Context
Follow-up from the PR #890 review (discussion).
redact_bid_for_dump in crates/trusted-server-core/src/publisher.rs serializes the whole Bid via serde_json::to_value(bid) and only narrows creative (previewed to MAX_BID_CREATIVE_DUMP_BYTES). Every other bid field — Bid.metadata, nurl, burl — reaches the on-page ts-debug comment unfiltered.
Response-level metadata takes the opposite default: redact_response_for_dump runs AuctionResponse.metadata through the fail-closed DEBUG_DUMP_METADATA_ALLOWLIST. Two metadata maps, two opposite defaults.
Impact
Defence-in-depth only — not a live leak today:
- The only writer of
Bid.metadata is integrations/aps.rs (amzniid / amznbid / amznp / amznsz / amznactt), all opaque targeting keys.
- Prebid never populates
Bid.metadata.
- The dump is gated behind
[debug].auction_html_comment, documented as never-in-production.
The risk is future drift: a provider that mirrors a bidder's ext into Bid.metadata would surface it into page source silently, while the SECURITY: comment above prepend_auction_debug_comment reads as though the bid map were covered. nurl / burl (win/billing notification URLs) also become readable — and firable — by any script on the page.
Proposed fix
Apply a fail-closed allowlist to the bid map in redact_bid_for_dump, mirroring redact_response_for_dump:
- allowlist
Bid.metadata keys (or drop the map entirely unless a key is explicitly permitted);
- drop
nurl / burl from the dump;
- keep the existing 512-byte
creative preview.
Context
Follow-up from the PR #890 review (discussion).
redact_bid_for_dumpincrates/trusted-server-core/src/publisher.rsserializes the wholeBidviaserde_json::to_value(bid)and only narrowscreative(previewed toMAX_BID_CREATIVE_DUMP_BYTES). Every other bid field —Bid.metadata,nurl,burl— reaches the on-pagets-debugcomment unfiltered.Response-level metadata takes the opposite default:
redact_response_for_dumprunsAuctionResponse.metadatathrough the fail-closedDEBUG_DUMP_METADATA_ALLOWLIST. Two metadata maps, two opposite defaults.Impact
Defence-in-depth only — not a live leak today:
Bid.metadataisintegrations/aps.rs(amzniid/amznbid/amznp/amznsz/amznactt), all opaque targeting keys.Bid.metadata.[debug].auction_html_comment, documented as never-in-production.The risk is future drift: a provider that mirrors a bidder's
extintoBid.metadatawould surface it into page source silently, while theSECURITY:comment aboveprepend_auction_debug_commentreads as though the bid map were covered.nurl/burl(win/billing notification URLs) also become readable — and firable — by any script on the page.Proposed fix
Apply a fail-closed allowlist to the bid map in
redact_bid_for_dump, mirroringredact_response_for_dump:Bid.metadatakeys (or drop the map entirely unless a key is explicitly permitted);nurl/burlfrom the dump;creativepreview.