RUMM-2377 Add checks on intake request headers #1005
@@ -17,9 +17,9 @@ import okhttp3.RequestBody | |
|
||
internal abstract class DataOkHttpUploaderV2( | ||
internal var intakeUrl: String, | ||
internal val clientToken: String, | ||
internal val source: String, | ||
internal val sdkVersion: String, | ||
rawClientToken: String, | ||
rawSource: String, | ||
rawSdkVersion: String, | ||
internal val callFactory: Call.Factory, | ||
internal val contentType: String, | ||
internal val androidInfoProvider: AndroidInfoProvider, | ||
|
@@ -34,17 +34,18 @@ internal abstract class DataOkHttpUploaderV2( | |
|
||
private val uploaderName = javaClass.simpleName | ||
|
||
internal val clientToken = if (isValidHeaderValue(rawClientToken)) rawClientToken else "" | ||
internal val source: String = sanitizeHeaderValue(rawSource) | ||
internal val sdkVersion: String = sanitizeHeaderValue(rawSdkVersion) | ||
|
||
private val userAgent by lazy { | ||
System.getProperty(SYSTEM_UA).let { | ||
if (it.isNullOrBlank()) { | ||
"Datadog/$sdkVersion " + | ||
sanitizeHeaderValue(System.getProperty(SYSTEM_UA)) | ||
.ifBlank { | ||
"Datadog/${sanitizeHeaderValue(sdkVersion)} " + | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. not even sure if the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The |
||
"(Linux; U; Android ${androidInfoProvider.osVersion}; " + | ||
"${androidInfoProvider.deviceModel} " + | ||
"Build/${androidInfoProvider.deviceBuildId})" | ||
} else { | ||
it | ||
} | ||
} | ||
} | ||
|
||
// region DataUploader | ||
|
@@ -88,6 +89,9 @@ internal abstract class DataOkHttpUploaderV2( | |
data: ByteArray, | ||
requestId: String | ||
): UploadStatus { | ||
if (clientToken.isBlank()) { | ||
return UploadStatus.INVALID_TOKEN_ERROR | ||
} | ||
val request = buildRequest(data, requestId) | ||
val call = callFactory.newCall(request) | ||
val response = call.execute() | ||
|
@@ -143,6 +147,20 @@ internal abstract class DataOkHttpUploaderV2( | |
} | ||
} | ||
|
||
private fun sanitizeHeaderValue(value: String?): String { | ||
return value?.filter { isValidHeaderValueChar(it) }.orEmpty() | ||
} | ||
|
||
private fun isValidHeaderValue(value: String): Boolean { | ||
return value.all { isValidHeaderValueChar(it) } | ||
} | ||
|
||
private fun isValidHeaderValueChar(c: Char): Boolean { | ||
return c == '\t' || c in '\u0020' until '\u007F' | ||
} | ||
|
||
// endregion | ||
|
||
companion object { | ||
|
||
const val SYSTEM_UA = "http.agent" | ||
|
Curiosity: Why don't you trust the `SYSTEM_UA` property but you do trust your `androidInfoProvider`, which relies on the `Build` class, which in turn takes its information from system properties?
Mostly because the syntax of the User-Agent value can become very sketchy and is more likely to contain weird characters.
Also, the `Build.xxx` values will already have been fetched by the app zygote, whereas the UA is retrieved at runtime, making it possible for the host app to override it.
Got your point. It is a good trade-off.
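Review bot: `sanitizeHeaderValue(sdkVersion)` in the User-Agent fallback (the `"Datadog/${...}"` line of the second hunk) re-filters a value that the `sdkVersion` property already sanitized at its initialization, so the fallback can use `"Datadog/$sdkVersion "` and keep a single sanitization point. The `isValidHeaderValueChar` helper in the last hunk accepts HTAB and U+0020–U+007E but carries no comment on why those bounds were chosen; I would add `// Only HTAB, SP and visible ASCII are allowed (RFC 7230 field-content minus obs-text): CR/LF and other controls can split or corrupt the request header.` above it. `isValidHeaderValue` returns true for an empty string, so an empty and an invalid `rawClientToken` are indistinguishable after construction (both end up as `""` and are rejected with `INVALID_TOKEN_ERROR` in the upload hunk); a comment on the `clientToken` property stating that this is intended would save the next reader a trip through the helpers. The `userAgent` lazy block and the `companion object` both continue outside their hunks.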