[Tails-dev] Resend: Locking down stream-events in onion-grat…

Re-sending this in a human readable form:


Hi, posting this mail for input.

A couple of months ago I was looking at locking down the amount of info
leaked to Tor Browser in case it is compromised - if/when stream events
access is enabled. my thought was to have the cake and eat it too.
stream-events are needed to supported auth onions IIRC. I ran into
issues with escaping characters from Tor's output namely $ and + which
were included in an example output:

250+circuit-status=00 BUILT
$relayid~$relayid,$relayid~$relayid,$relayid~$relayid
BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
TIME_CREATED=2020-09-16T00:00:00.000000

Questions:

* Can onion-grater currently deal with such characters without having to
escape them?

* Is it even possible to sanitize responses as large and varied as
stream-events output without having something leak thru or is it best to
keep it blocked for peace of mind?


***


The rule I used in the profile:


GETINFO:
      - pattern: 'circuit-status'
        response:
        - pattern: '250(.+)circuit-status=(\S+) (\S+) (.+) (\S+) (\S+)'
        - replacement: '250+circuit-status='



Here's the onion-grater debug log. Any idea what's wrong here?


 host onion-grater[8471]:   - pattern: circuit-status
 host onion-grater[8471]:     response:
 host onion-grater[8471]:     - {pattern: 250(.+)circuit-status=(\S+)
(\S+) (.+) (\S+) (\S+)}
 host onion-grater[8471]:     - {replacement: 250+circuit-status=}
 host onion-grater[8471]:   SIGNAL:
 host onion-grater[8471]:   - {pattern: NEWNYM}
 host onion-grater[8471]: events:
 host onion-grater[8471]:   CONF_CHANGED: {suppress: true}
 host onion-grater[8471]:   SIGNAL: {suppress: true}
 host onion-grater[8471]:   STATUS_SERVER: {suppress: true}
 host onion-grater[8471]:   STREAM: {}
 host onion-grater[8471]: restrict-stream-events: false
 host onion-grater[8471]: 10.152.152.11:56158 (filter:
30_autogenerated): -> getinfo circuit-status
 host onion-grater[8471]: 10.152.152.11:56158 (filter:
30_autogenerated) disconnected: client quit
 host onion-grater[8471]: ----------------------------------------
 host onion-grater[8471]: Exception happened during processing of
request from ('10.152.152.11', 56158)
 host onion-grater[8471]: Traceback (most recent call last):
 host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py",
line 650, in process_request_thread
 host onion-grater[8471]:     self.finish_request(request, client_address)
 host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py",
line 360, in finish_request
 host onion-grater[8471]:     self.RequestHandlerClass(request,
client_address, self)
 host onion-grater[8471]:   File "/usr/lib/python3.7/socketserver.py",
line 720, in __init__
 host onion-grater[8471]:     self.handle()
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 661, in
handle
 host onion-grater[8471]:     session.handle()
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 481, in
handle
 host onion-grater[8471]:     response_rewriter=response_rewriter)
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 277, in
proxy_line
 host onion-grater[8471]:     new_response = response_rewriter(response)
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 462, in
_response_rewriter
 host onion-grater[8471]:     lines)
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 314, in
rewrite_matched_lines
 host onion-grater[8471]:     for line in split_lines]) + "\r\n"
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 314, in
<listcomp>
 host onion-grater[8471]:     for line in split_lines]) + "\r\n"
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 307, in
rewrite_matched_line
 host onion-grater[8471]:     return self.rewrite_line(replacers, line)
 host onion-grater[8471]:   File "/usr/lib/onion-grater", line 298, in
rewrite_line
 host onion-grater[8471]:     match = re.match(r['pattern'] + "$", line)
 host onion-grater[8471]: KeyError: 'pattern'
 host onion-grater[8471]: ----------------------------------------