+        expect(resp.Contents?.length).toBe(2)
+
+        const resp2 = await client.send(
+          new ListObjectsV2Command({
+            Bucket: bucket,
+            Prefix: 'test (',
+          })
+        )
+        expect(resp2.Contents?.length).toBe(1)
+        expect(resp2.Contents).toEqual([
+          expect.objectContaining({
+            Key: testObject1,
+          }),
+        ])
+
+        const resp3 = await client.send(
+          new ListObjectsV2Command({
+            Bucket: bucket,
+            Prefix: `prefix-1/test-1!'(123)*`,
+          })
+        )
+        expect(resp3.Contents?.length).toBe(1)
+        expect(resp3.Contents).toEqual([
+          expect.objectContaining({
+            Key: testObject2,
+          }),
+        ])
+      })
+
       it('list keys and common prefixes', async () => {
         const bucket = await createBucket(client)
         const listBuckets = new ListObjectsV2Command({
