Skip to content

CLDSRV-849: don't crash if invalid Date header#6079

Merged
bert-e merged 3 commits intodevelopment/9.2from
bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header
Feb 16, 2026
Merged

CLDSRV-849: don't crash if invalid Date header#6079
bert-e merged 3 commits intodevelopment/9.2from
bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

Conversation

@leif-scality
Copy link
Contributor

@leif-scality leif-scality commented Feb 11, 2026

Test that the arsenal bump fixed the invalid Date header crash.

Repro code:

curl -v -H "Date: BAD_DATE" -H "Authorization: AWS4-HMAC-SHA256 Credential=accessKey1/20260211/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=d459d5b2a2395b4c65d8f8aa2729b22c5abb04614fafbd93ab4fe203e76d21a3" -H "X-Amz-Content-Sha256: fa8d015f89da2a769d1cea7e3bd77a5670d098d7844cda148a40c1304e5b778b" localhost:8000/leif-us-east-1/test-file.txt
2026-02-11T09:33:06.467Z: uncaughtException:
RangeError: Invalid time value
    at Date.toISOString (<anonymous>)
    at convertUTCtoISO8601 (/app/node_modules/arsenal/build/lib/auth/v4/timeUtils.js:26:43)
    at Object.check [as headers] (/app/node_modules/arsenal/build/lib/auth/v4/headerAuthCheck.js:98:57)
    at extractParams (/app/node_modules/arsenal/build/lib/auth/auth.js:122:47)
    at Object.doAuth (/app/node_modules/arsenal/build/lib/auth/auth.js:140:17)
    at /app/lib/api/api.js:238:33
    at nextTask (/app/node_modules/async/dist/async.js:5327:14)
    at Object.waterfall (/app/node_modules/async/dist/async.js:5337:5)
    at processRequest (/app/lib/api/api.js:237:22)
    at Object.callApiMethod (/app/lib/api/api.js:418:16)
{"name":"S3","time":1770802386467,"error":"Invalid time value","stack":"RangeError: Invalid time value\n    at Date.toISOString (<anonymous>)\n    at convertUTCtoISO8601 (/app/node_modules/arsenal/build/lib/auth/v4/timeUtils.js:26:43)\n    at Object.check [as headers] (/app/node_modules/arsenal/build/lib/auth/v4/headerAuthCheck.js:98:57)\n    at extractParams (/app/node_modules/arsenal/build/lib/auth/auth.js:122:47)\n    at Object.doAuth (/app/node_modules/arsenal/build/lib/auth/auth.js:140:17)\n    at /app/lib/api/api.js:238:33\n    at nextTask (/app/node_modules/async/dist/async.js:5327:14)\n    at Object.waterfall (/app/node_modules/async/dist/async.js:5337:5)\n    at processRequest (/app/lib/api/api.js:237:22)\n    at Object.callApiMethod (/app/lib/api/api.js:418:16)","level":"fatal","message":"caught error","hostname":"xps","pid":886}

@bert-e
Copy link
Contributor

bert-e commented Feb 11, 2026

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@bert-e
Copy link
Contributor

bert-e commented Feb 11, 2026

Incorrect fix version

The Fix Version/s in issue CLDSRV-849 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 9.2.26

  • 9.3.2

Please check the Fix Version/s of CLDSRV-849, or the target
branch of this pull request.

@codecov
Copy link

codecov bot commented Feb 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.17%. Comparing base (81944ba) to head (9b836b8).
⚠️ Report is 3 commits behind head on development/9.2.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph
see 2 files with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.2    #6079      +/-   ##
===================================================
- Coverage            84.19%   84.17%   -0.03%     
===================================================
  Files                  204      204              
  Lines                13124    13124              
===================================================
- Hits                 11050    11047       -3     
- Misses                2074     2077       +3     
Flag Coverage Δ
file-ft-tests 67.62% <ø> (ø)
kmip-ft-tests 28.19% <ø> (ø)
mongo-v0-ft-tests 68.86% <ø> (ø)
mongo-v1-ft-tests 68.85% <ø> (-0.07%) ⬇️
multiple-backend 35.24% <ø> (ø)
sur-tests 35.75% <ø> (-0.04%) ⬇️
sur-tests-inflights 37.60% <ø> (ø)
unit 69.71% <ø> (ø)
utapi-v2-tests 34.50% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@leif-scality leif-scality force-pushed the bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header branch from eae4ba3 to a801a95 Compare February 11, 2026 15:35
@leif-scality leif-scality force-pushed the bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header branch from a801a95 to 5b20578 Compare February 12, 2026 13:04
@bert-e
Copy link
Contributor

bert-e commented Feb 12, 2026

Incorrect fix version

The Fix Version/s in issue CLDSRV-849 contains:

