localstack · bentsku · Jan 23, 2025 · Jan 22, 2025 · Jan 22, 2025 · silv-io
diff --git a/localstack-core/localstack/services/s3/presigned_url.py b/localstack-core/localstack/services/s3/presigned_url.py
@@ -658,7 +658,11 @@ def _get_signed_headers_and_filtered_query_string(
                     # specially in the old JS SDK v2
                     headers.add(qs_param_low, qs_value)
                 else:
-                    query_args_to_headers[qs_param_low] = qs_value
+                    # The JS SDK is adding the `x-amz-checksum-crc32` header to query parameters, even though it cannot
+                    # know in advance the actual checksum. Those are ignored by AWS, if they're not put in the
+                    # SignedHeaders
+                    if not qs_param_low.startswith("x-amz-checksum-"):
+                        query_args_to_headers[qs_param_low] = qs_value
 
             new_query_args[qs_parameter] = qs_value
 

diff --git a/tests/aws/services/s3/test_s3.py b/tests/aws/services/s3/test_s3.py
@@ -7486,7 +7486,6 @@ def test_presigned_url_signature_authentication_multi_part(
         assert response.content == data
 
     @pytest.mark.skipif(condition=TEST_S3_IMAGE, reason="Lambda not enabled in S3 image")
-    @pytest.mark.skip(reason="flaky")
     @markers.aws.validated
     def test_presigned_url_v4_x_amz_in_qs(
         self,
@@ -7544,6 +7543,8 @@ def test_presigned_url_v4_x_amz_in_qs(
         # assert that the Javascript SDK hoists it in the URL, unlike Boto
         assert StorageClass.STANDARD in presigned_url
         assert "bar-complicated-no-random" in presigned_url
+        # the JS SDK also adds a default checksum now even for pre-signed URLs
+        assert "x-amz-checksum-crc32=AAAAAA%3D%3D" in presigned_url
 
         # missing Content-MD5
         response = requests.put(presigned_url, verify=False, data=b"123456")
@@ -7559,8 +7560,20 @@ def test_presigned_url_v4_x_amz_in_qs(
         )
         assert response.status_code == 200
 
+        # assert that the checksum-crc-32 value is still validated and important for the signature
+        bad_presigned_url = presigned_url.replace("crc32=AAAAAA%3D%3D", "crc32=BBBBBB%3D%3D")
+        response = requests.put(
+            bad_presigned_url,
+            data=b"123456",
+            verify=False,
+            headers={"Content-MD5": "4QrcOUm6Wau+VuBX8g+IPg=="},
+        )
+        assert response.status_code == 403
+
         # verify that we properly saved the data
-        head_object = aws_client.s3.head_object(Bucket=function_name, Key=object_key)
+        head_object = aws_client.s3.head_object(
+            Bucket=function_name, Key=object_key, ChecksumMode="ENABLED"
+        )
         snapshot.match("head-object", head_object)
 
     @pytest.mark.skipif(condition=TEST_S3_IMAGE, reason="Lambda not enabled in S3 image")

diff --git a/tests/aws/services/s3/test_s3.snapshot.json b/tests/aws/services/s3/test_s3.snapshot.json
@@ -11773,7 +11773,7 @@
     }
   },
   "tests/aws/services/s3/test_s3.py::TestS3PresignedUrl::test_presigned_url_v4_x_amz_in_qs": {
-    "recorded-date": "21-01-2025, 18:25:21",
+    "recorded-date": "22-01-2025, 18:21:12",
     "recorded-content": {
       "head-object": {
         "AcceptRanges": "bytes",

diff --git a/tests/aws/services/s3/test_s3.validation.json b/tests/aws/services/s3/test_s3.validation.json
@@ -708,7 +708,7 @@
     "last_validated_date": "2025-01-21T18:25:34+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3PresignedUrl::test_presigned_url_v4_x_amz_in_qs": {
-    "last_validated_date": "2025-01-21T18:25:21+00:00"
+    "last_validated_date": "2025-01-22T18:21:12+00:00"
   },
   "tests/aws/services/s3/test_s3.py::TestS3PresignedUrl::test_presigned_url_with_different_user_credentials": {
     "last_validated_date": "2025-01-21T18:23:55+00:00"