Merge pull request #1005 from DataDog/xgouchet/RUMM-2377/sanitize_upl…

…oad_headers RUMM-2377 Add checks on intake request headers
DataDog · Aug 16, 2022 · 694b4b8 · 694b4b8
2 parents dccfa8a + ecb6433
commit 694b4b8
Show file tree

Hide file tree

Showing 6 changed files with 224 additions and 47 deletions.
diff --git a/dd-sdk-android/src/main/kotlin/com/datadog/android/core/internal/net/DataOkHttpUploaderV2.kt b/dd-sdk-android/src/main/kotlin/com/datadog/android/core/internal/net/DataOkHttpUploaderV2.kt
@@ -17,9 +17,9 @@ import okhttp3.RequestBody
 
 internal abstract class DataOkHttpUploaderV2(
     internal var intakeUrl: String,
-    internal val clientToken: String,
-    internal val source: String,
-    internal val sdkVersion: String,
+    rawClientToken: String,
+    rawSource: String,
+    rawSdkVersion: String,
     internal val callFactory: Call.Factory,
     internal val contentType: String,
     internal val androidInfoProvider: AndroidInfoProvider,
@@ -34,17 +34,18 @@ internal abstract class DataOkHttpUploaderV2(
 
     private val uploaderName = javaClass.simpleName
 
+    internal val clientToken = if (isValidHeaderValue(rawClientToken)) rawClientToken else ""
+    internal val source: String = sanitizeHeaderValue(rawSource)
+    internal val sdkVersion: String = sanitizeHeaderValue(rawSdkVersion)
+
     private val userAgent by lazy {
-        System.getProperty(SYSTEM_UA).let {
-            if (it.isNullOrBlank()) {
-                "Datadog/$sdkVersion " +
+        sanitizeHeaderValue(System.getProperty(SYSTEM_UA))
+            .ifBlank {
+                "Datadog/${sanitizeHeaderValue(sdkVersion)} " +
                     "(Linux; U; Android ${androidInfoProvider.osVersion}; " +
                     "${androidInfoProvider.deviceModel} " +
                     "Build/${androidInfoProvider.deviceBuildId})"
-            } else {
-                it
             }
-        }
     }
 
     // region DataUploader
@@ -88,6 +89,9 @@ internal abstract class DataOkHttpUploaderV2(
         data: ByteArray,
         requestId: String
     ): UploadStatus {
+        if (clientToken.isBlank()) {
+            return UploadStatus.INVALID_TOKEN_ERROR
+        }
         val request = buildRequest(data, requestId)
         val call = callFactory.newCall(request)
         val response = call.execute()
@@ -143,6 +147,20 @@ internal abstract class DataOkHttpUploaderV2(
         }
     }
 
+    private fun sanitizeHeaderValue(value: String?): String {
+        return value?.filter { isValidHeaderValueChar(it) }.orEmpty()
+    }
+
+    private fun isValidHeaderValue(value: String): Boolean {
+        return value.all { isValidHeaderValueChar(it) }
+    }
+
+    private fun isValidHeaderValueChar(c: Char): Boolean {
+        return c == '\t' || c in '\u0020' until '\u007F'
+    }
+
+    // endregion
+
     companion object {
 
         const val SYSTEM_UA = "http.agent"