Scala Stream Collector: allow users to disable the default redirect endpoint

[dilyand]

The Javascript tracker allows for click tracking through open redirects. There are concerns that this functionality might be abused by malicious third parties. Even if SSC users are not making use of the feature in the JS tracker, they are still potentially vulnerable as the collector would accept requests to the default redirect endpoint.

[yalisassoon]

https://www.bleepingcomputer.com/news/security/adobe-and-google-open-redirects-abused-by-phishing-campaigns/

[dilyand]

It would be great if we can still allow redirects, just not via the default route.

The default route is public, which makes it easy to abuse. However, a custom redirect path will be much harder to guess.

We can't use custom path mappings for this, because the custom path will have to be mapped to some default. But if we make the redirect path configurable, then users will be able to have the functionality in a secure way.

Seeing how we're already adding a new item to the config, what if instead of a Boolean it's just the redirect path to be used -- and if it's not specified then redirects are not possible? I wonder if this would be much harder to implement.

[peel]

@dilyand to me the only problem here is backwards compatibility:

• I deliberately set a 4xx response on the old route to make submitting events to collector invalid, otherwise ${OLD_PREFIX}/${PROTOCOL_VERSION} is a perfectly valid event that gets tracked. Can't be done with fully configurable or we need to hardcode the old default somewhere (as is it is now) until all the users have migrated.
• With fully configurable we disable the old r/ route by default (should we?) so upon upgrade config changes are necessary.

What are your thoughts on the two?

[dilyand]

I think what we have now in the proposed 0.17.0 is good enough. It might be worthwhile though to open an issue for future versions, where we give users the ability to only use a custom redirect path (ie, disabling the default path but not redirects as such). And have the discussion on backward compatibility there, if we ever pick up the issue again.