mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-04-05 08:18:17 +00:00
Compare commits
6 Commits
Xe/redirec
...
json/signi
| Author | SHA1 | Date | |
|---|---|---|---|
|
ff73c32736 | ||
|
|
f0199d014f | ||
|
|
75109f6b73 | ||
|
|
c43d7ca686 | ||
|
|
5d5c39e123 | ||
|
|
d35e47c655 |
1
.github/PULL_REQUEST_TEMPLATE.md
vendored
1
.github/PULL_REQUEST_TEMPLATE.md
vendored
@@ -9,3 +9,4 @@ Checklist:
|
||||
- [ ] Added a description of the changes to the `[Unreleased]` section of docs/docs/CHANGELOG.md
|
||||
- [ ] Added test cases to [the relevant parts of the codebase](https://anubis.techaro.lol/docs/developer/code-quality)
|
||||
- [ ] Ran integration tests `npm run test:integration` (unsupported on Windows, please use WSL)
|
||||
- [ ] All of my commits have [verified signatures](https://anubis.techaro.lol/docs/developer/signed-commits)
|
||||
|
||||
1
.github/actions/spelling/excludes.txt
vendored
1
.github/actions/spelling/excludes.txt
vendored
@@ -88,6 +88,7 @@
|
||||
^docs/manifest/.*$
|
||||
^docs/static/\.nojekyll$
|
||||
^lib/policy/config/testdata/bad/unparseable\.json$
|
||||
^internal/glob/glob_test.go$
|
||||
ignore$
|
||||
robots.txt
|
||||
^lib/localization/locales/.*\.json$
|
||||
|
||||
@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
- Document missing environment variables in installation guide: `SLOG_LEVEL`, `COOKIE_PREFIX`, `FORCED_LANGUAGE`, and `TARGET_DISABLE_KEEPALIVE` ([#1086](https://github.com/TecharoHQ/anubis/pull/1086))
|
||||
|
||||
<!-- This changes the project to: -->
|
||||
|
||||
## v1.22.0: Yda Hext
|
||||
@@ -43,6 +45,7 @@ A new ["proof of React"](./admin/configuration/challenges/preact.mdx) has been a
|
||||
- Add a default block rule for Alibaba Cloud.
|
||||
- Added support to use Traefik forwardAuth middleware.
|
||||
- Add X-Request-URI support so that Subrequest Authentication has path support.
|
||||
- Added glob matching for `REDIRECT_DOMAINS`. You can pass `*.bugs.techaro.lol` to allow redirecting to anything ending with `.bugs.techaro.lol`. There is a limit of 4 wildcards.
|
||||
|
||||
### Fixes
|
||||
|
||||
|
||||
@@ -197,6 +197,96 @@ $ du -hs *
|
||||
8.0K reject.webp
|
||||
```
|
||||
|
||||
## Custom HTML templates
|
||||
|
||||
If you need to completely control the HTML layout of all Anubis pages, you can customize the entire page with `USE_TEMPLATES=true`. This uses Go's standard library [html/template](https://pkg.go.dev/html/template) package to template HTML responses. In order to use this, you must define the following templates:
|
||||
|
||||
| Template path | Usage |
|
||||
| :----------------------------------------- | :---------------------------------------------- |
|
||||
| `$OVERLAY_FOLDER/templates/challenge.tmpl` | Challenge pages |
|
||||
| `$OVERLAY_FOLDER/templates/error.tmpl` | Error pages |
|
||||
| `$OVERLAY_FOLDER/templates/impressum.tmpl` | [Impressum](./configuration/impressum.mdx) page |
|
||||
|
||||
Here are minimal (but working) examples for each template:
|
||||
|
||||
<details>
|
||||
<summary>`challenge.tmpl`</summary>
|
||||
|
||||
:::note
|
||||
|
||||
You **MUST** include the `{{.Head}}` segment in a `<head>` tag. It contains important information for challenges to execute. If you don't include this, no clients will be able to pass challenges.
|
||||
|
||||
:::
|
||||
|
||||
```html
|
||||
<!DOCTYPE html>
|
||||
<html lang="{{ .Lang }}">
|
||||
<head>
|
||||
{{ .Head }}
|
||||
</head>
|
||||
<body>
|
||||
{{ .Body }}
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>`error.tmpl`</summary>
|
||||
|
||||
```html
|
||||
<!DOCTYPE html>
|
||||
<html lang="{{ .Lang }}">
|
||||
<body>
|
||||
{{ .Body }}
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>`impressum.tmpl`</summary>
|
||||
|
||||
```html
|
||||
<!DOCTYPE html>
|
||||
<html lang="{{ .Lang }}">
|
||||
<body>
|
||||
{{ .Body }}
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
### Template functions
|
||||
|
||||
In order to make life easier, the following template functions are defined:
|
||||
|
||||
#### `Asset`
|
||||
|
||||
Constructs the path for a static asset in the [overlay folder](#custom-images-and-css)'s `static` directory.
