fix(tests): make CVE-2025-24369 regression deterministic (#1285)

* fix(tests): make CVE-2025-24369 regression deterministic

* fix(tests): stabilize CVE-2025-24369 regression test by using invalid proof
This commit is contained in:
Jason Cameron 2025-11-16 18:34:36 -05:00 committed by GitHub
parent 9dd4de6f1f
commit 56170e4af5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 26 additions and 1 deletions

View file

@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Allow Renovate as an OCI registry client.
- Properly handle 4in6 addresses so that IP matching works with those addresses.
- Add support to simple Valkey/Redis cluster mode
- Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
## v1.23.1: Lyse Hext - Echo 1

View file

@ -152,6 +152,30 @@ func handleChallengeZeroDifficulty(t *testing.T, ts *httptest.Server, cli *http.
return resp
}
func handleChallengeInvalidProof(t *testing.T, ts *httptest.Server, cli *http.Client, chall challengeResp) *http.Response {
t.Helper()
req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
if err != nil {
t.Fatalf("can't make request: %v", err)
}
q := req.URL.Query()
q.Set("response", strings.Repeat("f", 64)) // "hash" that never starts with the nonce
q.Set("nonce", "0")
q.Set("redir", "/")
q.Set("elapsedTime", "0")
q.Set("id", chall.ID)
req.URL.RawQuery = q.Encode()
resp, err := cli.Do(req)
if err != nil {
t.Fatalf("can't do request: %v", err)
}
return resp
}
type loggingCookieJar struct {
t *testing.T
cookies map[string][]*http.Cookie
@ -247,7 +271,7 @@ func TestCVE2025_24369(t *testing.T) {
cli := httpClient(t)
chall := makeChallenge(t, ts, cli)
resp := handleChallengeZeroDifficulty(t, ts, cli, chall)
resp := handleChallengeInvalidProof(t, ts, cli, chall)
if resp.StatusCode == http.StatusFound {
t.Log("Regression on CVE-2025-24369")