nic-6443 opened a new pull request, #13520: URL: https://github.com/apache/apisix/pull/13520
### Description

When the aws-lambda plugin uses IAM authorization and the client request carries any query parameter that needs URL encoding (e.g. a space), AWS rejects the invocation with 403 `InvalidSignatureException`.

The root cause is in the canonical query string construction: `core.request.get_uri_args()` already returns percent-decoded args, the plugin runs `ngx.unescape_uri()` over them and signs the decoded string, while the query actually sent on the wire is re-encoded by lua-resty-http (`ngx.encode_args` on the table). So the signature is computed over different bytes than what AWS receives, e.g. `with space=a/b c` is signed but `with%20space=a%2Fb%20c` is sent. The same lines also corrupt the canonical string for repeated args (the table value is stringified to `table: 0x...`) and for valueless args (`?flag` is signed as `flag=true` but sent as `flag`).

This PR builds the canonical query string per the SigV4 spec: every name and value is percent-encoded with the RFC3986 unreserved set (AWS UriEncode rules), repeated args are expanded into one pair per value, a valueless arg gets an empty value, and the pairs are sorted by encoded name then encoded value. The plugin now also passes this exact string as `params.query` — lua-resty-http sends a string query through unmodified — so the signed query string and the wire query string are identical by construction.

The new test emulates the AWS server-side validation: the mock rebuilds the canonical request from the request it actually received and recomputes the signature with the known secret key, so it catches any mismatch between what is signed and what is sent.
#### Which issue(s) this PR fixes:

Fixes #11097

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
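
The canonical query string rules the description lists, as an added standalone Lua example that is not the PR's code or the plugin's implementation. The helper names `uri_encode` and `canonical_query` and the sample args table are assumptions made for illustration; the table is shaped like the decoded result of `get_uri_args()` (string value, `true` for a valueless arg, table for a repeated arg).

```lua
-- Added example, not APISIX code: SigV4 canonical query string built from
-- already-decoded args. Pure Lua, no ngx.* calls, so it runs with plain `lua`.

-- AWS UriEncode: keep the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~) and
-- percent-encode every other byte as uppercase hex.
local function uri_encode(s)
    return (tostring(s):gsub("[^A-Za-z0-9%-%._~]", function(c)
        return string.format("%%%02X", string.byte(c))
    end))
end

-- Hypothetical helper: returns the string that should be both signed and sent.
local function canonical_query(args)
    local encoded = {}
    for name, value in pairs(args) do
        -- A repeated arg arrives as a table: expand to one pair per value.
        local values = type(value) == "table" and value or { value }
        for _, v in ipairs(values) do
            -- A valueless arg (?flag) is decoded as boolean true: sign it
            -- with an empty value, never as the literal "true".
            if v == true then v = "" end
            encoded[#encoded + 1] = { uri_encode(name), uri_encode(v) }
        end
    end
    -- Sort by encoded name, then by encoded value (byte order, which is what
    -- Lua's string comparison gives in the default C locale).
    table.sort(encoded, function(a, b)
        if a[1] ~= b[1] then return a[1] < b[1] end
        return a[2] < b[2]
    end)
    local parts = {}
    for i, pair in ipairs(encoded) do
        parts[i] = pair[1] .. "=" .. pair[2]
    end
    return table.concat(parts, "&")
end

-- Constructed sample: decoded form of ?with%20space=a%2Fb%20c&id=2&id=1&flag
local args = { ["with space"] = "a/b c", id = { "2", "1" }, flag = true }
local query = canonical_query(args)
assert(query == "flag=&id=1&id=2&with%20space=a%2Fb%20c")
print(query)
```

Using this one string both in the canonical request and as the outgoing query is what keeps the signed bytes and the wire bytes from diverging.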
