chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>
chore: spelling
2026-06-09 22:08:15 +00:00 · 2026-06-06 10:25:42 -04:00 · 2026-06-06 10:24:12 -04:00 · 2026-06-06 10:22:05 -04:00 · 2026-06-04 16:05:37 -04:00 · 2026-06-03 11:35:28 -04:00
9 changed files with 55 additions and 11 deletions
@@ -44,3 +44,6 @@ xou
 AWOO
 firewalls
 bindhosts
+handrolled
+xai
+gitlab
@@ -10,4 +10,3 @@ builds:
    ldflags:
      - -s -w
      - -extldflags "-static"
-      - -X github.com/TecharoHQ/anubis.Version={{.Env.VERSION}}
@@ -1,12 +1,27 @@
 // Package anubis contains the version number of Anubis.
 package anubis

-import "time"
+import (
+	"runtime/debug"
+	"time"
+)
+
+func init() {
+	bi, ok := debug.ReadBuildInfo()
+	if !ok {
+		return
+	}
+
+	// XXX(Xe): many things in this repo assume that the development version
+	// of anubis is `devel` and ReadBuildInfo returns `(devel)`. Shim the gap.
+	if bi.Main.Version != "(devel)" {
+		Version = bi.Main.Version
+	}
+}

 // Version is the current version of Anubis.
 //
-// This variable is set at build time using the -X linker flag. If not set,
-// it defaults to "devel".
+// This is set from the Go module runtime version.
 var Version = "devel"

 // CookieName is the name of the cookie that Anubis uses in order to validate
@@ -41,6 +41,9 @@ bots:
  # Challenge Firefox AI previews
  - import: (data)/clients/x-firefox-ai.yaml

+  # x.ai has a scraper that is killing gitlab instances
+  - import: (data)/crawlers/xai.yaml
+
  # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
  - import: (data)/common/keep-internet-working.yaml

@@ -0,0 +1,8 @@
+- name: xai-crawler-and-asn
+  action: DENY
+  user_agent_regex: code-review-sourcing.*\+xai-research
+  remote_addresses:
+    - 69.12.56.0/12
+- name: xai-crawler-user-agent
+  action: DENY
+  user_agent_regex: code-review-sourcing.*\+xai-research
@@ -25,6 +25,9 @@
 # Challenge Firefox AI previews
 - import: (data)/clients/x-firefox-ai.yaml

+# x.ai has a scraper that is killing gitlab instances
+- import: (data)/crawlers/xai.yaml
+
 # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
 - import: (data)/common/keep-internet-working.yaml

@@ -23,12 +23,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
 - Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
 - Fixed case-sensitivity mismatch in geoipchecker.go
+- Use [Go's native version stamping](https://michael.stapelberg.ch/posts/2026-04-05-stamp-it-all-programs-must-report-their-version/) instead of a handrolled variant.
 - Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
 - Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls).
 - Enable [HTTP basic auth](./admin/policies.mdx#http-basic-authentication) for the metrics server.
 - Fix a bug in the dataset poisoning maze that could allow denial of service [#1580](https://github.com/TecharoHQ/anubis/issues/1580).
 - Add config option to add ASN to logs/metrics.
 - Log weight when issuing challenge.
+- Block x.ai's crawler for code review training.
 - Gate pprof endpoints behind `metrics.debug` in the policy file.
 - Limit naive honeypot r9k delay to one second.
 - Fix an obscure case where adding query values to a subrequest match could cause an invalid rule match when using path based matching for protected resources.
@@ -41,6 +43,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Marginally improve the performances of PoW validation
 - Marginally improve the performances of challenges generation/display
 - Significantly improve the performances of the gzip middleware
+- Significantly improve the performances of the PoW validation

 ## v1.25.0: Necron

@@ -1,14 +1,15 @@
 package proofofwork

 import (
+	"crypto/sha256"
 	"crypto/subtle"
+	"encoding/hex"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"strconv"
 	"strings"

-	"github.com/TecharoHQ/anubis/internal"
 	chall "github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/a-h/templ"
@@ -66,11 +67,20 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
 	}

-	calcString := challenge + nonceStr
-	calculated := internal.SHA256sum(calcString)
+	// Stream the challenge and nonce into a single sha256 hasher to avoid
+	// the intermediate "challenge + nonceStr" concatenation. Hex-encode
+	// the digest into a stack buffer so the comparison runs without
+	// allocating a heap string.
+	h := sha256.New()
+	h.Write([]byte(challenge))
+	h.Write([]byte(nonceStr))
+	var sumBuf [sha256.Size]byte
+	sum := h.Sum(sumBuf[:0])
+	var hexBuf [sha256.Size * 2]byte
+	hex.Encode(hexBuf[:], sum)

-	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
-		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted response %s but got %s", chall.ErrFailed, calculated, response))
+	if subtle.ConstantTimeCompare([]byte(response), hexBuf[:]) != 1 {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted response %s but got %s", chall.ErrFailed, string(hexBuf[:]), response))
 	}

 	// compare the leading zeroes
@@ -17,8 +17,8 @@ $`npm run assets`;
      },

      build: ({ bin, etc, systemd, doc }) => {
-        $`go build -o ${bin}/anubis -ldflags '-s -w -extldflags "-static" -X "github.com/TecharoHQ/anubis.Version=${git.tag()}"' ./cmd/anubis`;
-        $`go build -o ${bin}/anubis-robots2policy -ldflags '-s -w -extldflags "-static" -X "github.com/TecharoHQ/anubis.Version=${git.tag()}"' ./cmd/robots2policy`;
+        $`go build -o ${bin}/anubis -ldflags '-s -w -extldflags "-static" ./cmd/anubis`;
+        $`go build -o ${bin}/anubis-robots2policy -ldflags '-s -w -extldflags "-static"' ./cmd/robots2policy`;

        file.install("./run/anubis@.service", `${systemd}/anubis@.service`);
        file.install("./run/default.env", `${etc}/default.env`);
Author	SHA1	Message	Date
Xe Iaso	9d88de5878	chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-06-06 10:25:42 -04:00
Xe Iaso	3c2e2f5940	chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-06-06 10:24:12 -04:00
Xe Iaso	5c16bf5592	chore: ban x.ai Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-06-06 10:22:05 -04:00
Xe Iaso	44d5fa3ce0	chore: use Go stdlib version stamping (#1665 ) * chore: use Go stdlib version stamping Signed-off-by: Xe Iaso <me@xeiaso.net> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net>	2026-06-04 16:05:37 -04:00
Julien Voisin	ef3ea08b79	perf(challenge/proofofwork): stream sha256 into stack buffer in Validate (#1653 ) Signed-off-by: jvoisin <julien.voisin@dustri.org> Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2026-06-03 11:35:28 -04:00