Merge pull request #116 from TeamPiped/blake3-query-hashing

Implement blake3 cryptographic hash verification for query string
2024-08-14 23:50:45 +00:00 · 2023-11-20 05:24:46 +00:00 · 2023-11-20 05:24:46 +00:00 · 0a6feb88ae
commit 0a6feb88ae
parent c136f79cc2 2aa3053d34
3 changed files with 81 additions and 1 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -256,6 +256,12 @@ dependencies = [
 "syn 2.0.39",
 ]
 [[package]]
 name = "arrayref"
 version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6b4930d2cb77ce62f89ee5d5289b4ac049559b1c45539271f5ed4fdc7db34545"
 [[package]]
 name = "arrayvec"
 version = "0.7.4"
@ -349,6 +355,19 @@ version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "02bef9e74b5908bed0360844109a55b62b07cc973274c11d3a577bda8cc1cf60"
 [[package]]
 name = "blake3"
 version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0231f06152bf547e9c2b5194f247cd97aacf6dcd8b15d8e5ec0663f64580da87"
 dependencies = [
 "arrayref",
 "arrayvec",
 "cc",
 "cfg-if",
 "constant_time_eq",
 ]
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@ -465,6 +484,12 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d7b894f5411737b7867f4827955924d7c254fc9f4d91a6aad6b097804b1018b"
 [[package]]
 name = "constant_time_eq"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2"
 [[package]]
 name = "convert_case"
 version = "0.4.0"
@ -1380,6 +1405,7 @@ name = "piped-proxy"
 version = "0.1.0"
 dependencies = [
 "actix-web",
 "blake3",
 "image",
 "libwebp-sys",
 "mimalloc",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -23,9 +23,10 @@ rgb = { version = "0.8.37", optional = true }
 once_cell = "1.18.0"
 regex = "1.10.2"
 blake3 = { version = "1.5.0", optional = true }
 [features]
-default = ["webp", "mimalloc", "reqwest-rustls"]
+default = ["webp", "mimalloc", "reqwest-rustls", "qhash"]
 reqwest-rustls = ["reqwest/rustls-tls"]
 reqwest-native-tls = ["reqwest/default-tls"]
@ -37,5 +38,7 @@ mimalloc = ["dep:mimalloc"]
 optimized = ["libwebp-sys?/sse41", "libwebp-sys?/avx2", "libwebp-sys?/neon"]
 qhash = ["blake3"]
 [profile.release]
 lto = true
--- a/src/main.rs
+++ b/src/main.rs
@ -137,6 +137,57 @@ async fn index(req: HttpRequest) -> Result<HttpResponse, Box<dyn Error>> {
    // parse query string
    let query = QString::from(req.query_string());
    #[cfg(feature = "qhash")]
    {
        use std::collections::BTreeSet;
        let secret = env::var("HASH_SECRET");
        if let Ok(secret) = secret {
            let qhash = query.get("qhash");
            if qhash.is_none() {
                return Err("No qhash provided".into());
            }
            let qhash = qhash.unwrap();
            if qhash.len() != 8 {
                return Err("Invalid qhash provided".into());
            }
            // Store sorted key-value pairs
            let mut set = BTreeSet::new();
            {
                let pairs = query.to_pairs();
                for (key, value) in &pairs {
                    if matches!(*key, "qhash" | "range" | "rewrite") {
                        continue;
                    }
                    set.insert((key.as_bytes().to_owned(), value.as_bytes().to_owned()));
                }
            }
            let hash = spawn_blocking(move || {
                let mut hasher = blake3::Hasher::new();
                for (key, value) in set {
                    hasher.update(&key);
                    hasher.update(&value);
                }
                hasher.update(secret.as_bytes());
                let hash = hasher.finalize().to_hex();
                let hash = hash[..8].to_owned();
                hash
            }).await.unwrap();
            if hash != qhash {
                return Err("Invalid qhash provided".into());
            }
        }
    }
    let res = query.get("host");
    let res = res.map(|s| s.to_string());