From 75aa251406630350e08d58ff282ebfbe89cb790b Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Mon, 18 May 2026 20:59:36 -0400
Subject: [PATCH] fix(honeypot/naive): cap r9k delay to one second

Otherwise this can get unbounded, which can cause problems with lesser HTTP proxies such as Apache.

Ref: AWOO-002

Signed-off-by: Xe Iaso
---
 docs/docs/CHANGELOG.md | 1 +
 internal/honeypot/naive/naive.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 75186865..40463afe 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add config option to add ASN to logs/metrics.
 - Log weight when issuing challenge.
 - Gate pprof endpoints behind `metrics.debug` in the policy file.
+- Limit naive honeypot r9k delay to one second.
 - Fix `path_regex` and CEL `path` rules not matching when using Traefik `forwardAuth` middleware. Anubis now checks `X-Forwarded-Uri` (Traefik) in addition to `X-Original-URI` (nginx) when resolving the request path in subrequest mode ([#1628](https://github.com/TecharoHQ/anubis/issues/1628)).
 
 ## v1.25.0: Necron
diff --git a/internal/honeypot/naive/naive.go b/internal/honeypot/naive/naive.go
index 0c7083a4..c941e837 100644
--- a/internal/honeypot/naive/naive.go
+++ b/internal/honeypot/naive/naive.go
@@ -169,7 +169,7 @@ func (i *Impl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	millisecondAmount := math.Pow(float64(networkCount), 2)
+	millisecondAmount := min(math.Pow(float64(networkCount), 2), 1000)
 	time.Sleep(time.Duration(millisecondAmount) * time.Millisecond)
 
 	spins := i.makeSpins()
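Review bot: The cap bounds each individual delay, but the `time.Sleep` on the line after the changed one still holds the handler goroutine and its connection for the full delay even when the client has already gone away, so a burst of abandoned requests still ties up up to one second of server capacity each; sleeping under `r.Context()` releases that as soon as the client disconnects. The literal `1000` would also read better as a named constant next to the other r9k tuning, e.g. `const maxR9KDelayMillis = 1000`. Note that the `min` builtin needs Go 1.21 or later in go.mod, which this hunk does not show. ServeHTTP begins before and continues after this hunk.

```go
	millisecondAmount := min(math.Pow(float64(networkCount), 2), 1000)
	delay := time.Duration(millisecondAmount) * time.Millisecond
	// Stop waiting early if the client disconnects so the goroutine is not held for the full delay.
	timer := time.NewTimer(delay)
	defer timer.Stop()
	select {
	case <-r.Context().Done():
		return
	case <-timer.C:
	}
	// … unchanged: spins := i.makeSpins() and the rest of the response …
```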