RUMM-2377 Add checks on intake request headers #1005

Merged
merged 1 commit into from Aug 16, 2022

@xgouchet xgouchet commented Aug 3, 2022

What does this PR do?

Sanitize our intake request headers to be compliant with the HTTP specification

Motivation

Before OkHttp version 4.9.2 (cf okhttp#6551), if a header value contains illegal characters (any non ASCII or Control character), the header would be printed as is in the logcat. This could potentially leak secrets (especially our customer's client token).

This is not a critical issue since:

  • Client Tokens are generated by us and all match /pub[0-9a-f]+/, so they never have any invalid characters
  • Only the invalid header is printed to the logcat, so even if another header was invalid, it would not print the client token

Additional Notes

We are still sanitizing every header that might contain a value that we do not control.

  • if the client token would lead to an error, we simply don't submit the request
  • for other headers, we remove the illegal characters. It might lead to unexpected value but most of the data would still be there.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Make sure you discussed the feature or bugfix with the maintaining team in an Issue
  • Make sure each commit and the PR mention the Issue number (cf the CONTRIBUTING doc)

@xgouchet xgouchet requested a review from a team as a code owner August 3, 2022 12:40
@xgouchet xgouchet requested a review from aparzio August 3, 2022 12:41
@xgouchet xgouchet added the size-small This PR is small sized label Aug 3, 2022
"Datadog/$sdkVersion " +
sanitizeHeaderValue(System.getProperty(SYSTEM_UA))
.ifBlank {
"Datadog/${sanitizeHeaderValue(sdkVersion)} " +
Collaborator

not even sure if the sdkVersion should be sanitized at all

Collaborator Author

The sdkVersion will possibly be updatable from cross-platform SDKs, meaning it will be using public APIs. So in theory, it could have an invalid character, yes.

codecov-commenter commented Aug 4, 2022

Codecov Report

Merging #1005 (ecb6433) into develop (72beeb9) will increase coverage by 0.03%.
The diff coverage is 81.82%.

@@             Coverage Diff             @@
##           develop    #1005      +/-   ##
===========================================
+ Coverage    83.19%   83.22%   +0.03%     
===========================================
  Files          270      270              
  Lines         9209     9212       +3     
  Branches      1463     1468       +5     
===========================================
+ Hits          7661     7666       +5     
+ Misses        1137     1134       -3     
- Partials       411      412       +1     
Impacted Files Coverage Δ
.../android/core/internal/net/DataOkHttpUploaderV2.kt 97.62% <81.82%> (-1.15%) ⬇️
.../android/rum/internal/monitor/DatadogRumMonitor.kt 92.86% <0.00%> (-0.60%) ⬇️
...rc/main/java/com/datadog/opentracing/DDTracer.java 56.07% <0.00%> (+0.42%) ⬆️
...android/rum/internal/ndk/DatadogNdkCrashHandler.kt 87.57% <0.00%> (+0.54%) ⬆️
...ndroid/core/internal/persistence/file/EventMeta.kt 90.00% <0.00%> (+10.00%) ⬆️

@aparzio aparzio left a comment

I got a couple of questions.

}

private fun isValidHeaderValueChar(c: Char): Boolean {
return c == '\t' || c in '\u0020'..'\u007F'
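
Review bot: The range '\u0020'..'\u007F' in isValidHeaderValueChar includes U+007F (DEL), which is a control character and so falls under the illegal characters the PR description sets out to remove; a value containing DEL would pass this check unchanged. Suggest ending the range at '\u007E' and adding a unit test that covers the boundary values 0x1F, 0x20, 0x7E and 0x7F as well as '\t'.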

A couple of questions:

  1. Isn't 7F a control char? Shouldn't it be excluded?
  2. Are you sure that \t doesn't trigger the vuln?

Collaborator Author

\t indeed is a valid character (all ASCII whitespace chars are allowed: ' ', \n and \t). But you're right, 0x7f should be excluded.
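
The two policies from the PR description (skip the request when the client token is not a legal header value, strip illegal characters from the other headers), with the upper bound set to 0x7E as agreed in the thread above. This is an added Kotlin example, not code from the PR or the SDK; `buildIntakeHeaders`, the `X-Example-Client-Token` header name and all sample values are hypothetical.

```kotlin
// Added example, not the SDK's code: the two header policies from this PR.

// Tab and printable ASCII only; DEL (0x7F) is excluded, as agreed in review.
fun isValidHeaderValueChar(c: Char): Boolean =
    c == '\t' || c in '\u0020'..'\u007E'

// Headers we do not control: strip illegal characters, keep the rest.
fun sanitizeHeaderValue(value: String?): String =
    value.orEmpty().filter { isValidHeaderValueChar(it) }

// Hypothetical helper. Returns null when the client token is not a legal
// header value, so the caller skips the upload instead of sending (and
// possibly logging) a malformed secret. The token is never rewritten.
fun buildIntakeHeaders(
    clientToken: String,
    systemUserAgent: String?,
    sdkVersion: String
): Map<String, String>? {
    if (clientToken.isEmpty() || !clientToken.all { isValidHeaderValueChar(it) }) {
        return null
    }
    val userAgent = sanitizeHeaderValue(systemUserAgent)
        .ifBlank { "Datadog/${sanitizeHeaderValue(sdkVersion)}" }
    return mapOf(
        "X-Example-Client-Token" to clientToken, // placeholder header name
        "User-Agent" to userAgent
    )
}

fun main() {
    // Constructed inputs: NBSP (U+00A0) and DEL (U+007F) inside a user agent.
    val ua = "Dalvik/2.1.0 (Linux; U; Android 12;\u00A0Pixel\u007F 6)"
    val headers = buildIntakeHeaders("pub0123abcd", ua, "1.2.3")
    check(headers?.get("User-Agent") == "Dalvik/2.1.0 (Linux; U; Android 12;Pixel 6)")

    // A user agent made only of illegal characters falls back to the default,
    // and the (constructed) SDK version loses its embedded newline.
    val fallback = buildIntakeHeaders("pub0123abcd", "\u0001\u007F", "1.2\n.3")
    check(fallback?.get("User-Agent") == "Datadog/1.2.3")

    // A token with a non-ASCII character: no headers, so no request is sent.
    check(buildIntakeHeaders("pub0123\u00E9", ua, "1.2.3") == null)
    println("all checks passed")
}
```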

System.getProperty(SYSTEM_UA).let {
if (it.isNullOrBlank()) {
"Datadog/$sdkVersion " +
sanitizeHeaderValue(System.getProperty(SYSTEM_UA))

Curiosity: Why don't you trust the SYSTEM_UA property but you trust your androidInfoProvider, which relies on the Build class, which in turn takes information from system properties?

Collaborator Author

Mostly because the syntax for User Agent can become very sketchy and more likely to have weird characters.
Also the Build.xxx will be already fetched from the app zygote, whereas the UA is retrieved at Runtime, making it possible for the host app to override it.


Got your point. It is a good trade-off.

@xgouchet xgouchet force-pushed the xgouchet/RUMM-2377/sanitize_upload_headers branch from 4c85864 to ecb6433 Compare August 8, 2022 06:38
@xgouchet xgouchet requested a review from aparzio August 8, 2022 06:50
@aparzio aparzio left a comment

LGTM.

@xgouchet xgouchet merged commit 694b4b8 into develop Aug 16, 2022
@xgouchet xgouchet deleted the xgouchet/RUMM-2377/sanitize_upload_headers branch August 16, 2022 08:20
@xgouchet xgouchet added this to the 1.15.0 milestone Dec 13, 2023