161sh/CatgirlIntelligenceAgency
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Better request context

Browse Source
This commit is contained in:
Viktor Lofgren 2023-03-04 19:07:47 +01:00
parent 6b10413efe
commit 83c32dc1a6
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
common/service-client/src/main/java/nu/marginalia/client/Context.java
View File

@ -48,12 +48,12 @@ public class Context {
private static String anonymizeContext(Request request) {
String header = request.headers(CONTEXT_HEADER);
if (header != null && header.contains("-")) {
if (header != null && header.contains("-") && !header.startsWith("#")) {
// The public X-Context header contains info that traces to the
// external user's IP. Anonymize this by running it through a
// hash code blender with rotating salt
return ContextScrambler.anonymize(header);
return ContextScrambler.anonymize(header, request);
}
else if (header != null) {
return header;

8
common/service-client/src/main/java/nu/marginalia/client/ContextScrambler.java
View File

@ -3,6 +3,7 @@ package nu.marginalia.client;
import com.google.common.hash.HashFunction;
import com.google.common.hash.Hashing;
import io.reactivex.rxjava3.schedulers.Schedulers;
import spark.Request;
import java.util.Arrays;
import java.util.Objects;
@ -31,7 +32,7 @@ public class ContextScrambler {
* This is probably not cryptographically secure, but should at least
* be fairly annoying to reverse-engineer.
*/
public static String anonymize(String connectionInfo) {
public static String anonymize(String connectionInfo, Request request) {
byte[] hashData = Arrays.copyOf(seed, seed.length+4);
int hashi = Objects.hash(connectionInfo.split("-", 2)[0]);
@ -42,7 +43,10 @@ public class ContextScrambler {
hashData[seed.length+3] = (byte)(hashi>>>24 & 0xFF);
}
return String.format("#%x:%x", hf.hashBytes(hashData).asInt(), System.nanoTime() & 0xFFFFFFFFL);
final int connHash = hf.hashBytes(hashData).asInt();
final int requestHash = Objects.hash(request.url(), request.queryString());
return String.format("#%08x:%08x", connHash, requestHash);
}
/** Generate a humongous salt with as many moving parts as possible,