AMI fails to validate from Media page

Pipeline Integrations
1

Hello,

I’ve built a flask server to handle AMI requests. I followed this article to setup validation. That has been working great for most of our AMIs but now I’ve implemented a new AMI to download Versions. This validates fine when looking at the Version list page of a project. However, if you use the AMI from the Media page it fails to validate. It seems like my flask endpoint is being sent incomplete request form data. In the below logs “our signature” corresponds to the signature computed using the secret key and the request form data as described in the article above.

This first log is from an AMI request sent from a Versions list page and shows a successful validation.

Validating AMI Signature...
     our signature: 89251cdb6dd60acfc8c00529e090ede484e4370c
 request signature: 89251cdb6dd60acfc8c00529e090ede484e4370c
 request arguments: cols=image,entity,code
                    column_display_names=Thumbnail,Link,Version Name
                    entity_type=Version
                    ids=12178
                    page_id=11713
                    project_id=652
                    project_name=20-XXX-TEST_PROJECT_B
                    referrer_path=/detail/HumanUser/89
                    selected_ids=12178
                    server_hostname=#########################
                    session_uuid=#########################
                    sort_column=updated_at
                    sort_direction=desc
                    target_column=image
                    timestamp=2020-11-19T15:44:25Z
                    title=undefined
                    user_id=89
                    user_login=dan.bradham
                    view=Default

This next log is from an AMI request sent from the Media page showing a failed validation.

Validating AMI Signature...
     our signature: 4e9240dd3f742738dc34384a263662a6136007d6
 request signature: 1a071f8d9598e0873151cb530eb61b185e1746fb
 request arguments: cols=
                    column_display_names=
                    entity_type=Version
                    ids=12178
                    page_id=8331
                    project_id=652
                    project_name=20-XXX-TEST_PROJECT_B
                    referrer_path=/page/8331
                    selected_ids=12178
                    server_hostname=#########################
                    session_uuid=#########################
                    timestamp=2020-11-19T15:45:12Z
                    title=undefined
                    user_id=89
                    user_login=dan.bradham

As a temporary stop-gap I’ve disabled validation on this particular AMI, but I really don’t want to! Any ideas?

2

Hi @Dan_Bradham!

I am just here to confirm that AMI’s get incomplete data from Versions on the media pages. Would also like to see a fix for that. :slight_smile:

Cheers,
Fabian

3

Thanks @Fabian!

Good to know I’m not alone on this.

4

Okay, fixed it!

Turns out the example code provided may be missing a bit of logic. When building the string_to_verify from the request form data you need to make sure to skip any fields with no data.

I can’t confirm whether the example code in the documentation works for the Media page or not as I’m handling requests through a Flask app and not BaseHTTPHandler + cgi.FieldStorage.

For me the logic that worked would be equivalent to this in the format of the example code (addition in bold)…

sorted_params = []
for field in form.keys():
    if field != "signature" and form[field].value:
        sorted_params.append("%s=%s\r\n" % (field, form[field].value))
sorted_params.sort()
string_to_verify = ''.join(sorted_params)
5

I was fighting with this all day, and finding this solve my issue. Thank you!

I also opened another thread here: AMI Security with Non-Python (Node.js) which means it does work with the “skip empty” fix now.