Project

General

Profile

Bug #6571

Sanitize IPv6 addresses in WhisperBack

Added by sajolida over 5 years ago. Updated about 5 years ago.

Status:
In Progress
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
03/02/2014
Due date:
% Done:

50%

QA Check:
Feature Branch:
Type of work:
Code
Blueprint:
Starter:
No
Affected tool:
WhisperBack

Description

We currently don't remove IPv6 addresses, while we do remove IPv4
addresses (see sanitize_hardware_info in utils.py).

This should be fixed as IPv6 addresses can contain MAC addresses.


Subtasks

Bug #6804: Sanitize expanded IPv6 addresses in WhisperBackResolved

Bug #6805: Sanitize "compressed" IPv6 addresses in WhisperBackConfirmedalant


Related issues

Related to Tails - Bug #6343: List potentially identifying information sent in Whisperback reports In Progress 03/01/2014
Related to Tails - Bug #10695: unscrubbed URL in .xsession-errors (and therefore, in whisperback report) In Progress 11/30/2015

History

#1 Updated by intrigeri over 5 years ago

  • Assignee set to alant

Alan volunteered.

#2 Updated by sajolida over 5 years ago

We were submitted a patch for that. See bugreport baf885a4fc0b888f09afe2e625cd448d.


--- /lib/live/mount//rootfs//filesystem.squashfs/usr/share/pyshared/whisperBack/utils.py    2013-11-30 09:19:08.000000000 -0500
+++ /usr/share/pyshared/whisperBack/utils.py    2014-01-08 03:24:49.707905907 -0500
@@ -29,6 +29,8 @@
 import re
 import urlparse
 import locale
+import subprocess
+import string

 # Ugly pathes finder utilities

@@ -135,6 +137,45 @@
     else:
         return False

+def expand_ipv6(address):
+    fullAddress = "" # All groups
+    expandedAddress = "" # Each group padded with leading zeroes
+    validGroupCount = 8
+    validGroupSize = 4
+    if "::" not in address: # All groups are already present
+        fullAddress = address
+    else: # Consecutive groups of zeroes have been collapsed with "::" 
+        sides = address.split("::")
+        groupsPresent = 0
+        for side in sides:
+            if len(side) > 0:
+                groupsPresent += len(side.split(":"))
+        if len(sides[0]) > 0:
+            fullAddress += sides[0] + ":" 
+        for i in range(0,validGroupCount-groupsPresent):
+            fullAddress += "0000:" 
+        if len(sides[1]) > 0:
+            fullAddress += sides[1]
+        if fullAddress[-1] == ":":
+            fullAddress = fullAddress[:-1]
+    groups = fullAddress.split(":")
+    for group in groups:
+        while(len(group) < validGroupSize):
+            group = "0" + group
+        expandedAddress += group + ":" 
+    if expandedAddress[-1] == ":":
+        expandedAddress = expandedAddress[:-1]
+    return expandedAddress
+
+def get_local_ipv6():
+    ifconfig = subprocess.Popen(("/sbin/ifconfig"), stdout=subprocess.PIPE)
+    ifconfig.wait()
+    data = ifconfig.communicate()[0]
+    matched_lines = [line for line in data.split('\n') if "inet6" in line]
+    ipv6_addresses = [re.sub(r'.*addr: ([^/]*)/.*', r'\g<1>', line) for line in matched_lines]
+    ipv6_addresses.extend([expand_ipv6(addr) for addr in ipv6_addresses])
+    return ipv6_addresses
+
 def sanitize_hardware_info(log_string):
     """Sanitize hardware-identifying info from a string

@@ -162,6 +203,15 @@
     log_string = re.sub(r'([\d]{1,3}\.){3}[\d]{1,3}',
                         r'[IP REMOVED]',
                         log_string)
+
+    log_string = re.sub(r'[0-9a-fA-F]{4}(:[0-9a-fA-F]{4}){7}',
+                        r'[IP6 REMOVED]',
+                        log_string)
+
+    ipv6 = get_local_ipv6()
+    for addr in ipv6:
+        log_string = string.replace(log_string, addr, '[IP6 REMOVED]')
+
     # MAC addresses
     log_string = re.sub(r'([0-9a-fA-F]{2}:){5,}[0-9a-fA-F]{2}',
                         r'[MAC REMOVED]',

#3 Updated by intrigeri over 5 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20

#4 Updated by alant about 5 years ago

I don't see why to use such a complex solution while addresses in the exemple are already expanded:

[   12.3456789] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:abcd:efab:cdef:1234 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

#5 Updated by alant about 5 years ago

  • % Done changed from 20 to 40
  • Feature Branch set to whisperback:bugfix/filter_more_serial_nos

The simple approach is now implemented.

#6 Updated by alant about 5 years ago

  • Assignee changed from alant to anonym
  • QA Check set to Ready for QA

#7 Updated by alant about 5 years ago

  • Assignee changed from anonym to alant
  • QA Check deleted (Ready for QA)
  • Feature Branch deleted (whisperback:bugfix/filter_more_serial_nos)

Splitted between two subtasks: expanded and "compressed" addresses

#8 Updated by intrigeri over 3 years ago

  • Related to Bug #6343: List potentially identifying information sent in Whisperback reports added

#9 Updated by intrigeri over 3 years ago

  • Related to Bug #10695: unscrubbed URL in .xsession-errors (and therefore, in whisperback report) added

Also available in: Atom PDF