Remove duplicate EC cookie helpers

ChristianPavilonis · ChristianPavilonis · commit f771640958c4 · 2026-06-11T11:10:42.000-05:00
diff --git a/crates/trusted-server-core/src/cookies.rs b/crates/trusted-server-core/src/cookies.rs
@@ -3,20 +3,14 @@
 //! This module provides functionality for parsing, creating, stripping, and forwarding cookies
 //! used in the trusted server system.
 
-use std::borrow::Cow;
-
 use cookie::{Cookie, CookieJar};
 use edgezero_core::body::Body as EdgeBody;
 use error_stack::{Report, ResultExt};
 use http::header;
 use http::Request;
-use http::Response;
 
-use crate::constants::{
-    COOKIE_EUCONSENT_V2, COOKIE_GPP, COOKIE_GPP_SID, COOKIE_TS_EC, COOKIE_US_PRIVACY,
-};
+use crate::constants::{COOKIE_EUCONSENT_V2, COOKIE_GPP, COOKIE_GPP_SID, COOKIE_US_PRIVACY};
 use crate::error::TrustedServerError;
-use crate::settings::Settings;
 
 /// Cookie names carrying privacy consent signals.
 ///
@@ -30,50 +24,6 @@ pub const CONSENT_COOKIE_NAMES: &[&str] = &[
     COOKIE_US_PRIVACY,
 ];
 
-const COOKIE_MAX_AGE: i32 = 365 * 24 * 60 * 60;
-
-fn is_allowed_ec_id_char(c: char) -> bool {
-    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
-}
-
-// Outbound allowlist for cookie sanitization: permits [a-zA-Z0-9._-] as a
-// defense-in-depth backstop when setting the Set-Cookie header. This is
-// intentionally broader than the inbound format validator
-// (`synthetic::is_valid_synthetic_id`), which enforces the exact
-// `<64-hex>.<6-alphanumeric>` structure and is used to reject untrusted
-// request values before they enter the system.
-#[must_use]
-pub(crate) fn ec_id_has_only_allowed_chars(ec_id: &str) -> bool {
-    ec_id.chars().all(is_allowed_ec_id_char)
-}
-
-fn sanitize_ec_id_for_cookie(ec_id: &str) -> Cow<'_, str> {
-    if ec_id_has_only_allowed_chars(ec_id) {
-        return Cow::Borrowed(ec_id);
-    }
-
-    let safe_id = ec_id
-        .chars()
-        .filter(|c| is_allowed_ec_id_char(*c))
-        .collect::<String>();
-
-    log::warn!(
-        "Stripped disallowed characters from EC ID before setting cookie (len {} -> {}); \
-         callers should reject invalid request IDs before cookie creation",
-        ec_id.len(),
-        safe_id.len(),
-    );
-
-    Cow::Owned(safe_id)
-}
-
-pub(crate) fn ec_cookie_attributes(settings: &Settings, max_age: i32) -> String {
-    format!(
-        "Domain={}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={max_age}",
-        settings.publisher.cookie_domain,
-    )
-}
-
 /// Parses a cookie string into a [`CookieJar`].
 ///
 /// Returns an empty jar if the cookie string is unparseable.
@@ -180,136 +130,6 @@ pub fn forward_cookie_header(
     }
 }
 
