v1.15.1: Zenos yae Galvus: Echo 1 (#181)

* version 1.15.0 (#144)

Signed-off-by: Xe Iaso <me@xeiaso.net>

* cmd/anubis actually check the result with the correct difficulty

Signed-off-by: Xe Iaso <me@xeiaso.net>

* v1.15.1: Zenos yae Galvus: Echo 1

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Henri Vasserman <henv@hot.ee>

VERSION

@@ -1 +1 @@
-1.14.2
+1.15.1

docs/docs/CHANGELOG.md

@@ -11,7 +11,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v1.15.1
+
+Zenos yae Galvus: Echo 1
+
+Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f)
+due to an incorrect logic change in a refactor. This allows an attacker to mint a valid
+access token by passing any SHA-256 hash instead of one that matches the proof-of-work
+test.
+
+This case has been added as a regression test. It was not when CVE-2025-24369 was released
+due to the project not having the maturity required to enable this kind of regression testing.
+
+## v1.15.0
+
+Zenos yae Galvus
+
+> Yes...the coming days promise to be most interesting. Most interesting.
+
+Headline changes:
+
 - ed25519 signing keys for Anubis can be stored in the flag `--ed25519-private-key-hex` or envvar `ED25519_PRIVATE_KEY_HEX`; if one is not provided when Anubis starts, a new one is generated and logged
+- Add the ability to set the cookie domain with the envvar `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
+- Add the ability to set the cookie partitioned flag with the envvar `COOKIE_PARTITIONED=true`
+
+Many other small changes were made, including but not limited to:
+
 - Fixed and clarified installation instructions
 - Introduced integration tests using Playwright
 - Refactor & Split up Anubis into cmd and lib.go
@@ -19,10 +44,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix default difficulty setting that was broken in a refactor
 - Linting fixes
 - Make dark mode diff lines readable in the documentation
-- Add the ability to set the cookie domain with the envvar `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
-- Add the ability to set the cookie partitioned flag with the envvar `COOKIE_PARTITIONED=true`
 - Fix CI based browser smoke test
 
+Users running Anubis' test suite may run into issues with the integration tests on Windows hosts. This is a known issue and will be fixed at some point in the future. In the meantime, use the Windows Subsystem for Linux (WSL).
+
 ## v1.14.2
 
 Livia sas Junius: Echo 2

lib/anubis.go

@@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
 }
 
 type Server struct {
-	mux                 *http.ServeMux
+	mux        *http.ServeMux
-	next                http.Handler
+	next       http.Handler
-	priv                ed25519.PrivateKey
+	priv       ed25519.PrivateKey
-	pub                 ed25519.PublicKey
+	pub        ed25519.PublicKey
-	policy              *policy.ParsedConfig
+	policy     *policy.ParsedConfig
-	opts                Options
+	opts       Options
-	DNSBLCache          *decaymap.Impl[string, dnsbl.DroneBLResponse]
+	DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
-	ChallengeDifficulty int
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -428,9 +427,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// compare the leading zeroes
-	if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
+	if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
 		s.ClearCookie(w)
-		lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
+		lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
 		return