|
||||
|
||||
```go
|
||||
func Asset(string) string
|
||||
```
|
||||
|
||||
Usage:
|
||||
|
||||
```html
|
||||
<link rel="stylesheet" href="{{ Asset "css/example.css" }}" />
|
||||
```
|
||||
|
||||
Generates:
|
||||
|
||||
```html
|
||||
<link
|
||||
rel="stylesheet"
|
||||
href="/.within.website/x/cmd/anubis/static/css/example.css"
|
||||
/>
|
||||
```
|
||||
|
||||
## Customizing messages
|
||||
|
||||
You can customize messages using the following environment variables:
|
||||
|
||||
@@ -59,7 +59,7 @@ Currently the following settings are configurable via the policy file:
|
||||
Anubis uses these environment variables for configuration:
|
||||
|
||||
| Environment Variable | Default value | Explanation |
|
||||
| :----------------------------- | :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
|:-------------------------------|:------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `BASE_PREFIX` | unset | If set, adds a global prefix to all Anubis endpoints (everything starting with `/.within.website/x/anubis/`). For example, setting this to `/myapp` would make Anubis accessible at `/myapp/` instead of `/`. This is useful when running Anubis behind a reverse proxy that routes based on path prefixes. |
|
||||
| `BIND` | `:8923` | The network address that Anubis listens on. For `unix`, set this to a path: `/run/anubis/instance.sock` |
|
||||
| `BIND_NETWORK` | `tcp` | The address family that Anubis listens on. Accepts `tcp`, `unix` and anything Go's [`net.Listen`](https://pkg.go.dev/net#Listen) supports. |
|
||||
@@ -67,6 +67,7 @@ Anubis uses these environment variables for configuration:
|
||||
| `COOKIE_DYNAMIC_DOMAIN` | false | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`. |
|
||||
| `COOKIE_EXPIRATION_TIME` | `168h` | The amount of time the authorization cookie is valid for. |
|
||||
| `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. |
|
||||
| `COOKIE_PREFIX` | `anubis-cookie` | The prefix used for browser cookies created by Anubis. Useful for customization or avoiding conflicts with other applications. |
|
||||
| `COOKIE_SECURE` | `true` | If set to `true`, enables the [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies), meaning that the cookies will only be transmitted over HTTPS. If Anubis is used in an unsecure context (plain HTTP), this will be need to be set to false |
|
||||
| `DIFFICULTY` | `4` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. |
|
||||
| `ED25519_PRIVATE_KEY_HEX` | unset | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. When running multiple instances on the same base domain, the key must be the same across all instances. See below for details. |
|
||||
@@ -81,6 +82,7 @@ Anubis uses these environment variables for configuration:
|
||||
| `PUBLIC_URL` | unset | The externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for Traefik forwardAuth). |
|
||||
| `REDIRECT_DOMAINS` | unset | If set, restrict the domains that Anubis can redirect to when passing a challenge.<br/><br/>If this is unset, Anubis may redirect to any domain which could cause security issues in the unlikely case that an attacker passes a challenge for your browser and then tricks you into clicking a link to your domain.<br/><br/>Note that if you are hosting Anubis on a non-standard port (`https://example:com:8443`, `http://www.example.net:8080`, etc.), you must also include the port number here. |
|
||||
| `SERVE_ROBOTS_TXT` | `false` | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file. |
|
||||
| `SLOG_LEVEL` | `INFO` | The log level for structured logging. Valid values are `DEBUG`, `INFO`, `WARN`, and `ERROR`. Set to `DEBUG` to see all requests, evaluations, and detailed diagnostic information. |
|
||||
| `SOCKET_MODE` | `0770` | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets. |
|
||||
