From 56b134facd6f6a9152cd2e347d0df1bc495ab3fe Mon Sep 17 00:00:00 2001
From: Ehren Kret <ehren@signal.org>
Date: Mon, 30 Mar 2020 10:42:21 -0700
Subject: [PATCH] Change attachment key from long to base64 of 15 bytes

---
 .../controllers/AttachmentControllerV3.java    | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java
index ab2ce9250..f055c46fd 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AttachmentControllerV3.java
@@ -17,8 +17,10 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
 import java.security.InvalidKeyException;
+import java.security.SecureRandom;
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -34,11 +36,15 @@ public class AttachmentControllerV3 extends AttachmentControllerBase {
   @Nonnull
   private final CanonicalRequestSigner canonicalRequestSigner;
 
+  @Nonnull
+  private final SecureRandom secureRandom;
+
   public AttachmentControllerV3(@Nonnull RateLimiters rateLimiters, @Nonnull String domain, @Nonnull String email, int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
           throws IOException, InvalidKeyException {
     this.rateLimiter               = rateLimiters.getAttachmentLimiter();
     this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
     this.canonicalRequestSigner    = new CanonicalRequestSigner(rsaSigningKey);
+    this.secureRandom              = new SecureRandom();
   }
 
   @Timed
@@ -49,23 +55,29 @@ public class AttachmentControllerV3 extends AttachmentControllerBase {
     rateLimiter.validate(account.getNumber());
 
     final ZonedDateTime now                 = ZonedDateTime.now(ZoneOffset.UTC);
-    final String key                        = String.valueOf(generateAttachmentId());
+    final String key                        = generateAttachmentKey();
     final CanonicalRequest canonicalRequest = canonicalRequestGenerator.createFor(key, now);
 
     return new AttachmentDescriptorV3(2, key, getHeaderMap(canonicalRequest), getSignedUploadLocation(canonicalRequest));
   }
 
-  public String getSignedUploadLocation(@Nonnull CanonicalRequest canonicalRequest) {
+  private String getSignedUploadLocation(@Nonnull CanonicalRequest canonicalRequest) {
     return "https://" + canonicalRequest.getDomain() + canonicalRequest.getResourcePath()
             + '?' + canonicalRequest.getCanonicalQuery()
             + "&X-Goog-Signature=" + canonicalRequestSigner.sign(canonicalRequest);
   }
 
-  public static Map<String, String> getHeaderMap(@Nonnull CanonicalRequest canonicalRequest) {
+  private static Map<String, String> getHeaderMap(@Nonnull CanonicalRequest canonicalRequest) {
     Map<String, String> result = new HashMap<>(3);
     result.put("host", canonicalRequest.getDomain());
     result.put("x-goog-content-length-range", "1," + canonicalRequest.getMaxSizeInBytes());
     result.put("x-goog-resumable", "start");
     return result;
   }
+
+  private String generateAttachmentKey() {
+    final byte[] bytes = new byte[15];
+    secureRandom.nextBytes(bytes);
+    return Base64.getUrlEncoder().encodeToString(bytes);
+  }
 }