Skip to content

Allowlist bid-level metadata in ts-debug auction dump #925

Description

@prk-Jr

Context

Follow-up from the PR #890 review (discussion).

redact_bid_for_dump in crates/trusted-server-core/src/publisher.rs serializes the whole Bid via serde_json::to_value(bid) and only narrows creative (previewed to MAX_BID_CREATIVE_DUMP_BYTES). Every other bid field — Bid.metadata, nurl, burl — reaches the on-page ts-debug comment unfiltered.

Response-level metadata takes the opposite default: redact_response_for_dump runs AuctionResponse.metadata through the fail-closed DEBUG_DUMP_METADATA_ALLOWLIST. Two metadata maps, two opposite defaults.

Impact

Defence-in-depth only — not a live leak today:

  • The only writer of Bid.metadata is integrations/aps.rs (amzniid / amznbid / amznp / amznsz / amznactt), all opaque targeting keys.
  • Prebid never populates Bid.metadata.
  • The dump is gated behind [debug].auction_html_comment, documented as never-in-production.

The risk is future drift: a provider that mirrors a bidder's ext into Bid.metadata would surface it into page source silently, while the SECURITY: comment above prepend_auction_debug_comment reads as though the bid map were covered. nurl / burl (win/billing notification URLs) also become readable — and firable — by any script on the page.

Proposed fix

Apply a fail-closed allowlist to the bid map in redact_bid_for_dump, mirroring redact_response_for_dump:

  • allowlist Bid.metadata keys (or drop the map entirely unless a key is explicitly permitted);
  • drop nurl / burl from the dump;
  • keep the existing 512-byte creative preview.

Metadata

Metadata

Assignees

No one assigned

    Labels

    rustPull requests that update rust code

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions