cmd/anubis: delete example RSS reader rule (#67)

The example/default bot policy document had a rule to allow RSS readers
through based on paths that end with ".rss", ".xml", ".atom", or
".json". Frameworks like Rails will treat these specially, meaning that
going to /things/12345-whateverhaha.json could bypass Anubis.

I checked the history of this rule and it was present in the original
example policy file in Xe/x. This rule is likely a mistake and it has
been removed. I think it was for making my blog still work with RSS
readers.

Thanks to Graham Sutherland for reporting this over email.

Signed-off-by: Xe Iaso <me@xeiaso.net>

VERSION

@@ -1 +1 @@
-1.14.0
+1.14.2

cmd/anubis/botPolicies.json

@@ -335,6 +335,14 @@
         "193.183.0.174/32"
       ]
     },
+    {
+      "name": "mojeekbot",
+      "user_agent_regex": "http\\://www\\.mojeek\\.com/bot\\.html",
+      "action": "ALLOW",
+      "remote_addresses": [
+        "5.102.173.71/32"
+      ]
+    },
     {
       "name": "us-artificial-intelligence-scraper",
       "user_agent_regex": "\\+https\\:\\/\\/github\\.com\\/US-Artificial-Intelligence\\/scraper",
@@ -355,11 +363,6 @@
       "path_regex": "^/robots.txt$",
       "action": "ALLOW"
     },
-    {
-      "name": "rss-readers",
-      "path_regex": ".*\\.(rss|xml|atom|json)$",
-      "action": "ALLOW"
-    },
     {
       "name": "lightpanda",
       "user_agent_regex": "^Lightpanda/.*$",
@@ -392,4 +395,4 @@
     }
   ],
   "dnsbl": true
-}
+}

cmd/anubis/index.templ

@@ -151,7 +151,7 @@ templ base(title string, body templ.Component) {
 						<p>
 							Protected by <a href="https://github.com/TecharoHQ/anubis">Anubis</a> from <a
 	href="https://techaro.lol"
->Techaro</a>.
+>Techaro</a>. Made with ❤️ in 🇨🇦.
 						</p>
 					</center>
 				</footer>

cmd/anubis/index_templ.go

@@ -89,7 +89,7 @@ func base(title string, body templ.Component) templ.Component {
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>.</p></center></footer></main></body></html>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<footer><center><p>Protected by <a href=\"https://github.com/TecharoHQ/anubis\">Anubis</a> from <a href=\"https://techaro.lol\">Techaro</a>. Made with ❤️ in 🇨🇦.</p></center></footer></main></body></html>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}

cmd/anubis/main.go

@@ -214,6 +214,7 @@ func main() {
 	var h http.Handler
 	h = mux
 	h = internal.DefaultXRealIP(*debugXRealIPDefault, h)
+	h = internal.XForwardedForToXRealIP(h)
 
 	srv := http.Server{Handler: h}
 	listener, url := setupListener(*bindNetwork, *bind)

docs/docs/CHANGELOG.md

@@ -11,6 +11,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v1.14.2
+
+Livia sas Junius: Echo 2
+
+- Remove default RSS reader rule as it may allow for a targeted attack against rails apps
+  [#67](https://github.com/TecharoHQ/anubis/pull/67)
+- Whitelist MojeekBot in botPolicies [#47](https://github.com/TecharoHQ/anubis/issues/47)
+
+## v1.14.1
+
+Livia sas Junius: Echo 1
+
+- Set the `X-Real-Ip` header based on the contents of `X-Forwarded-For`
+  [#62](https://github.com/TecharoHQ/anubis/issues/62)
+
 ## v1.14.0
 
 Livia sas Junius

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect

go.sum

@@ -59,6 +59,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a h1:iLcLb5Fwwz7g/DLK89F+uQBDeAhHhwdzB5fSlVdhGcM=
+github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a/go.mod h1:wozgYq9WEBQBaIJe4YZ0qTSFAMxmcwBhQH0fO0R34Z0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=

internal/headers.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/TecharoHQ/anubis"
+	"github.com/sebest/xff"
 )
 
 // UnchangingCache sets the Cache-Control header to cache a response for 1 year if
@@ -33,3 +34,17 @@ func DefaultXRealIP(defaultIP string, next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// XForwardedForToXRealIP sets the X-Real-Ip header based on the contents
+// of the X-Forwarded-For header.
+func XForwardedForToXRealIP(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if xffHeader := r.Header.Get("X-Forwarded-For"); r.Header.Get("X-Real-Ip") == "" && xffHeader != "" {
+			ip := xff.Parse(xffHeader)
+			slog.Debug("setting x-real-ip", "val", ip)
+			r.Header.Set("X-Real-Ip", ip)
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}