| `STRIP_BASE_PREFIX` | `false` | If set to `true`, strips the base prefix from request paths when forwarding to the target server. This is useful when your target service expects to receive requests without the base prefix. For example, with `BASE_PREFIX=/foo` and `STRIP_BASE_PREFIX=true`, a request to `/foo/bar` would be forwarded to the target as `/bar`. |
|
||||
| `TARGET` | `http://localhost:3923` | The URL of the service that Anubis should forward valid requests to. Supports Unix domain sockets, set this to a URI like so: `unix:///path/to/socket.sock`. |
|
||||
@@ -100,10 +102,12 @@ If you don't know or understand what these settings mean, ignore them. These are
|
||||
|
||||
| Environment Variable | Default value | Explanation |
|
||||
| :---------------------------- | :------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| `TARGET_SNI` | unset | If set, overrides the TLS handshake hostname in requests forwarded to `TARGET`. |
|
||||
| `FORCED_LANGUAGE` | unset | If set, forces Anubis to display challenge pages in the specified language instead of using the browser's Accept-Language header. Use ISO 639-1 language codes (e.g., `de` for German, `fr` for French). |
|
||||
| `HS512_SECRET` | unset | Secret string for JWT HS512 algorithm. If this is not set, Anubis will use ED25519 as defined via the variables above. The longer the better; 128 chars should suffice. |
|
||||
| `TARGET_DISABLE_KEEPALIVE` | `false` | If `true`, disables HTTP keep-alive for connections to the target backend. Useful for backends that don't handle keep-alive properly. |
|
||||
| `TARGET_HOST` | unset | If set, overrides the Host header in requests forwarded to `TARGET`. |
|
||||
| `TARGET_INSECURE_SKIP_VERIFY` | `false` | If `true`, skip TLS certificate validation for targets that listen over `https`. If your backend does not listen over `https`, ignore this setting. |
|
||||
| `HS512_SECRET` | unset | Secret string for JWT HS512 algorithm. If this is not set, Anubis will use ED25519 as defined via the variables above. The longer the better; 128 chars should suffice. |
|
||||
| `TARGET_SNI` | unset | If set, overrides the TLS handshake hostname in requests forwarded to `TARGET`. |
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
61
internal/glob/glob.go
Normal file
61
internal/glob/glob.go
Normal file
@@ -0,0 +1,61 @@
|
||||
package glob
|
||||
|
||||
import "strings"
|
||||
|
||||
const GLOB = "*"
|
||||
|
||||
const maxGlobParts = 5
|
||||
|
||||
// Glob will test a string pattern, potentially containing globs, against a
|
||||
// subject string. The result is a simple true/false, determining whether or
|
||||
// not the glob pattern matched the subject text.
|
||||
func Glob(pattern, subj string) bool {
|
||||
// Empty pattern can only match empty subject
|
||||
if pattern == "" {
|
||||
return subj == pattern
|
||||
}
|
||||
|
||||
// If the pattern _is_ a glob, it matches everything
|
||||
if pattern == GLOB {
|
||||
return true
|
||||
}
|
||||
|
||||
parts := strings.Split(pattern, GLOB)
|
||||
|
||||
if len(parts) > maxGlobParts {
|
||||
return false // Pattern is too complex, reject it.
|
||||
}
|
||||
|
||||
if len(parts) == 1 {
|
||||
// No globs in pattern, so test for equality
|
||||
return subj == pattern
|
||||
}
|
||||
|
||||
leadingGlob := strings.HasPrefix(pattern, GLOB)
|
||||
trailingGlob := strings.HasSuffix(pattern, GLOB)
|
||||
end := len(parts) - 1
|
||||
|
||||
// Go over the leading parts and ensure they match.
|
||||
for i := 0; i < end; i++ {
|
||||
idx := strings.Index(subj, parts[i])
|
||||
|
||||
switch i {
|
||||
case 0:
|
||||
// Check the first section. Requires special handling.
|
||||
if !leadingGlob && idx != 0 {
|
||||
return false
|
||||
}
|
||||
default:
|
||||
// Check that the middle parts match.
|
||||
if idx < 0 {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// Trim evaluated text from subj as we loop over the pattern.
|
||||
subj = subj[idx+len(parts[i]):]
|
||||
}
|
||||
|
||||
// Reached the last section. Requires special handling.
