CLDSRV-932: validate x-amz-content-sha256 by leif-scality · Pull Request #6208 · scality/cloudserver

leif-scality · 2026-06-26T05:23:33Z

Reject a SigV4 request if the sha256 of the body does not match the x-amz-content-sha256 header

bert-e · 2026-06-26T05:23:37Z

Hello leif-scality,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
`/after_pull_request`	Wait for the given pull request id to be merged before continuing with the current one.
`/bypass_author_approval`	Bypass the pull request author's approval	⭐
`/bypass_build_status`	Bypass the build and test status	⭐
`/bypass_commit_size`	Bypass the check on the size of the changeset `TBA`	⭐
`/bypass_incompatible_branch`	Bypass the check on the source branch prefix	⭐
`/bypass_jira_check`	Bypass the Jira issue check	⭐
`/bypass_peer_approval`	Bypass the pull request peers' approval	⭐
`/bypass_leader_approval`	Bypass the pull request leaders' approval	⭐
`/approve`	Instruct Bert-E that the author has approved the pull request.		✍️
`/create_pull_requests`	Allow the creation of integration pull requests.
`/create_integration_branches`	Allow the creation of integration branches.
`/no_octopus`	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
`/unanimity`	Change review acceptance criteria from `one reviewer at least` to `all reviewers`
`/wait`	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
`/help`	Print Bert-E's manual in the pull request.
`/status`	Print Bert-E's current status in the pull request `TBA`
`/clear`	Remove all comments from Bert-E from the history `TBA`
`/retry`	Re-start a fresh build `TBA`
`/build`	Re-start a fresh build `TBA`
`/force_reset`	Delete integration branches & pull requests, and restart merge process from the beginning.
`/reset`	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

bert-e · 2026-06-26T05:23:43Z

Incorrect fix version

The Fix Version/s in issue CLDSRV-932 contains:

None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

9.4.0

Please check the Fix Version/s of CLDSRV-932, or the target
branch of this pull request.

claude · 2026-06-26T05:27:27Z

        "@opentelemetry/instrumentation-mongodb": "~0.69.0",
        "@smithy/node-http-handler": "^3.0.0",
-        "arsenal": "git+https://github.com/scality/arsenal#8.5.0",
+        "arsenal": "git+https://github.com/scality/arsenal#improvement/ARSN-602-add-XAmzContentSHA256Mismatch-error",


Arsenal is pinned to a branch (improvement/ARSN-602-add-XAmzContentSHA256Mismatch-error), not a tag. Git-based deps must pin to a release tag before merging.

codecov · 2026-06-26T05:36:21Z

Codecov Report

❌ Patch coverage is 96.93878% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.52%. Comparing base (13d5670) to head (28a36c3).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
lib/api/apiUtils/object/validatePayloadProtocol.js	83.33%	2 Missing ⚠️
lib/api/apiUtils/integrity/validateChecksums.js	97.50%	1 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/api/apiUtils/object/prepareStream.js	`100.00% <100.00%> (ø)`
lib/api/apiUtils/object/storeObject.js	`97.29% <100.00%> (+0.32%)`	⬆️
lib/api/objectPut.js	`94.35% <100.00%> (ø)`
lib/api/objectPutPart.js	`88.83% <100.00%> (+0.48%)`	⬆️
lib/auth/streamingV4/ContentSHA256Transform.js	`100.00% <100.00%> (ø)`
lib/api/apiUtils/integrity/validateChecksums.js	`98.66% <97.50%> (-0.18%)`	⬇️
lib/api/apiUtils/object/validatePayloadProtocol.js	`83.33% <83.33%> (ø)`

... and 1 file with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.4    #6208      +/-   ##
===================================================
+ Coverage            85.51%   85.52%   +0.01%     
===================================================
  Files                  210      211       +1     
  Lines                14239    14312      +73     
===================================================
+ Hits                 12177    12241      +64     
- Misses                2062     2071       +9

Flag	Coverage Δ
file-ft-tests	`69.27% <88.77%> (+0.09%)`	⬆️
kmip-ft-tests	`28.11% <64.28%> (+0.18%)`	⬆️
mongo-v0-ft-tests	`70.40% <88.77%> (+0.08%)`	⬆️
mongo-v1-ft-tests	`70.39% <88.77%> (+0.01%)`	⬆️
multiple-backend	`36.19% <64.28%> (+0.14%)`	⬆️
sur-tests	`35.10% <66.32%> (+0.12%)`	⬆️
sur-tests-inflights	`37.87% <66.32%> (+0.10%)`	⬆️
unit	`72.78% <94.89%> (+0.11%)`	⬆️
utapi-v2-tests	`35.34% <67.34%> (+0.14%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…ject, UploadPart)

leif-scality changed the title ~~CLDSRV-932: validate x-amz content sha256~~ CLDSRV-932: validate x-amz-content-sha256 Jun 26, 2026

github-advanced-security AI found potential problems Jun 26, 2026

View reviewed changes

Comment thread lib/auth/streamingV4/ContentSHA256Transform.js Dismissed

Comment thread lib/auth/streamingV4/ContentSHA256Transform.js Dismissed