ip address obfuscation

fippo · May 22, 2016 · 8ece744 · 8ece744
1 parent 491f8f7
commit 8ece744
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 3 deletions.
diff --git a/app.js b/app.js
@@ -3,6 +3,7 @@ var config = require('config');
 var uuid = require('uuid');
 var statsMangler = require('./getstats-mangle');
 var statsDecompressor = require('./getstats-deltacompression').decompress;
+var obfuscate = require('./obfuscator');
 var express = require('express');
 
 var Store = require('./store')({
@@ -126,6 +127,7 @@ function run(keys) {
                 });
                 break;
             default:
+                obfuscate(data);
                 if (!db[referer][clientid].peerConnections[data[1]]) {
                     db[referer][clientid].peerConnections[data[1]] = [];
                     baseStats[data[1]] = {};

diff --git a/obfuscator.js b/obfuscator.js
@@ -0,0 +1,34 @@
+// obfuscate ip addresses which should not be stored long-term.
+
+var SDPUtils = require('sdp');
+
+// obfuscate ip, keeping address family intact.
+// TODO: keep private addresses and only strip certain parts?
+function obfuscateIP(ip) {
+    return ip.indexOf(':') === -1 ? '0.0.0.0' : '::1';
+}
+
+// obfuscate the ip in ice candidates. Does NOT obfuscate the ip of the TURN server to allow
+// selecting/grouping sessions by TURN server.
+function obfuscateCandidate(candidate) {
+    var cand = SDPUtils.parseCandidate(candidate);
+    if (cand.type !== 'relay') {
+        cand.ip = obfuscateIP(cand.ip);
+    }
+    if (cand.relatedAddress) {
+        cand.relatedAddress = obfuscateIP(cand.relatedAddress);
+    }
+    return SDPUtils.writeCandidate(cand);
+}
+
+module.exports = function(data) {
+    var lines;
+    switch(data[0]) {
+    case 'addIceCandidate':
+    case 'onicecandidate':
+        if (data[2] && data[2].candidate) {
+            data[2].candidate = obfuscateCandidate(data[2].candidate);
+        }
+        break;
+    }
+};
diff --git a/package.json b/package.json
@@ -34,6 +34,7 @@
     "pg": "^4.4.6",
     "pg-promise": "^3.2.3",
     "platform": "^1.3.1",
+    "sdp": "^1.0.0",
     "uuid": "^2.0.1",
     "ws": "^0.8.1"
   },

diff --git a/test/clienttest.json b/test/clienttest.json
@@ -98,7 +98,7 @@
     "time": "2016-01-28T18:24:20.304Z",
     "type": "onicecandidate",
     "value": {
-     "candidate": "candidate:1608896916 1 udp 2122194687 10.1.5.92 47183 typ host generation 0",
+     "candidate": "candidate:1608896916 1 udp 2122194687 10.1.5.92 47183 typ srflx raddr 1.2.3.4 rport 47183 generation 0",
      "sdpMid": "audio",
      "sdpMLineIndex": 0
     }
@@ -107,7 +107,7 @@
     "time": "2016-01-28T18:24:20.308Z",
     "type": "onicecandidate",
     "value": {
-     "candidate": "candidate:211962667 2 udp 2122260222 10.0.3.1 52923 typ host generation 0",
+     "candidate": "candidate:211962667 2 udp 2122260222 10.0.3.1 52923 typ relay raddr 1.2.3.4 rport 52923 generation 0",
      "sdpMid": "audio",
      "sdpMLineIndex": 0
     }
@@ -11168,4 +11168,4 @@
    }
   ]
  }
-}
+}