Add random padding to issue requests (#1195)

* Add random padding to bulk upload requests * move to static js file * do it for regular issue * fix ref
google · Nov 25, 2020 · 9097a07 · 9097a07
1 parent f2f8310
commit 9097a07
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/cmd/server/assets/codes/bulk-issue.html b/cmd/server/assets/codes/bulk-issue.html
@@ -134,7 +134,7 @@
       let tzOffset = new Date().getTimezoneOffset();
       let randomString = getCookie("retryCode");
       if (randomString == "") {
-        randomString = genCode();
+        randomString = genRandomString(12);
       } else {
         $rememberCode.prop("checked", true);
       }
@@ -164,7 +164,7 @@
 
       $newCode.on('click', function(event) {
         event.preventDefault();
-        $retryCode.val(genCode());
+        $retryCode.val(genRandomString(12));
       });
 
       $form.on('submit', function(event) {
@@ -267,6 +267,9 @@
         request["phone"] = $("<div>").text(cols[0].trim()).html();
         request["testDate"] = (cols.length > 1) ? $("<div>").text(cols[1].trim()).html() : "";
         request["symptomDate"] = (cols.length > 2) ? $("<div>").text(cols[2].trim()).html() : "";
+        // Request is padded with 5-15 random chars. These are ignored but vary the size of the request
+        // to prevent network traffic observation.
+        request["padding"] = btoa(genRandomString(5  + Math.floor(Math.random() * 15)));
         if (request["phone"] == "") {
           return "";
         }
@@ -306,11 +309,6 @@
         },
       });
     }
-
-    // generates a random 16 digit alphanumeric code
-    function genCode() {
-      return Math.random().toString(36).substr(2, 8) + Math.random().toString(36).substr(2, 8);
-    }
   </script>
 </body>
 

diff --git a/cmd/server/assets/codes/issue.html b/cmd/server/assets/codes/issue.html
@@ -281,7 +281,11 @@ <h1>{{t $.locale "header.create-verification-code"}}</h1>
         // Clear and hide errors
         flash.clear();
 
-        let data = {};
+        let data = {
+          // Request is padded with 5-15 random chars. These are ignored but vary the size of the request
+          // to prevent network traffic observation.
+          'padding': btoa(genRandomString(5  + Math.floor(Math.random() * 15))),
+        };
         $($form.serializeArray()).each(function(i, obj) {
           data[obj.name] = obj.value
         });

diff --git a/cmd/server/assets/static/js/application.js b/cmd/server/assets/static/js/application.js
@@ -616,3 +616,16 @@ function loginScripts(hasCurrentUser, onLoginSuccess) {
     $factors.append($li);
   }
 }
+
+// generates a random alphanumeric code
+function genRandomString(len) {
+  let i = len;
+  let s = "";
+  for (; i >= 6; i -= 6) {
+    s += Math.random().toString(36).substr(2, 8);
+  }
+  if (i > 0) {
+    s += Math.random().toString(36).substr(2, 2 + i);
+  }
+  return s;
+}