|
||||
return trailingGlob || strings.HasSuffix(subj, parts[end])
|
||||
}
|
||||
189
internal/glob/glob_test.go
Normal file
189
internal/glob/glob_test.go
Normal file
@@ -0,0 +1,189 @@
|
||||
package glob
|
||||
|
||||
import "testing"
|
||||
|
||||
func TestGlob_EqualityAndEmpty(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"exact match", "hello", "hello", true},
|
||||
{"exact mismatch", "hello", "hell", false},
|
||||
{"empty pattern and subject", "", "", true},
|
||||
{"empty pattern with non-empty subject", "", "x", false},
|
||||
{"pattern star matches empty", "*", "", true},
|
||||
{"pattern star matches anything", "*", "anything at all", true},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_LeadingAndTrailing(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"prefix match - minimal", "foo*", "foo", true},
|
||||
{"prefix match - extended", "foo*", "foobar", true},
|
||||
{"prefix mismatch - not at start", "foo*", "xfoo", false},
|
||||
{"suffix match - minimal", "*foo", "foo", true},
|
||||
{"suffix match - extended", "*foo", "xfoo", true},
|
||||
{"suffix mismatch - not at end", "*foo", "foox", false},
|
||||
{"contains match", "*foo*", "barfoobaz", true},
|
||||
{"contains mismatch - missing needle", "*foo*", "f", false},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_MiddleAndOrder(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"middle wildcard basic", "f*o", "fo", true},
|
||||
{"middle wildcard gap", "f*o", "fZZZo", true},
|
||||
{"middle wildcard requires start f", "f*o", "xfyo", false},
|
||||
{"order enforced across parts", "a*b*c*d", "axxbxxcxxd", true},
|
||||
{"order mismatch fails", "a*b*c*d", "abdc", false},
|
||||
{"must end with last part when no trailing *", "*foo*bar", "zzfooqqbar", true},
|
||||
{"failing when trailing chars remain", "*foo*bar", "zzfooqqbarzz", false},
|
||||
{"first part must start when no leading *", "foo*bar", "zzfooqqbar", false},
|
||||
{"works with overlapping content", "ab*ba", "ababa", true},
|
||||
{"needle not found fails", "foo*bar", "foobaz", false},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_ConsecutiveStarsAndEmptyParts(t *testing.T) {
|
||||
cases := []struct {
|
||||
name string
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"double star matches anything", "**", "", true},
|
||||
{"double star matches anything non-empty", "**", "abc", true},
|
||||
{"consecutive stars behave like single", "a**b", "ab", true},
|
||||
{"consecutive stars with gaps", "a**b", "axxxb", true},
|
||||
{"consecutive stars + trailing star", "a**b*", "axxbzzz", true},
|
||||
{"consecutive stars still enforce anchors", "a**b", "xaBy", false},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_MaxPartsLimit(t *testing.T) {
|
||||
// Allowed: up to 4 '*' (5 parts)
|
||||
allowed := []struct {
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"a*b*c*d*e", "axxbxxcxxdxxe", true}, // 4 stars -> 5 parts
|
||||
{"*a*b*c*d", "zzzaaaabbbcccddd", true},
|
||||
{"a*b*c*d*e", "abcde", true},
|
||||
{"a*b*c*d*e", "abxdxe", false}, // missing 'c' should fail
|
||||
}
|
||||
for _, tc := range allowed {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("allowed pattern Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
}
|
||||
|
||||
// Disallowed: 5 '*' (6 parts) -> always false by complexity check
|
||||
disallowed := []struct {
|
||||
pattern string
|
||||
subj string
|
||||
}{
|
||||
{"a*b*c*d*e*f", "aXXbYYcZZdQQeRRf"},
|
||||
{"*a*b*c*d*e*", "abcdef"},
|
||||
{"******", "anything"}, // 6 stars -> 7 parts
|
||||
}
|
||||
for _, tc := range disallowed {
|
||||
if got := Glob(tc.pattern, tc.subj); got {
|
||||
t.Fatalf("disallowed pattern should fail Glob(%q,%q) = %v, want false", tc.pattern, tc.subj, got)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_CaseSensitivity(t *testing.T) {
|
||||
cases := []struct {
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"FOO*", "foo", false},
|
||||
{"*Bar", "bar", false},
|
||||
{"Foo*Bar", "FooZZZBar", true},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestGlob_EmptySubjectInteractions(t *testing.T) {
|
||||
cases := []struct {
|
||||
pattern string
|
||||
subj string
|
||||
want bool
|
||||
}{
|
||||
{"*a", "", false},
|
||||
{"a*", "", false},
|
||||
{"**", "", true},
|
||||
{"*", "", true},
|
||||
}
|
||||
for _, tc := range cases {
|
||||
if got := Glob(tc.pattern, tc.subj); got != tc.want {
|
||||