-/// Returns `true` if every byte in `value` is a valid RFC 6265 `cookie-octet`.
-/// An empty string is always rejected.
-///
-/// RFC 6265 restricts cookie values to printable US-ASCII excluding whitespace,
-/// double-quote, comma, semicolon, and backslash. Rejecting these characters
-/// prevents header-injection attacks where a crafted value could append
-/// spurious cookie attributes (e.g. `evil; Domain=.attacker.com`).
-///
-/// Non-ASCII characters (multi-byte UTF-8) are always rejected because their
-/// byte values exceed `0x7E`.
-#[must_use]
-pub(crate) fn ec_cookie_value_is_safe(value: &str) -> bool {
-    // RFC 6265 §4.1.1 cookie-octet:
-    //   0x21        — '!'
-    //   0x23–0x2B  — '#' through '+'   (excludes 0x22 DQUOTE)
-    //   0x2D–0x3A  — '-' through ':'   (excludes 0x2C comma)
-    //   0x3C–0x5B  — '<' through '['   (excludes 0x3B semicolon)
-    //   0x5D–0x7E  — ']' through '~'   (excludes 0x5C backslash, 0x7F DEL)
-    // All control characters (0x00–0x20) and non-ASCII (0x80+) are also excluded.
-    !value.is_empty()
-        && value
-            .bytes()
-            .all(|b| matches!(b, 0x21 | 0x23..=0x2B | 0x2D..=0x3A | 0x3C..=0x5B | 0x5D..=0x7E))
-}
-
-/// Generates a `Set-Cookie` header value with the following security attributes:
-/// - `Secure`: transmitted over HTTPS only.
-/// - `HttpOnly`: inaccessible to JavaScript (`document.cookie`), blocking XSS exfiltration.
-///   Safe to set because integrations receive the EC ID via the `x-ts-ec`
-///   response header instead of reading it from the cookie directly.
-/// - `SameSite=Lax`: sent on same-site requests and top-level cross-site navigations.
-///   `Strict` is intentionally avoided — it would suppress the cookie on the first
-///   request when a user arrives from an external page, breaking first-visit attribution.
-/// - `Max-Age`: 1 year retention.
-///
-/// The `ec_id` is sanitized via an allowlist before embedding in the cookie value.
-/// Only ASCII alphanumeric characters and `.`, `-`, `_` are permitted — matching the
-/// known EC ID format (`{64-char-hex}.{6-char-alphanumeric}`). Request-sourced IDs
-/// with disallowed characters are rejected earlier in [`crate::ec::get_ec_id`];
-/// this sanitization remains as a defense-in-depth backstop for unexpected callers.
-///
-/// The `cookie_domain` is validated at config load time via [`validator::Validate`] on
-/// [`crate::settings::Publisher`]; bad config fails at startup, not per-request.
-///
-/// # Examples
-///
-/// ```no_run
-/// # use trusted_server_core::cookies::create_ec_cookie;
-/// # use trusted_server_core::settings::Settings;
-/// // `settings` is loaded at startup via `Settings::from_toml_and_env`.
-/// # fn example(settings: &Settings) {
-/// let cookie = create_ec_cookie(settings, "abc123.xk92ab");
-/// assert!(cookie.contains("HttpOnly"));
-/// assert!(cookie.contains("Secure"));
-/// # }
-/// ```
-#[must_use]
-pub fn create_ec_cookie(settings: &Settings, ec_id: &str) -> String {
-    let safe_id = sanitize_ec_id_for_cookie(ec_id);
-
-    format!(
-        "{}={}; {}",
-        COOKIE_TS_EC,
-        safe_id,
-        ec_cookie_attributes(settings, COOKIE_MAX_AGE),
-    )
-}
-
-#[must_use]
-pub(crate) fn try_build_ec_cookie_value(settings: &Settings, ec_id: &str) -> Option<String> {
-    if !ec_cookie_value_is_safe(ec_id) {
-        log::warn!(
-            "Rejecting EC ID for Set-Cookie: value of {} bytes contains characters illegal in a cookie value",
-            ec_id.len()
-        );
-        return None;
-    }
-
-    Some(create_ec_cookie(settings, ec_id))
-}
-
-/// Sets the EC ID cookie on the given response.
-///
-/// Validates `ec_id` against RFC 6265 `cookie-octet` rules before
-/// interpolation. If the value contains unsafe characters (e.g. semicolons),
-/// the cookie is not set and a warning is logged. This prevents an attacker
-/// from injecting spurious cookie attributes via a controlled ID value.
-///
-/// `cookie_domain` comes from operator configuration and is considered trusted.
-///
-/// # Panics
-///
-/// Does not panic in practice — the cookie value is validated by
-/// `ec_cookie_value_is_safe` (early return if invalid) before
-/// [`http::HeaderValue::from_str`] is called, so the expect is unreachable.
-/// Listed here only because clippy cannot prove it statically.
-pub fn set_ec_cookie(settings: &Settings, response: &mut Response<EdgeBody>, ec_id: &str) {
-    let Some(cookie) = try_build_ec_cookie_value(settings, ec_id) else {
-        return;
-    };
-
-    response.headers_mut().append(
-        header::SET_COOKIE,
-        http::HeaderValue::from_str(&cookie).expect("should build Set-Cookie header value"),
-    );
-}
-
-/// Expires the EC cookie by setting `Max-Age=0`.
-///
-/// Used when a user revokes consent — the browser will delete the cookie
-/// on receipt of this header.
-///
-/// # Panics
-///
-/// Does not panic in practice — the formatted value contains only ASCII
-/// printable characters (constant name, validated domain, static attributes),
-/// so [`http::HeaderValue::from_str`] always succeeds. Listed here only
-/// because clippy cannot prove it statically.
-pub fn expire_ec_cookie(settings: &Settings, response: &mut Response<EdgeBody>) {
-    response.headers_mut().append(
-        header::SET_COOKIE,
-        http::HeaderValue::from_str(&format!(
-            "{}=; {}",
-            COOKIE_TS_EC,
-            ec_cookie_attributes(settings, 0),
-        ))
-        .expect("should build expiry Set-Cookie header value"),
-    );
-}
-
 #[cfg(test)]
 mod tests {
     use http::HeaderValue;
diff --git a/crates/trusted-server-core/src/settings.rs b/crates/trusted-server-core/src/settings.rs
@@ -1550,6 +1550,14 @@ impl Proxy {
                     route.prefix
                 );
             }
+
+            if !route.prefix.is_empty() && route.prefix != "/" && !route.prefix.ends_with('/') {
+                log::warn!(
+                    "proxy.asset_routes prefix `{}` does not end with `/`; matching uses raw string-prefix semantics, so this also matches paths such as `{}example`",
+                    route.prefix,
+                    route.prefix
+                );
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1550,6 +1550,14 @@ impl Proxy {`
`1550`	`1550`	`route.prefix`
`1551`	`1551`	`);`
`1552`	`1552`	`}`
	`1553`	`+`
	`1554`	`+ if !route.prefix.is_empty() && route.prefix != "/" && !route.prefix.ends_with('/') {`
	`1555`	`+ log::warn!(`
	`1556`	+ "proxy.asset_routes prefix `{}` does not end with `/`; matching uses raw string-prefix semantics, so this also matches paths such as `{}example`",
	`1557`	`+ route.prefix,`
	`1558`	`+ route.prefix`
	`1559`	`+ );`
	`1560`	`+ }`
`1553`	`1561`	`}`
`1554`	`1562`	`}`
`1555`	`1563`