Merge branch 'main' into Xe/small-sec-fixes
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>
@@ -38,6 +38,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||||||
- Validate bounds in the CEL `randInt` helper so non-positive or platform-overflowing arguments surface a typed CEL error instead of an evaluator panic.
|
- Validate bounds in the CEL `randInt` helper so non-positive or platform-overflowing arguments surface a typed CEL error instead of an evaluator panic.
|
||||||
- Pin docs deployment images to immutable digests with `imagePullPolicy: IfNotPresent`, and have the docs-deploy workflow overlay the just-built digest via `kustomize edit set image` so each rollout references an auditable artifact instead of a floating `:main` tag. The docs `Dockerfile` now pins `node` and `nginx-micro` base images to specific versions.
|
- Pin docs deployment images to immutable digests with `imagePullPolicy: IfNotPresent`, and have the docs-deploy workflow overlay the just-built digest via `kustomize edit set image` so each rollout references an auditable artifact instead of a floating `:main` tag. The docs `Dockerfile` now pins `node` and `nginx-micro` base images to specific versions.
|
||||||
- Fix a race in the bbolt store where the asynchronous cleanup scheduled by an expired read could delete a value that had just been refreshed; the delete now only fires when the key still carries the same expired generation it observed.
|
- Fix a race in the bbolt store where the asynchronous cleanup scheduled by an expired read could delete a value that had just been refreshed; the delete now only fires when the key still carries the same expired generation it observed.
|
||||||
|
- Marginally increase the performances of requests processing
|
||||||
|
- Marginally improve the performances of PoW validation
|
||||||
|
|
||||||
## v1.25.0: Necron
|
## v1.25.0: Necron
|
||||||
|
|
||||||
|
|||||||
+2
-3
@@ -11,9 +11,8 @@ import (
|
|||||||
// SHA256sum computes a cryptographic hash. Still used for proof-of-work challenges
|
// SHA256sum computes a cryptographic hash. Still used for proof-of-work challenges
|
||||||
// where we need the security properties of a cryptographic hash function.
|
// where we need the security properties of a cryptographic hash function.
|
||||||
func SHA256sum(text string) string {
|
func SHA256sum(text string) string {
|
||||||
hash := sha256.New()
|
sum := sha256.Sum256([]byte(text))
|
||||||
hash.Write([]byte(text))
|
return hex.EncodeToString(sum[:])
|
||||||
return hex.EncodeToString(hash.Sum(nil))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// FastHash is a high-performance non-cryptographic hash function suitable for
|
// FastHash is a high-performance non-cryptographic hash function suitable for
|
||||||
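Review bot: The doc comment on SHA256sum does not state the output encoding, yet the proof-of-work Validate path in this same commit compares the result byte-for-byte against a client-supplied string with subtle.ConstantTimeCompare, so the encoding is part of the contract; hex.EncodeToString emits lowercase hex, so an uppercase response from a client fails validation. Suggest extending the comment with `// The result is the lowercase hexadecimal encoding of SHA-256(text), 64 characters; callers comparing it to external input must match that form exactly.`. The switch from sha256.New plus Write to sha256.Sum256 over the same bytes produces the same digest, so the change is otherwise behaviour-preserving.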
|
|||||||
@@ -45,7 +45,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
|
|||||||
return chall.NewError("validate", "invalid response", fmt.Errorf("%w nonce", chall.ErrMissingField))
|
return chall.NewError("validate", "invalid response", fmt.Errorf("%w nonce", chall.ErrMissingField))
|
||||||
}
|
}
|
||||||
|
|
||||||
nonce, err := strconv.Atoi(nonceStr)
|
_, err := strconv.Atoi(nonceStr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return chall.NewError("validate", "invalid response", fmt.Errorf("%w: nonce: %w", chall.ErrInvalidFormat, err))
|
return chall.NewError("validate", "invalid response", fmt.Errorf("%w: nonce: %w", chall.ErrInvalidFormat, err))
|
||||||
|
|
||||||
@@ -66,7 +66,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
|
|||||||
return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
|
return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
|
||||||
}
|
}
|
||||||
|
|
||||||
calcString := fmt.Sprintf("%s%d", challenge, nonce)
|
calcString := challenge + nonceStr
|
||||||
calculated := internal.SHA256sum(calcString)
|
calculated := internal.SHA256sum(calcString)
|
||||||
|
|
||||||
if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
|
if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
|
||||||
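Review bot: The parsed nonce is now discarded (`_, err := strconv.Atoi(nonceStr)`) while the hash input becomes `challenge + nonceStr`, so the Atoi call survives only as a format guard and that intent is not written down; a later cleanup could remove the apparently unused parse and with it the bound on the nonce's character set and length. Suggest a comment on that line: `// Atoi is kept only as a format/size guard: the hash is computed over the raw nonce text the client sent, so it must be used verbatim.`. Note also that this changes behaviour for inputs Atoi accepts but %d would have canonicalised (a leading '+' or leading zeros): they are now hashed as sent rather than re-formatted, which is the right thing for matching a client-side hash but is worth a line in the changelog if any client canonicalises its nonce. Validate begins and ends outside the hunk.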
|
|||||||
+15
-4
@@ -1,8 +1,6 @@
|
|||||||
package policy
|
package policy
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"github.com/TecharoHQ/anubis/internal"
|
"github.com/TecharoHQ/anubis/internal"
|
||||||
"github.com/TecharoHQ/anubis/lib/config"
|
"github.com/TecharoHQ/anubis/lib/config"
|
||||||
"github.com/TecharoHQ/anubis/lib/policy/checker"
|
"github.com/TecharoHQ/anubis/lib/policy/checker"
|
||||||
@@ -13,9 +11,22 @@ type Bot struct {
|
|||||||
Challenge *config.ChallengeRules
|
Challenge *config.ChallengeRules
|
||||||
Weight *config.Weight
|
Weight *config.Weight
|
||||||
Name string
|
Name string
|
||||||
Action config.Rule
|
// hash caches the result of Hash() when populated at parse time, see ParseConfig
|
||||||
|
hash string
|
||||||
|
Action config.Rule
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Hash returns a stable identifier for this Bot derived from its Name
|
||||||
|
// and Rules. When the cached value is present (populated by
|
||||||
|
// ParseConfig) it is returned directly; otherwise the hash is
|
||||||
|
// recomputed on demand so callers do not have to know about the cache.
|
||||||
func (b Bot) Hash() string {
|
func (b Bot) Hash() string {
|
||||||
return internal.FastHash(fmt.Sprintf("%s::%s", b.Name, b.Rules.Hash()))
|
if b.hash != "" {
|
||||||
|
return b.hash
|
||||||
|
}
|
||||||
|
var rulesHash string
|
||||||
|
if b.Rules != nil { // defensive, should never happen
|
||||||
|
rulesHash = b.Rules.Hash()
|
||||||
|
}
|
||||||
|
return internal.FastHash(b.Name + "::" + rulesHash)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -219,6 +219,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
|
|||||||
result.Impressum = c.Impressum
|
result.Impressum = c.Impressum
|
||||||
|
|
||||||
parsedBot.Rules = cl
|
parsedBot.Rules = cl
|
||||||
|
parsedBot.hash = parsedBot.Hash()
|
||||||
|
|
||||||
result.Bots = append(result.Bots, parsedBot)
|
result.Bots = append(result.Bots, parsedBot)
|
||||||
}
|
}
|
||||||
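Review bot: The guard comment in Hash(), `if b.Rules != nil { // defensive, should never happen`, sits on the branch that is expected to run, so it reads as if a non-nil Rules were the anomaly; reword it to describe the guarded case, e.g. `if b.Rules != nil { // Rules is nil only for a zero-value Bot; guard so Hash() cannot panic`. Separately, the cache is filled once in ParseConfig (`parsedBot.hash = parsedBot.Hash()`) and never invalidated, so any later assignment to Name or Rules would leave Hash() returning a stale identifier; the Hash doc comment should state that the cached value is only valid while Name and Rules are unchanged after ParseConfig (I cannot see other writers of those fields from this hunk). When Rules is non-nil the hashed string `Name + "::" + rulesHash` is identical to the previous fmt.Sprintf form, so existing identifiers stay stable.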
|
|||||||
+491
-373
+6
-6
@@ -20,11 +20,11 @@
|
|||||||
"author": "",
|
"author": "",
|
||||||
"license": "ISC",
|
"license": "ISC",
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@commitlint/cli": "^20.5.3",
|
"@commitlint/cli": "^21.0.1",
|
||||||
"@commitlint/config-conventional": "^20.5.3",
|
"@commitlint/config-conventional": "^21.0.1",
|
||||||
"baseline-browser-mapping": "^2.10.27",
|
"baseline-browser-mapping": "^2.10.30",
|
||||||
"cssnano": "^7.1.8",
|
"cssnano": "^8.0.1",
|
||||||
"cssnano-preset-advanced": "^7.0.16",
|
"cssnano-preset-advanced": "^8.0.1",
|
||||||
"esbuild": "^0.28.0",
|
"esbuild": "^0.28.0",
|
||||||
"husky": "^9.1.7",
|
"husky": "^9.1.7",
|
||||||
"playwright": "^1.52.0",
|
"playwright": "^1.52.0",
|
||||||
@@ -36,7 +36,7 @@
|
|||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@aws-crypto/sha256-js": "^5.2.0",
|
"@aws-crypto/sha256-js": "^5.2.0",
|
||||||
"preact": "^10.29.1"
|
"preact": "^10.29.2"
|
||||||
},
|
},
|
||||||
"commitlint": {
|
"commitlint": {
|
||||||
"extends": [
|
"extends": [
|
||||||
|
|||||||