Use Tor2Web's URL mangling to detect it

Tor2Web mangles onion URLs to point to the proxy, but its implementation is a buggy and we can use that for detection. In this case, it rewrites a literal `href="fake.onion"` (inside a hidden form <input>) to something like: `href="//{$address}.onion.ly/fake.onion.ly"`. On form submission, we can detect that it doesn't roundtrip properly and flag the mangling as Tor2Web usage. Fixes #6293.
freedomofpress · Feb 23, 2022 · 66e7b04 · 66e7b04
1 parent 1787f47
commit 66e7b04
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/securedrop/source_app/main.py b/securedrop/source_app/main.py
@@ -65,6 +65,9 @@ def generate() -> Union[str, werkzeug.Response]:
 
     @view.route('/create', methods=['POST'])
     def create() -> werkzeug.Response:
+        # Try to detect Tor2Web usage by looking to see if source_url got mangled
+        if request.form['source_url'] != 'href="fake.onion"':
+            return redirect(url_for('info.tor2web_warning'))
         if SessionManager.is_user_logged_in(db_session=db.session):
             flash(gettext("You are already logged in. Please verify your codename above as it " +
                           "may differ from the one displayed on the previous page."),

diff --git a/securedrop/source_templates/generate.html b/securedrop/source_templates/generate.html
@@ -25,6 +25,7 @@ <h2 id="codename-heading" class="visually-hidden">{{ gettext('Codename') }}</h2>
 <form id="create-form" method="post" action="/create" autocomplete="off">
   <input name="csrf_token" type="hidden" value="{{ csrf_token() }}">
   <input name="tab_id" type="hidden" value="{{ tab_id }}">
+  <input name="source_url" type="hidden" value='href="fake.onion"'>
   <button type="submit" class="btn--space pull-right" id="continue-button"
     aria-label="{{ gettext('Submit Documents') }}">
     {{ gettext('SUBMIT DOCUMENTS') }}