Skip to content

fix: broken Content-MD5 header for S3 upload#527

Merged
mwbrooks merged 2 commits intomainfrom
mwbrooks-snyk-fix-s3-md5
May 7, 2026
Merged

fix: broken Content-MD5 header for S3 upload#527
mwbrooks merged 2 commits intomainfrom
mwbrooks-snyk-fix-s3-md5

Conversation

@mwbrooks
Copy link
Copy Markdown
Member

@mwbrooks mwbrooks commented May 7, 2026
edited
Loading

Changelog

Fix the S3 Content-MD5 header when deploy a Deno app to Slack.

Summary

This pull request removes the MD5 hash computation and Content-MD5 header from S3 presigned POST uploads.

  • Flagged by Snyk as [LOW] Use of Password Hash With Insufficient Computational Effort for using crypto/md5 in internal/api/s3_upload.go.
  • The hash was also bugged - it was always 0 bytes and produced an empty content digest (1B2M2Y8AsgTpgAmY7PhCfg==) because it was hashed over an already-exhausted io.Reader.
  • Content-MD5 is optional for S3 presigned POST uploads since integrity is enforced by the signed policy.
  • The tests were testing for a 0 byte empty content hash (1B2M2Y8AsgTpgAmY7PhCfg==) 🤷🏻

Preview

N/A

Testing

# Create Deno app
$ slack create my-app
# -> Select Automation App -> Deno SDK

$ cd my-app/

# Deploy the app
$ slack deploy

# Test the app
# -> Copy & paste trigger in Slack

# Clean up
$ slack delete -f
$ cd ../
$ rm -rf my-app/

Requirements

@mwbrooks
fix: remove broken MD5 Content-MD5 header from S3 upload
af9b7ca 
The MD5 hash was computed over an already-exhausted file reader,
always producing a hash of empty content. Since Content-MD5 is
optional for S3 presigned POST uploads and the signed policy
already enforces integrity, remove it entirely.
@codecov
Copy link
Copy Markdown

codecov Bot commented May 7, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.30%. Comparing base (1e9c53e) to head (e4ca14d).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #527   +/-   ##
=======================================
  Coverage   71.29%   71.30%           
=======================================
  Files         222      222           
  Lines       18682    18677    -5     
=======================================
- Hits        13320    13318    -2     
+ Misses       4185     4184    -1     
+ Partials     1177     1175    -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@mwbrooks mwbrooks changed the title fix: remove broken MD5 Content-MD5 header from S3 upload fix: MD5 Content-MD5 header for S3 upload May 7, 2026
@mwbrooks mwbrooks changed the title fix: MD5 Content-MD5 header for S3 upload fix: Content-MD5 header for S3 upload May 7, 2026
@mwbrooks mwbrooks changed the title fix: Content-MD5 header for S3 upload fix: broken Content-MD5 header for S3 upload May 7, 2026
@mwbrooks mwbrooks self-assigned this May 7, 2026
@mwbrooks mwbrooks added bug M-T: confirmed bug report. Issues are confirmed when the reproduction steps are documented changelog Use on updates to be included in the release notes security Use on pull requests related to security semver:patch Use on pull requests to describe the release version increment labels May 7, 2026
@mwbrooks mwbrooks added this to the Next Release milestone May 7, 2026
@mwbrooks mwbrooks marked this pull request as ready for review May 7, 2026 22:43
@mwbrooks mwbrooks requested a review from a team as a code owner May 7, 2026 22:43
zimeg
zimeg approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@zimeg zimeg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mwbrooks Amazing find! I'm glad we have tools that help us improve code health since this is not obvious to me otherwise 📸

@mwbrooks mwbrooks enabled auto-merge (squash) May 7, 2026 23:00
@mwbrooks
Copy link
Copy Markdown
Member Author

mwbrooks commented May 7, 2026

Thanks for the super quick review @zimeg!

@mwbrooks mwbrooks merged commit 178670f into main May 7, 2026
8 checks passed
@mwbrooks mwbrooks deleted the mwbrooks-snyk-fix-s3-md5 branch May 7, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zimeg zimeg zimeg approved these changes

Assignees

@mwbrooks mwbrooks

Labels

bug M-T: confirmed bug report. Issues are confirmed when the reproduction steps are documented changelog Use on updates to be included in the release notes security Use on pull requests related to security semver:patch Use on pull requests to describe the release version increment

Projects

None yet

Milestone

Next Release

Development

Successfully merging this pull request may close these issues.

2 participants

@mwbrooks @zimeg