Skip to content

ja*: Fix preserve logic to check for any header in fingerprint group#12811

Merged
bneradt merged 1 commit intoapache:masterfrom
bneradt:ja_fix_preserve_across_headers_asf
Jan 29, 2026
Merged

ja*: Fix preserve logic to check for any header in fingerprint group#12811
bneradt merged 1 commit intoapache:masterfrom
bneradt:ja_fix_preserve_across_headers_asf

Conversation

@bneradt
Copy link
Contributor

@bneradt bneradt commented Jan 14, 2026

Problem:
When --preserve was enabled and a request passed through multiple proxies, each header was checked individually. This could result in mismatched fingerprint data - for example, x-ja3-raw being added by a downstream proxy while x-ja3-sig was preserved from an upstream proxy.

Solution:
The JA3 and JA4 fingerprint plugins now check if ANY header in a fingerprint group exists before adding headers. If any header in the group exists, ALL headers in that group are skipped.

Changes:

  • ja3_fingerprint: Added group-level checks for JA3 headers
  • ja4_fingerprint: Added --preserve option and group-level check for JA4 headers
  • Updated tests to verify group-level preserve behavior

@bneradt bneradt added this to the 10.2.0 milestone Jan 14, 2026
@bneradt bneradt self-assigned this Jan 14, 2026
@bneradt bneradt added ja3_fingerprint ja4_fingerprint Work related to JA4 fingerprinting labels Jan 14, 2026
@bneradt bneradt force-pushed the ja_fix_preserve_across_headers_asf branch from 49e7f6f to a7a1dd3 Compare January 14, 2026 23:26
@bneradt bneradt changed the title Fix preserve logic to check for any header in fingerprint group ja*: Fix preserve logic to check for any header in fingerprint group Jan 21, 2026
@bryancall bryancall requested a review from Copilot January 26, 2026 22:52
Copilot AI reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the JA3 and JA4 fingerprint plugins’ --preserve behavior to operate at the “fingerprint group” level (skip adding all related headers if any already exist), preventing mixed upstream/downstream fingerprint header sets.

Changes:

  • JA3 plugin: add group-level “any JA3 header exists” check before adding JA3 headers.
  • JA4 plugin: add --preserve option plus group-level “any JA4 header exists” check before adding JA4 headers.
  • Tests/gold files updated to validate group-level preserve behavior for both plugins.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
plugins/ja3_fingerprint/ja3_fingerprint.cc Implements group-level preserve logic for JA3 header set.
plugins/experimental/ja4_fingerprint/plugin.cc Adds --preserve option parsing and group-level preserve logic for JA4 headers.
tests/gold_tests/pluginTest/ja4_fingerprint/ja4_fingerprint.test.py Adds test coverage for JA4 --preserve behavior.
tests/gold_tests/pluginTest/ja4_fingerprint/ja4_fingerprint.replay.yaml Extends replay scenarios to validate JA4 preserve cases.
tests/gold_tests/pluginTest/ja3_fingerprint/ja3_fingerprint.test.py Adjusts JA3 test assertions for group-level preserve behavior.
tests/gold_tests/pluginTest/ja3_fingerprint/ja3_fingerprint_global.replay.yaml Updates expected JA3 header presence/absence under preserve.
tests/gold_tests/pluginTest/ja3_fingerprint/modify-incoming-proxy.gold Updates expected internal proxy header output for modify-incoming + preserve.
tests/gold_tests/pluginTest/ja3_fingerprint/modify-sent-proxy-remap.gold Updates expected internal proxy header output for remap configuration.
tests/gold_tests/pluginTest/ja3_fingerprint/modify-sent-proxy-global.gold New gold file for global-plugin internal proxy header output expectations.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jasmine-nahrain
jasmine-nahrain previously approved these changes Jan 27, 2026
View reviewed changes
@bneradt
Fix preserve logic to check for any header in fingerprint group
0e83273 
Problem:
When --preserve was enabled and a request passed through multiple proxies,
each header was checked individually. This could result in mismatched
fingerprint data - for example, x-ja3-raw being added by a downstream proxy
while x-ja3-sig was preserved from an upstream proxy.

Solution:
The JA3 and JA4 fingerprint plugins now check if ANY header in a fingerprint
group exists before adding headers. If any header in the group exists, ALL
headers in that group are skipped.

Changes:
- ja3_fingerprint: Added group-level checks for JA3 headers
- ja4_fingerprint: Added --preserve option and group-level check for JA4 headers
- Updated tests to verify group-level preserve behavior
@bneradt bneradt force-pushed the ja_fix_preserve_across_headers_asf branch from a7a1dd3 to 0e83273 Compare January 28, 2026 21:00
@bneradt bneradt merged commit de11357 into apache:master Jan 29, 2026
15 checks passed
@bneradt bneradt deleted the ja_fix_preserve_across_headers_asf branch January 29, 2026 02:26
@github-project-automation github-project-automation bot moved this to For v10.1.1 in ATS v10.1.x Jan 29, 2026
@bneradt bneradt removed this from ATS v10.1.x Jan 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jasmine-nahrain jasmine-nahrain jasmine-nahrain approved these changes

Assignees

@bneradt bneradt

Labels

ja3_fingerprint ja4_fingerprint Work related to JA4 fingerprinting

Projects

None yet

Milestone

10.2.0

Development

Successfully merging this pull request may close these issues.

2 participants

@bneradt @jasmine-nahrain