From 0f480571e85e6ea8e13e7e21eb37ade9a9050668 Mon Sep 17 00:00:00 2001
From: Luke Barnard
Date: Wed, 25 Apr 2018 14:23:31 +0100
Subject: [PATCH] Track true origin, do not track unexpected hashes
---
 src/Analytics.js | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/Analytics.js b/src/Analytics.js
index 2ef058b11b..b8b98e303b 100644
--- a/src/Analytics.js
+++ b/src/Analytics.js
@@ -20,13 +20,24 @@ import SdkConfig, { DEFAULTS } from './SdkConfig';
 import Modal from './Modal';
 import sdk from './index';
-function getRedactedHash() {
- return window.location.hash.replace(/#\/(group|room|user)\/(.+)/, "#/$1/");
+const hashRegex = /#\/(group|room|user)\/(.+)/;
+
+// Remove all but the first item in the hash path. Redact unexpected hashes.
+function getRedactedHash(hash) {
+ // Don't leak URLs we aren't expecting - they could contain tokens/PPI
+ const match = hashRegex.exec(hash);
+ if (!match) {
+ console.warn(`Unexpected hash location "${hash}"`);
+ return '#/';
+ }
+
+ return hash.replace(hashRegex, "#/$1");
 }
+// Return the current origin and hash separated with a `/`. This does not include query parameters.
 function getRedactedUrl() {
- // hardcoded url to make piwik happy
- return 'https://riot.im/app/' + getRedactedHash();
+ const { origin, hash } = window.location;
+ return origin + '/' + getRedactedHash(hash);
 }
 const customVariables = {
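Review bot: `hashRegex` has no `^` anchor, so in `getRedactedHash` both `hashRegex.exec(hash)` and `hash.replace(hashRegex, "#/$1")` act on the first match anywhere in the fragment, and any text in front of that match is returned unredacted and presumably passed on to the tracker by `getRedactedUrl`. A fragment that merely contains a later `#/room/...` therefore passes the "expected" check with its leading part intact, which is the leak the new comment sets out to prevent; anchoring the pattern closes it: `const hashRegex = /^#\/(group|room|user)\/(.+)/;`. Separately, the `console.warn` in the `!match` branch writes the full unexpected hash to the console even though the comment above it says that value may hold tokens. If console output is ever collected or shared, a fixed message such as `console.warn('Unexpected hash location, not tracked');` avoids that.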