t.Fatalf("Glob(%q,%q) = %v, want %v", tc.pattern, tc.subj, got, tc.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkGlob(b *testing.B) {
|
||||
patterns := []string{
|
||||
"*", "*foo*", "foo*bar", "a*b*c*d*e", "a**b*", "*needle*end",
|
||||
}
|
||||
subjects := []string{
|
||||
"", "foo", "barfoo", "foobarbaz", "axxbxxcxxdxxe", "zzfooqqbarzz",
|
||||
"lorem ipsum dolor sit amet, consectetur adipiscing elit",
|
||||
}
|
||||
for _, p := range patterns {
|
||||
for _, s := range subjects {
|
||||
b.Run(p+"::"+s, func(b *testing.B) {
|
||||
for i := 0; i < b.N; i++ {
|
||||
_ = Glob(p, s)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -11,7 +11,6 @@ import (
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -435,7 +434,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
|
||||
s.respondWithError(w, r, localizer.T("redirect_not_parseable"))
|
||||
return
|
||||
}
|
||||
if (len(urlParsed.Host) > 0 && len(s.opts.RedirectDomains) != 0 && !slices.Contains(s.opts.RedirectDomains, urlParsed.Host)) || urlParsed.Host != r.URL.Host {
|
||||
if (len(urlParsed.Host) > 0 && len(s.opts.RedirectDomains) != 0 && !matchRedirectDomain(s.opts.RedirectDomains, urlParsed.Host)) || urlParsed.Host != r.URL.Host {
|
||||
lg.Debug("domain not allowed", "domain", urlParsed.Host)
|
||||
s.respondWithError(w, r, localizer.T("redirect_domain_not_allowed"))
|
||||
return
|
||||
|
||||
28
lib/http.go
28
lib/http.go
@@ -7,12 +7,12 @@ import (
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/TecharoHQ/anubis"
|
||||
"github.com/TecharoHQ/anubis/internal"
|
||||
"github.com/TecharoHQ/anubis/internal/glob"
|
||||
"github.com/TecharoHQ/anubis/lib/challenge"
|
||||
"github.com/TecharoHQ/anubis/lib/localization"
|
||||
"github.com/TecharoHQ/anubis/lib/policy"
|
||||
@@ -24,6 +24,26 @@ import (
|
||||
|
||||
var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`)
|
||||
|
||||
// matchRedirectDomain returns true if host matches any of the allowed redirect
|
||||
// domain patterns. Patterns may contain '*' which are matched using the
|
||||
// internal glob matcher. Matching is case-insensitive on hostnames.
|
||||
func matchRedirectDomain(allowed []string, host string) bool {
|
||||
h := strings.ToLower(strings.TrimSpace(host))
|
||||
for _, pat := range allowed {
|
||||
p := strings.ToLower(strings.TrimSpace(pat))
|
||||
if strings.Contains(p, glob.GLOB) {
|
||||
if glob.Glob(p, h) {
|
||||
return true
|
||||
}
|
||||
continue
|
||||
}
|
||||
if p == h {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type CookieOpts struct {
|
||||
Value string
|
||||
Host string
|
||||
@@ -217,8 +237,8 @@ func (s *Server) constructRedirectURL(r *http.Request) (string, error) {
|
||||
if proto == "" || host == "" || uri == "" {
|
||||
return "", errors.New(localizer.T("missing_required_forwarded_headers"))
|
||||
}
|
||||
// Check if host is allowed in RedirectDomains
|
||||
if len(s.opts.RedirectDomains) > 0 && !slices.Contains(s.opts.RedirectDomains, host) {
|
||||
// Check if host is allowed in RedirectDomains (supports '*' via glob)
|
||||
if len(s.opts.RedirectDomains) > 0 && !matchRedirectDomain(s.opts.RedirectDomains, host) {
|
||||
lg := internal.GetRequestLogger(s.logger, r)
|
||||
lg.Debug("domain not allowed", "domain", host)
|
||||
return "", errors.New(localizer.T("redirect_domain_not_allowed"))
|
||||
@@ -290,7 +310,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
hostNotAllowed := len(urlParsed.Host) > 0 &&
|
||||
len(s.opts.RedirectDomains) != 0 &&
|
||||
!slices.Contains(s.opts.RedirectDomains, urlParsed.Host)
|
||||
!matchRedirectDomain(s.opts.RedirectDomains, urlParsed.Host)
|
||||
hostMismatch := r.URL.Host != "" && urlParsed.Host != r.URL.Host
|
||||
|
||||
if hostNotAllowed || hostMismatch {
|
||||
|
||||
4
package-lock.json
generated
4
package-lock.json
generated
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "@techaro/anubis",
|
||||
"version": "1.22.0-pre2",
|
||||
"version": "1.22.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "@techaro/anubis",
|
||||
"version": "1.22.0-pre2",
|
||||
"version": "1.22.0",
|
||||
"license": "ISC",
|
||||
"dependencies": {
|
||||
"@aws-crypto/sha256-js": "^5.2.0",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@techaro/anubis",
|
||||
"version": "1.22.0-pre2",
|
||||
"version": "1.22.0",
|
||||
"description": "",
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
|
||||
Reference in New Issue
Block a user