mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-05-16 19:43:10 +00:00
Xe Iaso
276b537776
* fix(policy): correctly wire subrequest mode through CEL/path checkers Previously Anubis only checked for the X-Original-Url when using subrequest mode. This header is used by the example nginx config to pass the request path through from the original client request to Anubis in order to do path-based filtering. According to facts and circumstances, Traefik hardcodes its own headers[1]: ```text httpdebug-1 | GET /.within.website/x/cmd/anubis/api/check httpdebug-1 | X-Forwarded-Method: GET httpdebug-1 | X-Forwarded-Proto: http httpdebug-1 | X-Forwarded-Server: b9a5d299c929 httpdebug-1 | X-Forwarded-Port: 8080 httpdebug-1 | X-Forwarded-Uri: / httpdebug-1 | X-Real-Ip: 172.18.0.1 httpdebug-1 | Accept-Encoding: gzip httpdebug-1 | User-Agent: curl/8.20.0 httpdebug-1 | Accept: */* httpdebug-1 | X-Forwarded-For: 172.18.0.1 httpdebug-1 | X-Forwarded-Host: localhost:8080 ``` As a result, this means that path-based filtering did not work. This commit fixes this issue by amending how path based checking logic works: * For CEL based checks, this pipes through the `subrequestMode` flag from main and alters the behaviour if either `X-Original-Url` or `X-Forwarded-Url` are found. These values are currently hardcoded for convenience but probably need to be made configurable in the policy file at a future date. * For path-based checks, this uses the existing `subrequestMode` flag from main and adds `X-Forwarded-Url` to the list of headers it checks. A smoke test was added to make sure that traefik in this mode continues to work. Thank you https://github.com/flifloo for filing a detailed issue with the relevant configuration fragments. Those configuration fragments formed the core of this smoke test. [1]: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/ Closes: https://github.com/TecharoHQ/anubis/issues/1628 Signed-off-by: Xe Iaso <me@xeiaso.net> Co-Authored-By: flifloo <flifloo@gmail.com> * chore: spelling Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: flifloo <flifloo@gmail.com>
check-spelling/check-spelling configuration
| File | Purpose | Format | Info |
|---|---|---|---|
| dictionary.txt | Replacement dictionary (creating this file will override the default dictionary) | one word per line | dictionary |
| allow.txt | Add words to the dictionary | one word per line (only letters and 's allowed) |
allow |
| reject.txt | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | reject |
| excludes.txt | Files to ignore entirely | perl regular expression | excludes |
| only.txt | Only check matching files (applied after excludes) | perl regular expression | only |
| patterns.txt | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | patterns |
| candidate.patterns | Patterns that might be worth adding to patterns.txt | perl regular expression with optional comment block introductions (all matches will be suggested) | candidates |
| line_forbidden.patterns | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | patterns |
| expect.txt | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | expect |
| advice.md | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | advice |
Note: you can replace any of these files with a directory by the same name (minus the suffix) and then include multiple files inside that directory (with that suffix) to merge multiple files together.