26697336554
89%

Ran 30 May 2026 11:07PM UTC

Jobs 5

Files 103

Run time 1min

Badge

Embed ▾

Committed 30 May 2026 11:05PM UTC coverage: 88.919% (+0.02%) from 88.901%

Build # 26697336554

Build Type

push

github

Committed by

marcelometal

Commit Message

fix(security): strip URL hash from prefix only to prevent signature bypass

The hash was removed from the URL before HMAC validation using
str.replace(), which replaces all occurrences. An attacker could inject
the valid hash at arbitrary positions in the image path so that both
occurrences were stripped, reconstructing the original signed URL while
the actual request pointed at a different host or path. Replace the
replace() chain with a startswith() prefix strip so the hash is only
removed from the one position where it is legitimately expected. Add two
regression tests covering the plain-hash and URL-encoded-hash injection
variants.

Coverage Stats

8 of 8 new or added lines in 1 file covered. (100.0%)

3940 of 4431 relevant lines covered (88.92%)

4.45 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	run-3.13 - 26697336554.1	30 May 2026 11:07PM UTC	103	88.92	GitHub Action Run
2	run-3.14 - 26697336554.2	30 May 2026 11:07PM UTC	103	88.92	GitHub Action Run
3	run-3.12 - 26697336554.3	30 May 2026 11:07PM UTC	103	88.92	GitHub Action Run
4	run-3.11 - 26697336554.4	30 May 2026 11:08PM UTC	103	88.92	GitHub Action Run
5	run-3.10 - 26697336554.5	30 May 2026 11:07PM UTC	103	88.92	GitHub Action Run

thumbor / thumbor / 26697336554
89%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26697336554

thumbor / thumbor / 26697336554 89%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26697336554

thumbor / thumbor / 26697336554
89%

README BADGES
x