From 4a29047fd27b2d387f14662c96a6a1f67ec1d8cb Mon Sep 17 00:00:00 2001
From: StekPerepolnen
Date: Thu, 31 Oct 2024 15:49:54 +0000
Subject: [PATCH 1/3] return cookie names
---
 ydb/library/actors/http/http.h | 77 ++++++++++++++++++++++++---------
 ydb/library/actors/http/ya.make | 1 +
 2 files changed, 57 insertions(+), 21 deletions(-)
diff --git a/ydb/library/actors/http/http.h b/ydb/library/actors/http/http.h
index d499c7788fba..e5a0aed0ba4c 100644
--- a/ydb/library/actors/http/http.h
+++ b/ydb/library/actors/http/http.h
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include "http_config.h" // TODO(xenoxeno): hide in implementation
@@ -208,40 +209,74 @@ class THttpBase : public HeaderType, public BufferType {
 public:
 TString GetObfuscatedData() const {
 THeaders headers(HeaderType::Headers);
- TStringBuf authorization(headers["Authorization"]);
- TStringBuf cookie(headers["Cookie"]);
- TStringBuf set_cookie(headers["Set-Cookie"]);
- TStringBuf x_ydb_auth_ticket(headers["x-ydb-auth-ticket"]);
- TStringBuf x_yacloud_subjecttoken(headers["x-yacloud-subjecttoken"]);
+ TStringBuf authorizationHeader(headers["Authorization"]);
+ TStringBuf cookieHeader(headers["Cookie"]);
+ TStringBuf setCookieHeader(headers["Set-Cookie"]);
+ TStringBuf xYdbAuthTicketHeader(headers["x-ydb-auth-ticket"]);
+ TStringBuf xYacloudSubjecttokenHeader(headers["x-yacloud-subjecttoken"]);
 TString data(GetRawData());
- if (!authorization.empty()) {
- auto pos = data.find(authorization);
+ if (!authorizationHeader.empty()) {
+ auto pos = data.find(authorizationHeader);
 if (pos != TString::npos) {
- data.replace(pos, authorization.size(), TString(""));
+ data.replace(pos, authorizationHeader.size(), TString(""));
 }
 }
- if (!cookie.empty()) {
- auto pos = data.find(cookie);
+ if (!cookieHeader.empty()) {
+ Cerr << "iiii cookieHeader: " << cookieHeader << Endl;
+ TString obfuscated = TString(cookieHeader);
+ NHttp::TCookies cookies(headers.Get("Cookie"));
+ for (auto& [name, value] : cookies.Cookies) {
+ Cerr << "i old value: " << value << Endl;
+ TString obfuscatedValue = NKikimr::MaskTicket(value);
+ auto posValue = obfuscated.find(value);
+ if (posValue != TString::npos) {
+ Cerr << "i found!" << Endl;
+ obfuscated.replace(posValue, value.size(), obfuscatedValue);
+ }
+ Cerr << "i new value: " << value << Endl;
+ }
+ Cerr << "iiii obfuscated: " << obfuscated << Endl;
+ auto pos = data.find(cookieHeader);
 if (pos != TString::npos) {
- data.replace(pos, cookie.size(), TString(""));
+ data.replace(pos, cookieHeader.size(), obfuscated);
 }
 }
- if (!set_cookie.empty()) {
- auto pos = data.find(set_cookie);
- if (pos != TString::npos) {
- data.replace(pos, set_cookie.size(), TString(""));
+ if (!setCookieHeader.empty()) {
+ Cerr << "iiii setCookieHeader: " << setCookieHeader << Endl;
+ TStringBuf setCookieParser(setCookieHeader);
+ TStringBuf name = setCookieParser.NextTok('=');
+ TStringBuf value = setCookieParser.NextTok(';');
+ Cerr << "iiii name: " << name << Endl;
+ if (!name.empty()) {
+ TString obfuscatedValue = NKikimr::MaskTicket(value);
+ TString obfuscated = TString(setCookieHeader);
+ Cerr << "i old header: " << obfuscated << Endl;
+ Cerr << "i old value: " << value << Endl;
+ Cerr << "i new value: " << obfuscatedValue << Endl;
+ auto posValue = obfuscated.find(value);
+ if (posValue != TString::npos) {
+ Cerr << "i found!" << Endl;
+ obfuscated.replace(posValue, value.size(), obfuscatedValue);
+ Cerr << "i new header: " << obfuscated << Endl;
+ }
+ Cerr << "iiii obfuscated: " << obfuscated << Endl;
+ auto pos = data.find(setCookieHeader);
+ if (pos != TString::npos) {
+ Cerr << "iiii found!" << Endl;
+ data.replace(pos, setCookieHeader.size(), obfuscated);
+ }
 }
 }
- if (!x_ydb_auth_ticket.empty()) {
- auto pos = data.find(x_ydb_auth_ticket);
+ if (!xYdbAuthTicketHeader.empty()) {
+ auto pos = data.find(xYdbAuthTicketHeader);
 if (pos != TString::npos) {
- data.replace(pos, x_ydb_auth_ticket.size(), TString(""));
+ data.replace(pos, xYdbAuthTicketHeader.size(), TString(""));
 }
 }
- if (!x_yacloud_subjecttoken.empty()) {
- auto pos = data.find(x_yacloud_subjecttoken);
+ if (!xYacloudSubjecttokenHeader.empty()) {
+ auto pos = data.find(xYacloudSubjecttokenHeader);
 if (pos != TString::npos) {
- data.replace(pos, x_yacloud_subjecttoken.size(), TString(""));
+ data.replace(pos, xYacloudSubjecttokenHeader.size(), TString(""));
 }
 }
 return data;
diff --git a/ydb/library/actors/http/ya.make b/ydb/library/actors/http/ya.make
index bd1bbd7ebe5c..5943cad80116 100644
--- a/ydb/library/actors/http/ya.make
+++ b/ydb/library/actors/http/ya.make
@@ -24,6 +24,7 @@ PEERDIR(
 contrib/libs/zlib
 ydb/library/actors/core
 ydb/library/actors/interconnect
+ ydb/library/security
 library/cpp/dns
 library/cpp/monlib/metrics
 library/cpp/string_utils/quote
From c7e7b32a5d700cc6d840d1404115dcbcb41d2b85 Mon Sep 17 00:00:00 2001
From: StekPerepolnen
Date: Fri, 1 Nov 2024 15:51:55 +0000
Subject: [PATCH 2/3] remove logs
---
 ydb/library/actors/http/http.h | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/ydb/library/actors/http/http.h b/ydb/library/actors/http/http.h
index e5a0aed0ba4c..dd8a840d76a8 100644
--- a/ydb/library/actors/http/http.h
+++ b/ydb/library/actors/http/http.h
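Review bot: The `Cerr <<` lines added to the Cookie and Set-Cookie branches of GetObfuscatedData in patch 1/3 print the unmasked header and every cookie value to stderr (for example `Cerr << "i old value: " << value << Endl;`), so a build of this commit writes out exactly the secrets the function is meant to hide. Patch 2/3 deletes them, which only helps if the series is squashed before merge; otherwise drop the debug output from this commit. The closing brace of GetObfuscatedData is outside the hunk.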
@@ -222,47 +222,33 @@ class THttpBase : public HeaderType, public BufferType {
 }
 }
 if (!cookieHeader.empty()) {
- Cerr << "iiii cookieHeader: " << cookieHeader << Endl;
 TString obfuscated = TString(cookieHeader);
 NHttp::TCookies cookies(headers.Get("Cookie"));
 for (auto& [name, value] : cookies.Cookies) {
- Cerr << "i old value: " << value << Endl;
 TString obfuscatedValue = NKikimr::MaskTicket(value);
 auto posValue = obfuscated.find(value);
 if (posValue != TString::npos) {
- Cerr << "i found!" << Endl;
 obfuscated.replace(posValue, value.size(), obfuscatedValue);
 }
- Cerr << "i new value: " << value << Endl;
 }
- Cerr << "iiii obfuscated: " << obfuscated << Endl;
 auto pos = data.find(cookieHeader);
 if (pos != TString::npos) {
 data.replace(pos, cookieHeader.size(), obfuscated);
 }
 }
 if (!setCookieHeader.empty()) {
- Cerr << "iiii setCookieHeader: " << setCookieHeader << Endl;
 TStringBuf setCookieParser(setCookieHeader);
 TStringBuf name = setCookieParser.NextTok('=');
 TStringBuf value = setCookieParser.NextTok(';');
- Cerr << "iiii name: " << name << Endl;
 if (!name.empty()) {
 TString obfuscatedValue = NKikimr::MaskTicket(value);
 TString obfuscated = TString(setCookieHeader);
- Cerr << "i old header: " << obfuscated << Endl;
- Cerr << "i old value: " << value << Endl;
- Cerr << "i new value: " << obfuscatedValue << Endl;
 auto posValue = obfuscated.find(value);
 if (posValue != TString::npos) {
- Cerr << "i found!" << Endl;
 obfuscated.replace(posValue, value.size(), obfuscatedValue);
- Cerr << "i new header: " << obfuscated << Endl;
 }
- Cerr << "iiii obfuscated: " << obfuscated << Endl;
 auto pos = data.find(setCookieHeader);
 if (pos != TString::npos) {
- Cerr << "iiii found!" << Endl;
 data.replace(pos, setCookieHeader.size(), obfuscated);
 }
 }
From e6ba78fefc959366143081332cf3097f902a18fb Mon Sep 17 00:00:00 2001
From: StekPerepolnen
Date: Fri, 1 Nov 2024 16:43:28 +0000
Subject: [PATCH 3/3] changed to StringBuilder
---
 ydb/library/actors/http/http.h | 29 +++++++++++++----------------
 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/ydb/library/actors/http/http.h b/ydb/library/actors/http/http.h
index dd8a840d76a8..ea8f91f5214f 100644
--- a/ydb/library/actors/http/http.h
+++ b/ydb/library/actors/http/http.h
@@ -222,14 +222,15 @@ class THttpBase : public HeaderType, public BufferType {
 }
 }
 if (!cookieHeader.empty()) {
- TString obfuscated = TString(cookieHeader);
- NHttp::TCookies cookies(headers.Get("Cookie"));
- for (auto& [name, value] : cookies.Cookies) {
- TString obfuscatedValue = NKikimr::MaskTicket(value);
- auto posValue = obfuscated.find(value);
- if (posValue != TString::npos) {
- obfuscated.replace(posValue, value.size(), obfuscatedValue);
+ TStringBuf cookieParser(cookieHeader);
+ TStringBuilder obfuscated;
+ for (TStringBuf param = cookieParser.NextTok(';'); !param.empty(); param = cookieParser.NextTok(';')) {
+ param.SkipPrefix(" ");
+ TStringBuf name = param.NextTok('=');
+ if (!obfuscated.empty()) {
+ obfuscated << ' ';
 }
+ obfuscated << name << '=' << NKikimr::MaskTicket(param) << ';';
 }
 auto pos = data.find(cookieHeader);
 if (pos != TString::npos) {
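Review bot: A cookie token that contains no `=` looks to be written out unmasked by the new loop: `param.NextTok('=')` then appears to hand back the whole token as `name` and leave `param` empty, so the token itself is emitted in clear ahead of the mask. Decide whether the separator is present before taking the name, e.g. `const bool hasName = param.find('=') != TStringBuf::npos;` and `TStringBuf name = hasName ? param.NextTok('=') : TStringBuf();`, so that a name-less token goes through `NKikimr::MaskTicket(param)` as a value. The loop condition `!param.empty()` also stops at the first empty token, so a header such as `a=1;; b=2` loses everything after the `;;` from the obfuscated output (dropped, not leaked). The hunk ends inside the `if (pos != TString::npos)` block, and GetObfuscatedData starts and ends outside it.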
@@ -237,16 +238,12 @@ class THttpBase : public HeaderType, public BufferType {
 }
 }
 if (!setCookieHeader.empty()) {
- TStringBuf setCookieParser(setCookieHeader);
- TStringBuf name = setCookieParser.NextTok('=');
- TStringBuf value = setCookieParser.NextTok(';');
+ TStringBuf cookieParser(setCookieHeader);
+ TStringBuf name = cookieParser.NextTok('=');
+ TStringBuf value = cookieParser.NextTok(';');
 if (!name.empty()) {
- TString obfuscatedValue = NKikimr::MaskTicket(value);
- TString obfuscated = TString(setCookieHeader);
- auto posValue = obfuscated.find(value);
- if (posValue != TString::npos) {
- obfuscated.replace(posValue, value.size(), obfuscatedValue);
- }
+ TStringBuilder obfuscated;
+ obfuscated << name << '=' << NKikimr::MaskTicket(value) << ';' << cookieParser;
 auto pos = data.find(setCookieHeader);
 if (pos != TString::npos) {
 data.replace(pos, setCookieHeader.size(), obfuscated);
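Review bot: The Set-Cookie branch masks at most one header value, and nothing in the code says so: `headers["Set-Cookie"]` yields a single `TStringBuf` and `data.find(setCookieHeader)` rewrites only its first occurrence in the raw data. A response carrying several Set-Cookie lines would presumably keep the others unmasked in the returned string; how THeaders stores repeated names is not visible here and should be confirmed. Until that is handled, document the limit above the branch, for example `// NOTE: only the Set-Cookie value returned by headers[] is masked; repeated Set-Cookie lines are not covered`. The hunk ends inside the `if (pos != TString::npos)` block, and the enclosing function starts and ends outside it.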