ARSN-560: add ISO8601 check in extractQueryParams

Author: leif-scality

lib/auth/v4/validateInputs.ts

@@ -1,5 +1,6 @@
 import type { RequestLogger } from 'werelogs';
 import errors, { ArsenalError } from '../../../lib/errors';
+import { isValidISO8601Compact } from './timeUtils';
 import { type ArsenalRequestHeaders } from '../../types/ArsenalRequest';
 
 /**
@@ -103,7 +104,7 @@ export function extractQueryParams(
     }
 
     const timestamp = queryObj['X-Amz-Date'];
-    if (timestamp && timestamp.length === 16) {
+    if (timestamp && isValidISO8601Compact(timestamp)) {
         authParams.timestamp = timestamp;
     } else {
         log.warn('missing or invalid timestamp',

tests/unit/auth/v4/queryAuthCheck.spec.js

@@ -157,6 +157,16 @@ describe('v4 queryAuthCheck', () => {
         done();
     });
 
+    it('should return error if X-Amz-Date param is before epoch time', done => {
+        const alteredRequest = createAlteredRequest({
+            'X-Amz-Date': '19500707T215304Z',
+            'X-Amz-Credential': 'accessKey1/19500707/us-east-1/s3/aws4_request',
+        }, 'query', request, query);
+        const res = queryAuthCheck(alteredRequest, log, alteredRequest.query);
+        assert.deepStrictEqual(res.err, errors.InvalidArgument);
+        done();
+    });
+
     it('should return error if X-Amz-Date param is in the future', done => {
         // 2095 instead of 2016
         const alteredRequest = createAlteredRequest({