Fix challenge validation panic when follow-up hits ALLOW (#1278)
* fix(localization): correct formatting of Swedish loading message * fix(main): correct formatting and improve readability in main.go * fix(challenge): add difficulty and policy rule hash to challenge metadata * docs(challenge): fix panic when validating challenges in privacy-mode browsers
This commit is contained in:
Jason Cameron
GitHub
parent
68fcc0c44f
commit
97ba84e26d
7 changed files with 126 additions and 23 deletions
|
|
@ -117,10 +117,12 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
|
|||
}
|
||||
|
||||
chall := challenge.Challenge{
|
||||
ID: id.String(),
|
||||
Method: rule.Challenge.Algorithm,
|
||||
RandomData: fmt.Sprintf("%x", randomData),
|
||||
IssuedAt: time.Now(),
|
||||
ID: id.String(),
|
||||
Method: rule.Challenge.Algorithm,
|
||||
RandomData: fmt.Sprintf("%x", randomData),
|
||||
IssuedAt: time.Now(),
|
||||
Difficulty: rule.Challenge.Difficulty,
|
||||
PolicyRuleHash: rule.Hash(),
|
||||
Metadata: map[string]string{
|
||||
"User-Agent": r.Header.Get("User-Agent"),
|
||||
"X-Real-Ip": r.Header.Get("X-Real-Ip"),
|
||||
|
|
@ -137,6 +139,44 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
|
|||
return &chall, err
|
||||
}
|
||||
|
||||
func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
|
||||
if chall == nil {
|
||||
return rule
|
||||
}
|
||||
|
||||
if rule == nil {
|
||||
rule = &policy.Bot{
|
||||
Rules: &checker.List{},
|
||||
}
|
||||
}
|
||||
|
||||
if chall.Difficulty == 0 {
|
||||
// fall back to whatever the policy currently says or the global default
|
||||
if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
|
||||
chall.Difficulty = rule.Challenge.Difficulty
|
||||
} else {
|
||||
chall.Difficulty = s.policy.DefaultDifficulty
|
||||
}
|
||||
}
|
||||
|
||||
if rule.Challenge == nil {
|
||||
lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
|
||||
rule.Challenge = &config.ChallengeRules{}
|
||||
}
|
||||
|
||||
if rule.Challenge.Difficulty == 0 {
|
||||
rule.Challenge.Difficulty = chall.Difficulty
|
||||
}
|
||||
if rule.Challenge.ReportAs == 0 {
|
||||
rule.Challenge.ReportAs = chall.Difficulty
|
||||
}
|
||||
if rule.Challenge.Algorithm == "" {
|
||||
rule.Challenge.Algorithm = chall.Method
|
||||
}
|
||||
|
||||
return rule
|
||||
}
|
||||
|
||||
func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
|
||||
s.maybeReverseProxy(w, r, true)
|
||||
}
|
||||
|
|
@ -461,6 +501,8 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
rule = s.hydrateChallengeRule(rule, chall, lg)
|
||||
|
||||
impl, ok := challenge.Get(chall.Method)
|
||||
if !ok {
|
||||
lg.Error("check failed", "err", err)
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package lib
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
|
|
@ -18,8 +19,10 @@ import (
|
|||
"github.com/TecharoHQ/anubis"
|
||||
"github.com/TecharoHQ/anubis/data"
|
||||
"github.com/TecharoHQ/anubis/internal"
|
||||
"github.com/TecharoHQ/anubis/lib/challenge"
|
||||
"github.com/TecharoHQ/anubis/lib/policy"
|
||||
"github.com/TecharoHQ/anubis/lib/policy/config"
|
||||
"github.com/TecharoHQ/anubis/lib/store"
|
||||
"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
|
||||
)
|
||||
|
||||
|
|
@ -1027,6 +1030,59 @@ func TestPassChallengeXSS(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestPassChallengeNilRuleChallengeFallback(t *testing.T) {
|
||||
pol := loadPolicies(t, "testdata/zero_difficulty.yaml", 0)
|
||||
|
||||
srv := spawnAnubis(t, Options{
|
||||
Next: http.NewServeMux(),
|
||||
Policy: pol,
|
||||
})
|
||||
|
||||
allowThreshold, err := policy.ParsedThresholdFromConfig(config.Threshold{
|
||||
Name: "allow-all",
|
||||