  • None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

  • 9.2.28

  • 9.3.3

Please check the Fix Version/s of CLDSRV-849, or the target
branch of this pull request.

const bucket = 'test-bucket';
const objectKey = 'test-file.txt';

describe('malformed Date header should not crash server:', () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should you have the same test with X-Amz-Date header as well ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A bad X-Amz-Date did not crash before, but I added a test anyways

Copy link
Contributor

@BourgoisMickael BourgoisMickael Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To prevent duplication, you could use an array to generate the same test for 2 different date headers

['Date', 'X-Amz-Date'].forEach(
  dateHeader => it(`should return ...${dateHeader}...`, done => {
    // ...
    headers: {
      [dateHeader]: 'BAD_DATE'
    }
  }
)

method: 'GET',
headers: {
'Date': 'BAD_DATE',
'Authorization': 'AWS4-HMAC-SHA256 Credential=accessKey1/20260211/us-east-1/s3/aws4_request, ' +
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the fixed date in the authorization is it going to work any other day ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We test the Date, before the Authorization so it does not matter

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also check the error string Authentication requires a valid Date or x-amz-date header, so it we fail for another reason we would find out

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can put that comment direct into code so we know when we read it next time

@leif-scality leif-scality force-pushed the bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header branch 2 times, most recently from af0269d to 286f7ed Compare February 13, 2026 13:58
@leif-scality leif-scality force-pushed the bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header branch from 286f7ed to 13eb2ce Compare February 16, 2026 14:36
@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

@leif-scality
Copy link
Contributor Author

/create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Conflict

A conflict has been raised during the creation of
integration branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header with contents from bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header
and development/9.3.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 git fetch
 git checkout -B w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header origin/development/9.3
 git merge origin/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header
 # <intense conflict resolution>
 git commit
 git push -u origin w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: create_integration_branches

@leif-scality
Copy link
Contributor Author

ping

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

The following options are set: create_integration_branches

@leif-scality
Copy link
Contributor Author

/approve

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Build failed

The build for commit did not succeed in branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: approve, create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Unknown command

I didn't understand this comment by @leif-scality:

/delete_integration_branches

I don't know what delete_integration_branches means.

Please edit or delete the corresponding comment so I can move on.

The following options are set: approve, create_integration_branches

@leif-scality
Copy link
Contributor Author

/help

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Build failed

The build for commit did not succeed in branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: approve, create_integration_branches

@leif-scality
Copy link
Contributor Author

/create_integration_branches

1 similar comment
@leif-scality
Copy link
Contributor Author

/create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Conflict

A conflict has been raised during the creation of
integration branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header with contents from bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header
and development/9.3.

I have not created the integration branch.

Here are the steps to resolve this conflict:

 git fetch
 git checkout -B w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header origin/development/9.3
 git merge origin/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header
 # <intense conflict resolution>
 git commit
 git push -u origin w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: approve, create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Build failed

The build for commit did not succeed in branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: approve, create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

Build failed

The build for commit did not succeed in branch w/9.3/bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header

The following options are set: approve, create_integration_branches

@bert-e
Copy link
Contributor

bert-e commented Feb 16, 2026

I have successfully merged the changeset of this pull request
into targetted development branches:

  • ✔️ development/9.2

  • ✔️ development/9.3

The following branches have NOT changed:

  • development/7.10
  • development/7.4
  • development/7.70
  • development/8.8
  • development/9.0
  • development/9.1

Please check the status of the associated issue CLDSRV-849.

Goodbye leif-scality.

The following options are set: approve, create_integration_branches

@bert-e bert-e merged commit 9b836b8 into development/9.2 Feb 16, 2026
50 of 51 checks passed
@bert-e bert-e deleted the bugfix/CLDSRV-849-dont-crash-if-invalid-Date-header branch February 16, 2026 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants