fix(honeypot/naive): apply robot9001 style delays

Currently the honeypotting feature has no limits or delays anywhere and uses that to feed an internal greylist of IP networks. This can cause issues such as in #1613 where Claude's crawler seemed to pick up on it and egress data at over one megabit per second until the administrator noticed and blocked the address range. This takes a different approach by inspiration of how the classic #xkcd IRC bot Robot9000 works. The first time a given IPv4 /24 or IPv6 /48 visits a honepot page, Anubis sleeps for 1 millisecond. The second it sleeps for two milliseconds. The third is four milliseconds and so on. The goal of this is to make the scraping inherently self-limiting such that the scrapers go off in their own corner where they won't really hurt anyone. Let's see if this works out according to keikaku. Ref: https://github.com/TecharoHQ/anubis/issues/1613 Signed-off-by: Xe Iaso <me@xeiaso.net>
build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1629 )
2026-05-21 21:47:48 +00:00 · 2026-05-15 17:39:28 -04:00 · 2026-05-14 14:07:24 -04:00 · 2026-05-12 16:32:01 -04:00 · 2026-05-08 19:17:25 -04:00
6 changed files with 338 additions and 366 deletions
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- This changes the project to: -->

 - Patch [GHSA-6wcg-mqvh-fcvg](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg) by containing subrequest logic to Anubis instances in subrequest mode.
+- Implement robot9001 style delays on the honeypot feature so that the first hit takes 1 millisecond, the second takes 2, etc.
 - Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server).
 - Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
 - fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
@@ -106,7 +106,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.16.2 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -189,8 +189,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
 github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
-github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
-github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
+github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -5,6 +5,7 @@ import (
 	_ "embed"
 	"fmt"
 	"log/slog"
+	"math"
 	"math/rand/v2"
 	"net/http"
 	"net/netip"
@@ -168,6 +169,9 @@ func (i *Impl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}

+	millisecondAmount := math.Pow(float64(networkCount), 2)
+	time.Sleep(time.Duration(millisecondAmount) * time.Millisecond)
+
 	spins := i.makeSpins()
 	affirmations := i.makeAffirmations()
 	title := i.makeTitle()
@@ -20,11 +20,11 @@
  "author": "",
  "license": "ISC",
  "devDependencies": {
-    "@commitlint/cli": "^20.5.0",
-    "@commitlint/config-conventional": "^20.5.0",
-    "baseline-browser-mapping": "^2.10.15",
-    "cssnano": "^7.1.4",
-    "cssnano-preset-advanced": "^7.0.12",
+    "@commitlint/cli": "^20.5.3",
+    "@commitlint/config-conventional": "^20.5.3",
+    "baseline-browser-mapping": "^2.10.27",
+    "cssnano": "^7.1.8",
+    "cssnano-preset-advanced": "^7.0.16",
    "esbuild": "^0.28.0",
    "husky": "^9.1.7",
    "playwright": "^1.52.0",
@@ -32,7 +32,7 @@
    "postcss-import": "^16.1.1",
    "postcss-import-url": "^7.2.0",
    "postcss-url": "^10.1.3",
-    "prettier": "^3.8.1"
+    "prettier": "^3.8.3"
  },
  "dependencies": {
    "@aws-crypto/sha256-js": "^5.2.0",
Author	SHA1	Message	Date
Xe Iaso	caa4d1273e	fix(honeypot/naive): apply robot9001 style delays Currently the honeypotting feature has no limits or delays anywhere and uses that to feed an internal greylist of IP networks. This can cause issues such as in #1613 where Claude's crawler seemed to pick up on it and egress data at over one megabit per second until the administrator noticed and blocked the address range. This takes a different approach by inspiration of how the classic #xkcd IRC bot Robot9000 works. The first time a given IPv4 /24 or IPv6 /48 visits a honepot page, Anubis sleeps for 1 millisecond. The second it sleeps for two milliseconds. The third is four milliseconds and so on. The goal of this is to make the scraping inherently self-limiting such that the scrapers go off in their own corner where they won't really hurt anyone. Let's see if this works out according to keikaku. Ref: https://github.com/TecharoHQ/anubis/issues/1613 Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-05-15 17:39:28 -04:00
dependabot[bot]	9f479f578a	build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 (#1629 ) Signed-off-by: dependabot[bot] <support@github.com>	2026-05-14 14:07:24 -04:00
dependabot[bot]	c184028d42	build(deps-dev): bump the npm group across 1 directory with 6 updates (#1621 ) Bumps the npm group with 6 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@commitlint/cli](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/cli) \| `20.5.0` \| `20.5.3` \| \| [@commitlint/config-conventional](https://github.com/conventional-changelog/commitlint/tree/HEAD/@commitlint/config-conventional) \| `20.5.0` \| `20.5.3` \| \| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) \| `2.10.15` \| `2.10.27` \| \| [cssnano](https://github.com/cssnano/cssnano) \| `7.1.4` \| `7.1.8` \| \| [cssnano-preset-advanced](https://github.com/cssnano/cssnano) \| `7.0.12` \| `7.0.16` \| \| [prettier](https://github.com/prettier/prettier) \| `3.8.1` \| `3.8.3` \| Updates `@commitlint/cli` from 20.5.0 to 20.5.3 - [Release notes](https://github.com/conventional-changelog/commitlint/releases) - [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/cli/CHANGELOG.md) - [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/cli) Updates `@commitlint/config-conventional` from 20.5.0 to 20.5.3 - [Release notes](https://github.com/conventional-changelog/commitlint/releases) - [Changelog](https://github.com/conventional-changelog/commitlint/blob/master/@commitlint/config-conventional/CHANGELOG.md) - [Commits](https://github.com/conventional-changelog/commitlint/commits/v20.5.3/@commitlint/config-conventional) Updates `baseline-browser-mapping` from 2.10.15 to 2.10.27 - [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases) - [Commits](https://github.com/web-platform-dx/baseline-browser-mapping/compare/v2.10.15...v2.10.27) Updates `cssnano` from 7.1.4 to 7.1.8 - [Release notes](https://github.com/cssnano/cssnano/releases) - [Commits](https://github.com/cssnano/cssnano/compare/cssnano@7.1.4...cssnano@7.1.8) Updates `cssnano-preset-advanced` from 7.0.12 to 7.0.16 - [Release notes](https://github.com/cssnano/cssnano/releases) - [Commits](https://github.com/cssnano/cssnano/compare/cssnano-preset-advanced@7.0.12...cssnano-preset-advanced@7.0.16) Updates `prettier` from 3.8.1 to 3.8.3 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.8.1...3.8.3) --- updated-dependencies: - dependency-name: "@commitlint/cli" dependency-version: 20.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@commitlint/config-conventional" dependency-version: 20.5.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: baseline-browser-mapping dependency-version: 2.10.27 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: cssnano dependency-version: 7.1.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: cssnano-preset-advanced dependency-version: 7.0.16 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm - dependency-name: prettier dependency-version: 3.8.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2026-05-12 16:32:01 -04:00
Xe Iaso	0491f1fac2	fix: patch GHSA-6wcg-mqvh-fcvg (#1616 ) * fix: patch GHSA-6wcg-mqvh-fcvg PR https://github.com/TecharoHQ/anubis/pull/1015 added the ability for reverse proxies using Anubis in subrequest auth mode to look at the path of a request as there are many rules in the wild that rely on checking the path. This is how access to things like robots.txt or anything in the .well-known directory is unaffected by Anubis. However this logic was also enabled for non-subrequest deployments of Anubis, meaning that a specially crafted request could include a /.well-known/ path in it and then get around Anubis with little effort. This fix gates the logic behind a new plumbed variable named subrequestMode that only fires when Anubis is running in subrequest auth mode. This properly contains that workaround so that the logic does not fire in most deployments. Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-05-08 19:17:25 -04:00