Validate synthetic ID format on inbound header and cookie values

Inbound synthetic IDs from the x-synthetic-id header and synthetic_id
cookie were accepted without validation. An attacker could inject
arbitrary strings — including very long values, special characters, or
newlines — which were then set as response headers, cookies, and
forwarded to third-party APIs.

Adds a private is_valid_synthetic_id() validator enforcing the canonical
format (64 lowercase hex chars + '.' + 6 alphanumeric chars). The length
check is O(1) and runs first to bound all downstream work. Invalid values
are silently discarded and a fresh ID is generated in their place; the
raw value is never written to logs.

Also adds a debug_assert! in generate_synthetic_id() to catch any future
regression in the generator, moves VALID_SYNTHETIC_ID to test_support so
it is shared across all test modules, and demotes synthetic ID values from
INFO to DEBUG in log output to avoid recording pseudonymous identifiers in
production log pipelines.

Closes #412

Author: prk-Jr

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+
+- Validate synthetic ID format on inbound values from the `x-synthetic-id` header and `synthetic_id` cookie; values that do not match the expected format (`64-hex-hmac.6-alphanumeric-suffix`) are discarded and a fresh ID is generated rather than forwarded to response headers, cookies, or third-party APIs
+
 ### Added
 
 - Implemented basic authentication for configurable endpoint paths (#73)

crates/common/src/integrations/registry.rs

@@ -1310,8 +1310,15 @@ mod tests {
         let registry = IntegrationRegistry::from_routes(routes);
 
         let mut req = Request::get("https://test.example.com/integrations/test/synthetic");
-        // Pre-existing cookie
-        req.set_header(header::COOKIE, "synthetic_id=existing_id_12345");
+        // Pre-existing cookie with a valid-format synthetic ID
+        req.set_header(
+            header::COOKIE,
+            format!(
+                "{}={}",
+                crate::constants::COOKIE_SYNTHETIC_ID,
+                crate::test_support::tests::VALID_SYNTHETIC_ID
+            ),
+        );
 
         let result = futures::executor::block_on(registry.handle_proxy(
             &Method::GET,

crates/common/src/proxy.rs

@@ -1291,7 +1291,8 @@ mod tests {
                 sig
             ),
         );
-        req.set_header(crate::constants::HEADER_X_SYNTHETIC_ID, "synthetic-123");
+        let valid_synthetic_id = crate::test_support::tests::VALID_SYNTHETIC_ID;
+        req.set_header(crate::constants::HEADER_X_SYNTHETIC_ID, valid_synthetic_id);
 
         let resp = handle_first_party_click(&settings, req)
             .await
@@ -1309,7 +1310,7 @@ mod tests {
         assert_eq!(pairs.remove("foo").as_deref(), Some("1"));
         assert_eq!(
             pairs.remove("synthetic_id").as_deref(),
-            Some("synthetic-123")
+            Some(valid_synthetic_id)
         );
         assert!(pairs.is_empty());
     }