Merge branch 'fix-ipv6-address-redaction'

2 files changed, 48 insertions, 31 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1859e343d5..3bd82da208 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ Line wrap the file at 100 chars.                                              Th
 ### Fixed
 - Don't temporarily show the unsecured state in the GUI when the app is reconnecting or blocking.
 - Periodically update list of relays in the GUI.
+- Redact IPv6 address that start or end with double colons in problem reports.
 
 
 ## [2018.3] - 2018-09-17
diff --git a/mullvad-problem-report/src/main.rs b/mullvad-problem-report/src/main.rs
index 85cb81f94e..a76fb79544 100644
--- a/mullvad-problem-report/src/main.rs
+++ b/mullvad-problem-report/src/main.rs
@@ -352,16 +352,18 @@ impl ProblemReport {
     fn redact_network_info(input: &str) -> Cow<str> {
         lazy_static! {
             static ref RE: Regex = {
+                let boundary = "[^0-9a-zA-Z.:]";
                 let combined_pattern = format!(
-                    "\\b({}|{}|{})\\b",
+                    "(?P<start>^|{})(?:{}|{}|{})",
+                    boundary,
                     build_ipv4_regex(),
                     build_ipv6_regex(),
-                    build_mac_regex()
+                    build_mac_regex(),
                 );
                 Regex::new(&combined_pattern).unwrap()
             };
         }
-        RE.replace_all(input, "[REDACTED]")
+        RE.replace_all(input, "$start[REDACTED]")
     }
 
     fn redact_custom_strings<'a>(&self, input: &'a str) -> Cow<'a, str> {
@@ -423,23 +425,41 @@ fn build_ipv4_regex() -> String {
 }
 
 fn build_ipv6_regex() -> String {
-    let hextet = "[[:xdigit:]]{1,4}"; // 0 - ffff
+    // Regular expression obtained from:
+    // https://stackoverflow.com/a/17871737
+    let ipv4_segment = "(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])";
+    let ipv4_address = format!("({0}\\.){{3,3}}{0}", ipv4_segment);
 
-    // Matches 1-7 hextets followed by one or two colons
-    // and one last hextet.
-    //
-    // This means that there are many
-    // invalid IPv6 addresses that matches this. E.g.
-    // all that has more than one instance of '::', but we
-    // don't really care.
-    let short = format!("({0}::?){{1,6}}(:{0}){{1,6}}", hextet);
+    let ipv6_segment = "[0-9a-fA-F]{1,4}";
 
-    // Matches addresses without double colon. This is
-    // a separate regex to make it easier to not match
-    // on time
-    let long = format!("({0}:){{7}}{0}", hextet);
+    let long = format!("({0}:){{7,7}}{0}", ipv6_segment);
+    let compressed_1 = format!("({0}:){{1,7}}:", ipv6_segment);
+    let compressed_2 = format!("({0}:){{1,6}}:{0}", ipv6_segment);
+    let compressed_3 = format!("({0}:){{1,5}}(:{0}){{1,2}}", ipv6_segment);
+    let compressed_4 = format!("({0}:){{1,4}}(:{0}){{1,3}}", ipv6_segment);
+    let compressed_5 = format!("({0}:){{1,3}}(:{0}){{1,4}}", ipv6_segment);
+    let compressed_6 = format!("({0}:){{1,2}}(:{0}){{1,5}}", ipv6_segment);
+    let compressed_7 = format!("{0}:((:{0}){{1,6}})", ipv6_segment);
+    let compressed_8 = format!(":((:{0}){{1,7}}|:)", ipv6_segment);
+    let link_local = "[Ff][Ee]80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}";
+    let ipv4_mapped = format!("::([fF]{{4}}(:0{{1,4}}){{0,1}}:){{0,1}}{}", ipv4_address);
+    let ipv4_embedded = format!("({0}:){{1,4}}:{1}", ipv6_segment, ipv4_address);
 
-    format!("(?:{})|(?:{})", short, long)
+    format!(
+        "{}|{}|{}|{}|{}|{}|{}|{}|{}|{}|{}|{}",
+        long,
+        link_local,
+        ipv4_mapped,
+        ipv4_embedded,
+        compressed_8,
+        compressed_7,
+        compressed_6,
+        compressed_5,
+        compressed_4,
+        compressed_3,
+        compressed_2,
+        compressed_1,
+    )
 }
 
 /// Helper to lossily read a file to a `String`. If the file size exceeds the given `max_bytes`,
@@ -490,9 +510,7 @@ mod tests {
 
     #[test]
     fn does_not_redact_localhost_ipv4() {
-        let report = ProblemReport::new(vec![]);
-        let res = report.redact("127.0.0.1");
-        assert_eq!("127.0.0.1", res);
+        assert_does_not_redact("127.0.0.1");
     }
 
     #[test]
@@ -506,15 +524,16 @@ mod tests {
         assert_redacts_ipv6("2001:db8:0:1:1:1:1:1");
         assert_redacts_ipv6("2001:db8:0:0:1:0:0:1");
         assert_redacts_ipv6("2001:db8::1:0:0:1");
+        assert_redacts_ipv6("abcd:dead:beef::");
+        assert_redacts_ipv6("abcd:dead:beef:1234::");
+        assert_redacts_ipv6("::dead:beef:1234");
         assert_redacts_ipv6("0::0");
         assert_redacts_ipv6("0:0:0:0::1");
     }
 
     #[test]
     fn doesnt_redact_not_ipv6() {
-        let report = ProblemReport::new(vec![]);
-        let actual = report.redact("[talpid_core::security]");
-        assert_eq!("[talpid_core::security]", actual);
+        assert_does_not_redact("[talpid_core::security]");
     }
 
     fn assert_redacts_ipv6(input: &str) {
@@ -524,16 +543,13 @@ mod tests {
     }
 
     #[test]
-    fn test_does_not_redact_localhost_ipv6() {
-        let report = ProblemReport::new(vec![]);
-        let res = report.redact("::1");
-        assert_eq!("::1", res);
+    fn test_does_not_redact_time() {
+        assert_does_not_redact("09:47:59");
     }
 
-    #[test]
-    fn test_does_not_redact_time() {
+    fn assert_does_not_redact(input: &str) {
         let report = ProblemReport::new(vec![]);
-        let res = report.redact("09:47:59");
-        assert_eq!("09:47:59", res);
+        let res = report.redact(input);
+        assert_eq!(input, res);
     }
 }