mirror of https://github.com/TecharoHQ/anubis.git synced 2026-05-09 00:22:53 +00:00

Files

T

Xe Iaso 0491f1fac2 fix: patch GHSA-6wcg-mqvh-fcvg (#1616 )

* fix: patch GHSA-6wcg-mqvh-fcvg

PR https://github.com/TecharoHQ/anubis/pull/1015 added the ability for
reverse proxies using Anubis in subrequest auth mode to look at the path
of a request as there are many rules in the wild that rely on checking
the path. This is how access to things like robots.txt or anything in the
.well-known directory is unaffected by Anubis.

However this logic was also enabled for non-subrequest deployments of Anubis,
meaning that a specially crafted request could include a /.well-known/
path in it and then get around Anubis with little effort.

This fix gates the logic behind a new plumbed variable named subrequestMode
that only fires when Anubis is running in subrequest auth mode. This
properly contains that workaround so that the logic does not fire in
most deployments.

Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>

2026-05-08 19:17:25 -04:00

advice.md

chore: set up commitlint, husky, and prettier (#1451 )

2026-02-15 08:19:12 -05:00

allow.txt

feat(metrics): basic auth support (#1579 )

2026-04-23 00:17:09 -04:00

candidate.patterns

ci: add check-spelling (#462 )

2025-05-09 17:02:41 +00:00

excludes.txt

Update check-spelling metadata (#1379 )

2026-01-01 23:02:15 +00:00

expect.txt

fix: patch GHSA-6wcg-mqvh-fcvg (#1616 )

2026-05-08 19:17:25 -04:00

line_forbidden.patterns

feat: add default OpenGraph tags to configuration file (#694 )

2025-06-19 18:00:44 -04:00

patterns.txt

fix(lib): block XSS attacks via nonstandard URLs (#904 )

2025-07-24 14:05:00 +00:00

README.md

chore: set up commitlint, husky, and prettier (#1451 )

2026-02-15 08:19:12 -05:00

reject.txt

ci: add check-spelling (#462 )

2025-05-09 17:02:41 +00:00

README.md

check-spelling/check-spelling configuration

File	Purpose	Format	Info
dictionary.txt	Replacement dictionary (creating this file will override the default dictionary)	one word per line	dictionary
allow.txt	Add words to the dictionary	one word per line (only letters and `'`s allowed)	allow
reject.txt	Remove words from the dictionary (after allow)	grep pattern matching whole dictionary words	reject
excludes.txt	Files to ignore entirely	perl regular expression	excludes
only.txt	Only check matching files (applied after excludes)	perl regular expression	only
patterns.txt	Patterns to ignore from checked lines	perl regular expression (order matters, first match wins)	patterns
candidate.patterns	Patterns that might be worth adding to patterns.txt	perl regular expression with optional comment block introductions (all matches will be suggested)	candidates
line_forbidden.patterns	Patterns to flag in checked lines	perl regular expression (order matters, first match wins)	patterns
expect.txt	Expected words that aren't in the dictionary	one word per line (sorted, alphabetically)	expect
advice.md	Supplement for GitHub comment when unrecognized words are found	GitHub Markdown	advice

Note: you can replace any of these files with a directory by the same name (minus the suffix) and then include multiple files inside that directory (with that suffix) to merge multiple files together.