From 4067114fbd362cb4a2e9555ef160b82637e06fa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20K=C3=A4mmerling?= Date: Mon, 2 May 2022 21:38:19 +0200 Subject: [PATCH] Pageview ID shouldn't be generated from the tracker MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ID should always be server generated - so in this case from the collector. Generating it on the client and just "storing" it on the collector makes it difficult and insecure. Because of backward compability we limit the generated UUID to only 32 chars. Closes #322 Closes #312 Signed-off-by: Lukas Kämmerling --- assets/src/js/tracker.js | 6 ------ go.mod | 6 +----- go.sum | 9 ++------- pkg/api/collect.go | 5 +++-- 4 files changed, 6 insertions(+), 20 deletions(-) diff --git a/assets/src/js/tracker.js b/assets/src/js/tracker.js index a3b42e1d..bc1d48d4 100644 --- a/assets/src/js/tracker.js +++ b/assets/src/js/tracker.js @@ -30,11 +30,6 @@ }).join('&'); } - function randomString(n) { - var s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; - return Array(n).join().split(',').map(() => s.charAt(Math.floor(Math.random() * s.length))).join(''); - } - function getCookie(name) { var cookies = document.cookie ? document.cookie.split('; ') : []; @@ -160,7 +155,6 @@ let data = getData(); const d = { - id: randomString(20), pid: data.previousPageviewId || '', p: path, h: hostname, diff --git a/go.mod b/go.mod index 927e0a65..fb467138 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.17 require ( github.com/go-sql-driver/mysql v1.4.1-0.20181113023849-369b5d6e5e8e github.com/gobuffalo/packr v1.13.7 + github.com/google/uuid v1.3.0 github.com/gorilla/context v1.1.1 github.com/gorilla/handlers v1.3.1-0.20180717233320-6257a585e449 github.com/gorilla/mux v1.6.3-0.20180605211556-cb4698366aa6 @@ -23,13 +24,8 @@ require ( require ( github.com/gorilla/securecookie v1.1.2-0.20180608144417-78f3d318a8bf // indirect - github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/pkg/errors v0.8.1-0.20180311214515-816c9085562c // indirect - github.com/spf13/cobra v0.0.3 // indirect - github.com/spf13/pflag v1.0.2 // indirect github.com/ziutek/mymysql v1.5.5-0.20171217234033-ff6cc86d3d93 // indirect - golang.org/x/net v0.0.0-20180921000356-2f5d2388922f // indirect - golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f // indirect golang.org/x/sys v0.0.0-20180724212812-e072cadbbdc8 // indirect google.golang.org/appengine v1.1.0 // indirect gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect diff --git a/go.sum b/go.sum index 523f8bcb..2093728c 100644 --- a/go.sum +++ b/go.sum @@ -5,6 +5,8 @@ github.com/go-sql-driver/mysql v1.4.1-0.20181113023849-369b5d6e5e8e h1:Xw+e5SXKk github.com/go-sql-driver/mysql v1.4.1-0.20181113023849-369b5d6e5e8e/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/gobuffalo/packr v1.13.7 h1:2uZgLd6b/W4yRBZV/ScaORxZLNGMHO0VCvqQNkKukNA= github.com/gobuffalo/packr v1.13.7/go.mod h1:KkinLIn/n6+3tVXMwg6KkNvWwVsrRAz4ph+jgpk3Z24= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/handlers v1.3.1-0.20180717233320-6257a585e449 h1:xvx+89oAmZAh0wLoEwx2ynicSQP3QR80g1M9zcS3IZE= @@ -16,7 +18,6 @@ github.com/gorilla/securecookie v1.1.2-0.20180608144417-78f3d318a8bf h1:tgJ+TrHb github.com/gorilla/securecookie v1.1.2-0.20180608144417-78f3d318a8bf/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/sessions v1.1.1 h1:YMDmfaK68mUixINzY/XjscuJ47uXFWSSHzFbBQM0PrE= github.com/gorilla/sessions v1.1.1/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jmoiron/sqlx v1.2.1-0.20181024163419-82935fac6c1a h1:7F1aETmIWwSQAv4S2415VrWj9eJyxR3epEEb6O5isgA= github.com/jmoiron/sqlx v1.2.1-0.20181024163419-82935fac6c1a/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= @@ -30,8 +31,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lib/pq v1.0.1-0.20181016162627-9eb73efc1fcc h1:9GUJohDyEsZO3cDfQuSxTf38xvk+gRWe+fDv3L9oWHA= -github.com/lib/pq v1.0.1-0.20181016162627-9eb73efc1fcc/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk= github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= @@ -48,9 +47,7 @@ github.com/rubenv/sql-migrate v0.0.0-20180704111356-3f452fc0ebeb h1:lAOy8O8yKU3u github.com/rubenv/sql-migrate v0.0.0-20180704111356-3f452fc0ebeb/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY= github.com/sirupsen/logrus v1.0.7-0.20180723115307-c108f5553c36 h1:NvBdWUXstAlJwU7RjOTudVgMj5N/NTYKJxwoJN5+0XY= github.com/sirupsen/logrus v1.0.7-0.20180723115307-c108f5553c36/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= -github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/pflag v1.0.2 h1:Fy0orTDgHdbnzHcsOgfCN4LtHf0ec3wwtiwJqwvf3Gc= github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= @@ -60,9 +57,7 @@ github.com/ziutek/mymysql v1.5.5-0.20171217234033-ff6cc86d3d93 h1:neEPpeeJDl7Rs0 github.com/ziutek/mymysql v1.5.5-0.20171217234033-ff6cc86d3d93/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0= golang.org/x/crypto v0.0.0-20180723164146-c126467f60eb h1:Ah9YqXLj6fEgeKqcmBuLCbAsrF3ScD7dJ/bYM0C6tXI= golang.org/x/crypto v0.0.0-20180723164146-c126467f60eb/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/net v0.0.0-20180921000356-2f5d2388922f h1:QM2QVxvDoW9PFSPp/zy9FgxJLfaWTZlS61KEPtBwacM= golang.org/x/net v0.0.0-20180921000356-2f5d2388922f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f h1:wMNYb4v58l5UBM7MYRLPG6ZhfOqbKu7X5eyFl8ZhKvA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180724212812-e072cadbbdc8 h1:7T3bTJEttnfJdEY+NY/VYT7IXRaul8potWiyw/n7LB8= golang.org/x/sys v0.0.0-20180724212812-e072cadbbdc8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= diff --git a/pkg/api/collect.go b/pkg/api/collect.go index 2581ea22..78666034 100644 --- a/pkg/api/collect.go +++ b/pkg/api/collect.go @@ -7,6 +7,7 @@ import ( "strings" "time" + "github.com/google/uuid" log "github.com/sirupsen/logrus" "github.com/mssola/user_agent" @@ -52,7 +53,7 @@ func (c *Collector) ServeHTTP(w http.ResponseWriter, r *http.Request) { now := time.Now() pageview := &models.Pageview{ - ID: q.Get("id"), + ID: uuid.NewString()[0:30], SiteTrackingID: q.Get("sid"), Hostname: parseHostname(q.Get("h")), Pathname: parsePathname(q.Get("p")), @@ -194,7 +195,7 @@ func shouldCollect(r *http.Request) bool { } // discard if required query vars are missing - requiredQueryVars := []string{"id", "h", "p"} + requiredQueryVars := []string{"h", "p"} q := r.URL.Query() for _, k := range requiredQueryVars { if q.Get(k) == "" {