From 56170e4af59f176965f732f481c958d23d61dc96 Mon Sep 17 00:00:00 2001
From: Jason Cameron
Date: Sun, 16 Nov 2025 18:34:36 -0500
Subject: [PATCH] fix(tests): make CVE-2025-24369 regression deterministic (#1285)

* fix(tests): make CVE-2025-24369 regression deterministic

* fix(tests): stabilize CVE-2025-24369 regression test by using invalid proof
---
 docs/docs/CHANGELOG.md | 1 +
 lib/anubis_test.go | 26 +++++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 250882b..0c5858d 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Allow Renovate as an OCI registry client.
 - Properly handle 4in6 addresses so that IP matching works with those addresses.
 - Add support to simple Valkey/Redis cluster mode
+- Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
 
 ## v1.23.1: Lyse Hext - Echo 1
 
diff --git a/lib/anubis_test.go b/lib/anubis_test.go
index 6df8fc4..b05196f 100644
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -152,6 +152,30 @@ func handleChallengeZeroDifficulty(t *testing.T, ts *httptest.Server, cli *http.
 return resp
 }
 
+func handleChallengeInvalidProof(t *testing.T, ts *httptest.Server, cli *http.Client, chall challengeResp) *http.Response {
+ t.Helper()
+
+ req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
+ if err != nil {
+ t.Fatalf("can't make request: %v", err)
+ }
+
+ q := req.URL.Query()
+ q.Set("response", strings.Repeat("f", 64)) // "hash" that never starts with the nonce
+ q.Set("nonce", "0")
+ q.Set("redir", "/")
+ q.Set("elapsedTime", "0")
+ q.Set("id", chall.ID)
+ req.URL.RawQuery = q.Encode()
+
+ resp, err := cli.Do(req)
+ if err != nil {
+ t.Fatalf("can't do request: %v", err)
+ }
+
+ return resp
+}
+
 type loggingCookieJar struct {
 t *testing.T
 cookies map[string][]*http.Cookie
@@ -247,7 +271,7 @@ func TestCVE2025_24369(t *testing.T) {
 cli := httpClient(t)
 chall := makeChallenge(t, ts, cli)
 
- resp := handleChallengeZeroDifficulty(t, ts, cli, chall)
+ resp := handleChallengeInvalidProof(t, ts, cli, chall)
 
 if resp.StatusCode == http.StatusFound {
 t.Log("Regression on CVE-2025-24369")
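Review bot: The comment on the `response` value in handleChallengeInvalidProof, `// "hash" that never starts with the nonce`, does not say what makes the proof invalid; the nonce is `"0"`, and what presumably matters is that a hex digest of 64 `f` characters has no leading zero nibbles and so cannot meet any positive difficulty. Suggest `// 64 hex 'f' chars: a digest with no leading zeros, so it fails any difficulty >= 1 regardless of nonce` so the next reader sees the rejection is deterministic by construction rather than by chance. The helper also duplicates the request-building of handleChallengeZeroDifficulty (whose body starts above this hunk) except for the query values; if that sibling has the same shape, a shared builder taking a `url.Values` would keep the two from drifting. Since the helper does not pin the challenge difficulty, whether the test still exercises the specific CVE-2025-24369 path rather than the generic invalid-hash rejection depends on what makeChallenge returns, which is not visible here.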
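Review bot: Nothing in TestCVE2025_24369 records why the invalid-proof helper replaced the zero-difficulty one, so the reasoning lives only in the commit message and changelog; a one-line comment above the call, `// Always-invalid proof: per the commit message the zero-difficulty submission failed only randomly, making the test flaky`, would keep it with the test. The `resp` returned on the changed line is not closed within the visible lines; if the test body beyond the hunk does not close it, add `defer resp.Body.Close()` after the call. TestCVE2025_24369 continues past the end of the hunk.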