Expression: &config.ExpressionOrList{
|
||||
Expression: "true",
|
||||
},
|
||||
Action: config.RuleAllow,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("can't compile test threshold: %v", err)
|
||||
}
|
||||
srv.policy.Thresholds = []*policy.Threshold{allowThreshold}
|
||||
srv.policy.Bots = nil
|
||||
|
||||
chall := challenge.Challenge{
|
||||
ID: "test-challenge",
|
||||
Method: "metarefresh",
|
||||
RandomData: "apple cider",
|
||||
IssuedAt: time.Now().Add(-5 * time.Second),
|
||||
Difficulty: 1,
|
||||
}
|
||||
|
||||
j := store.JSON[challenge.Challenge]{Underlying: srv.store}
|
||||
if err := j.Set(context.Background(), "challenge:"+chall.ID, chall, time.Minute); err != nil {
|
||||
t.Fatalf("can't insert challenge into store: %v", err)
|
||||
}
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "https://example.com"+anubis.APIPrefix+"pass-challenge", nil)
|
||||
q := req.URL.Query()
|
||||
q.Set("redir", "/")
|
||||
q.Set("id", chall.ID)
|
||||
q.Set("challenge", chall.RandomData)
|
||||
req.URL.RawQuery = q.Encode()
|
||||
req.Header.Set("X-Real-Ip", "203.0.113.4")
|
||||
req.Header.Set("User-Agent", "NilChallengeTester/1.0")
|
||||
req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: chall.ID})
|
||||
|
||||
rr := httptest.NewRecorder()
|
||||
|
||||
srv.PassChallenge(rr, req)
|
||||
|
||||
if rr.Code != http.StatusFound {
|
||||
t.Fatalf("expected redirect when validating challenge, got %d", rr.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestXForwardedForNoDoubleComma(t *testing.T) {
|
||||
var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
|
||||
|
|
|
|||
|
|
@ -4,10 +4,12 @@ import "time"
|
|||
|
||||
// Challenge is the metadata about a single challenge issuance.
|
||||
type Challenge struct {
|
||||
ID string `json:"id"` // UUID identifying the challenge
|
||||
Method string `json:"method"` // Challenge method
|
||||
RandomData string `json:"randomData"` // The random data the client processes
|
||||
IssuedAt time.Time `json:"issuedAt"` // When the challenge was issued
|
||||
Metadata map[string]string `json:"metadata"` // Challenge metadata such as IP address and user agent
|
||||
Spent bool `json:"spent"` // Has the challenge already been solved?
|
||||
ID string `json:"id"` // UUID identifying the challenge
|
||||
Method string `json:"method"` // Challenge method
|
||||
RandomData string `json:"randomData"` // The random data the client processes
|
||||
IssuedAt time.Time `json:"issuedAt"` // When the challenge was issued
|
||||
Metadata map[string]string `json:"metadata"` // Challenge metadata such as IP address and user agent
|
||||
Spent bool `json:"spent"` // Has the challenge already been solved?
|
||||
Difficulty int `json:"difficulty,omitempty"` // Difficulty that was in effect when issued
|
||||
PolicyRuleHash string `json:"policyRuleHash,omitempty"` // Hash of the policy rule that issued this challenge
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ import (
|
|||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/TecharoHQ/anubis"
|
||||
"github.com/TecharoHQ/anubis/internal"
|
||||
"github.com/TecharoHQ/anubis/lib/challenge"
|
||||
"github.com/google/uuid"
|
||||
|
|
@ -19,5 +20,6 @@ func New(t *testing.T) *challenge.Challenge {
|
|||
ID: id.String(),
|
||||
RandomData: randomData,
|
||||
IssuedAt: time.Now(),
|
||||
Difficulty: anubis.DefaultDifficulty,
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ func TestLocalizationService(t *testing.T) {
|
|||
"vi": "Đang nạp...",
|
||||
"zh-CN": "加载中...",
|
||||
"zh-TW": "載入中...",
|
||||
"sv" : "Laddar...",
|
||||
"sv": "Laddar...",
|
||||
}
|
||||
|
||||
var keys []string
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue