[Tails-dev] Locking down stream-events in onion-grater

Author: procmem@riseup.net
Date:  
To: tails-dev
Subject: [Tails-dev] Locking down stream-events in onion-grater
Hi, posting this mail for input.

A couple of months ago I was looking at locking down the amount of info
leaked to Tor Browser in case it is compromised - if/when stream events
access is enabled. My thought was to have the cake and eat it too.
stream-events are needed to support auth onions IIRC. I ran into
issues with escaping characters from Tor's output, namely $ and +, which
were included in an example output:

    250+circuit-status=00 BUILT $relayid~|||$relayid|,|||$relayid|~|||$relayid|,|||$relayid|~|||$relayid| BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2020-09-16T00:00:00.000000

Questions:

* Can onion-grater currently deal with such characters without having to
escape them?

* Is it even possible to sanitize responses as large and varied as
stream-events output without having something leak through, or is it best to
keep it blocked for peace of mind?


***


The rule I used in the profile:


    GETINFO:
      - pattern: 'circuit-status'
        response:
          - pattern: '250(.+)circuit-status=(\S+) (\S+) (.+) (\S+) (\S+)'
          - replacement: '250+circuit-status='

Here's the onion-grater debug log. Any idea what's wrong here?

    host onion-grater[8471]: - pattern: circuit-status
    host onion-grater[8471]:   response:
    host onion-grater[8471]:   - {pattern: 250(.+)circuit-status=(\S+) (\S+) (.+) (\S+) (\S+)}
    host onion-grater[8471]:   - {replacement: 250+circuit-status=}
    host onion-grater[8471]: SIGNAL:
    host onion-grater[8471]: - {pattern: NEWNYM}
    host onion-grater[8471]: events:
    host onion-grater[8471]:   CONF_CHANGED: {suppress: true}
    host onion-grater[8471]:   SIGNAL: {suppress: true}
    host onion-grater[8471]:   STATUS_SERVER: {suppress: true}
    host onion-grater[8471]:   STREAM: {}
    host onion-grater[8471]: restrict-stream-events: false
    host onion-grater[8471]: 10.152.152.11:56158 (filter: 30_autogenerated): -> getinfo circuit-status
    host onion-grater[8471]: 10.152.152.11:56158 (filter: 30_autogenerated) disconnected: client quit
    host onion-grater[8471]: ----------------------------------------
    host onion-grater[8471]: Exception happened during processing of request from ('10.152.152.11', 56158)
    host onion-grater[8471]: Traceback (most recent call last):
    host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py", line 650, in process_request_thread
    host onion-grater[8471]:     self.finish_request(request, client_address)
    host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py", line 360, in finish_request
    host onion-grater[8471]:     self.RequestHandlerClass(request, client_address, self)
    host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py", line 720, in __init__
    host onion-grater[8471]:     self.handle()
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 661, in handle
    host onion-grater[8471]:     session.handle()
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 481, in handle
    host onion-grater[8471]:     response_rewriter=response_rewriter)
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 277, in proxy_line
    host onion-grater[8471]:     new_response = response_rewriter(response)
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 462, in _response_rewriter
    host onion-grater[8471]:     lines)
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 314, in rewrite_matched_lines
    host onion-grater[8471]:     for line in split_lines]) + "\r\n"
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 314, in <listcomp>
    host onion-grater[8471]:     for line in split_lines]) + "\r\n"
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 307, in rewrite_matched_line
    host onion-grater[8471]:     return self.rewrite_line(replacers, line)
    host onion-grater[8471]:   File "/usr/lib/onion-grater", line 298, in rewrite_line
    host onion-grater[8471]:     match = re.match(r['pattern'] + "$", line)
    host onion-grater[8471]: KeyError: 'pattern'
    host onion-grater[8471]: ----------------------------------------
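The following Python reconstruction is added here as an illustration; it is neither part of the mail nor onion-grater's own code. The two rule lists are the posted profile exactly as the debug log shows it parsed (two separate list items) and the same rule with 'replacement' placed under the same list item as 'pattern'. rewrite_line() reuses the re.match(r['pattern'] + "$", line) call from the traceback but is otherwise a simplified stand-in (assumption: the first matching rule replaces the whole line with its literal replacement string; onion-grater's real replacement handling may differ). It shows why the split rule raises KeyError: 'pattern' on any line the first pattern does not match (such as the trailing "250 OK"), that the single-item rule rewrites the constructed circuit-status line, and, for the question about $ and +, that these must be escaped with re.escape() when they are meant literally inside a pattern (in the replacement string they are plain text). The sample response lines are constructed, with placeholder relay ids and nicknames.

```python
import re

# Constructed sample reply, modelled on the circuit-status line quoted in the
# mail; relay fingerprints/nicknames are placeholders. A GETINFO reply ends
# with a "250 OK" line, which is why it is included here.
SAMPLE_LINES = [
    "250+circuit-status=00 BUILT $relayid~nick1,$relayid~nick2,$relayid~nick3 "
    "BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2020-09-16T00:00:00.000000",
    "250 OK",
]

PATTERN = r"250(.+)circuit-status=(\S+) (\S+) (.+) (\S+) (\S+)"
REPLACEMENT = "250+circuit-status="

# The response rules as onion-grater's debug log dumps the posted profile:
# '- pattern:' and '- replacement:' are two list items, so the second item
# carries no 'pattern' key at all.
RULES_AS_POSTED = [{"pattern": PATTERN}, {"replacement": REPLACEMENT}]

# The same rule with 'replacement' under the same list item as 'pattern':
# one dict holding both keys.
RULES_FIXED = [{"pattern": PATTERN, "replacement": REPLACEMENT}]


def rewrite_line(replacers, line):
    """Simplified stand-in for onion-grater's rewrite_line (assumption: the
    first rule whose pattern matches the whole line replaces it with the
    rule's literal replacement string). The match call is the one from the
    traceback: the pattern is anchored to the end of the line with '$'."""
    for r in replacers:
        if re.match(r["pattern"] + "$", line):
            return r["replacement"]
    return line


def rewrite_lines(replacers, lines):
    """Apply rewrite_line to every line of a reply, as rewrite_matched_lines does."""
    return [rewrite_line(replacers, line) for line in lines]


def missing_key(replacers, lines):
    """Return the name of the key a KeyError complains about, or None if the
    rewrite goes through without one."""
    try:
        rewrite_lines(replacers, lines)
    except KeyError as exc:
        return exc.args[0]
    return None


def literal_matches(prefix, line, escape):
    """Does 'prefix', taken as a regex, match the start of 'line'?
    With escape=False, '+' is a quantifier and '$' an end-of-string anchor,
    so literal control-port text such as '250+' or '$relayid' does not
    match itself; with escape=True, re.escape() turns it into a literal."""
    pattern = re.escape(prefix) if escape else prefix
    return re.match(pattern, line) is not None


if __name__ == "__main__":
    print("rules as posted, data line :", missing_key(RULES_AS_POSTED, [SAMPLE_LINES[0]]))
    print("rules as posted, '250 OK'  :", missing_key(RULES_AS_POSTED, ["250 OK"]))
    print("rules fixed                :", rewrite_lines(RULES_FIXED, SAMPLE_LINES))
    print("'250+...' unescaped matches:", literal_matches("250+circuit-status=", SAMPLE_LINES[0], False))
    print("'250+...' escaped matches  :", literal_matches("250+circuit-status=", SAMPLE_LINES[0], True))
```

Which key the KeyError names depends on which half of the split rule a line reaches: a line the first pattern matches fails on the missing 'replacement', and any other line (the "250 OK" terminator here) falls through to the second item and fails on the missing 'pattern', which is the error in the posted traceback. Note that the fixed rule only redacts lines that end on the sixth space-separated field after circuit-status=; a line with a different number of fields passes through untouched, so a reject-by-default profile is safer than relying on one rewrite pattern.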