Mirror/MarginaliaSearch
1
0
Fork 0
mirror of https://github.com/MarginaliaSearch/MarginaliaSearch.git synced 2025-02-24 05:18:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Better request context

Browse Source
This commit is contained in:
Viktor Lofgren 2023-03-04 19:07:47 +01:00
parent 6b10413efe
commit 83c32dc1a6
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
common/service-client/src/main/java/nu/marginalia/client/Context.java
View File

@ -48,12 +48,12 @@ public class Context {
private static String anonymizeContext(Request request) { private static String anonymizeContext(Request request) {
String header = request.headers(CONTEXT_HEADER); String header = request.headers(CONTEXT_HEADER);
if (header != null && header.contains("-")) { if (header != null && header.contains("-") && !header.startsWith("#")) {
// The public X-Context header contains info that traces to the // The public X-Context header contains info that traces to the
// external user's IP. Anonymize this by running it through a // external user's IP. Anonymize this by running it through a
// hash code blender with rotating salt // hash code blender with rotating salt
return ContextScrambler.anonymize(header); return ContextScrambler.anonymize(header, request);
} }
else if (header != null) { else if (header != null) {
return header; return header;

8
common/service-client/src/main/java/nu/marginalia/client/ContextScrambler.java
View File

@ -3,6 +3,7 @@ package nu.marginalia.client;
import com.google.common.hash.HashFunction; import com.google.common.hash.HashFunction;
import com.google.common.hash.Hashing; import com.google.common.hash.Hashing;
import io.reactivex.rxjava3.schedulers.Schedulers; import io.reactivex.rxjava3.schedulers.Schedulers;
import spark.Request;
import java.util.Arrays; import java.util.Arrays;
import java.util.Objects; import java.util.Objects;
@ -31,7 +32,7 @@ public class ContextScrambler {
* This is probably not cryptographically secure, but should at least * This is probably not cryptographically secure, but should at least
* be fairly annoying to reverse-engineer. * be fairly annoying to reverse-engineer.
*/ */
public static String anonymize(String connectionInfo) { public static String anonymize(String connectionInfo, Request request) {
byte[] hashData = Arrays.copyOf(seed, seed.length+4); byte[] hashData = Arrays.copyOf(seed, seed.length+4);
int hashi = Objects.hash(connectionInfo.split("-", 2)[0]); int hashi = Objects.hash(connectionInfo.split("-", 2)[0]);
@ -42,7 +43,10 @@ public class ContextScrambler {
hashData[seed.length+3] = (byte)(hashi>>>24 & 0xFF); hashData[seed.length+3] = (byte)(hashi>>>24 & 0xFF);
} }
return String.format("#%x:%x", hf.hashBytes(hashData).asInt(), System.nanoTime() & 0xFFFFFFFFL); final int connHash = hf.hashBytes(hashData).asInt();
final int requestHash = Objects.hash(request.url(), request.queryString());
return String.format("#%08x:%08x", connHash, requestHash);
} }
/** Generate a humongous salt with as many moving parts as possible, /** Generate a humongous salt with as many moving parts as possible,