| author | Henri Vasserman <henv@hot.ee> | 2025-04-01 01:42:12 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-03-31 18:42:12 -0400 |
| commit | b4a2e1a6a0014446252645db6e61c596e16fbcd4 (patch) | |
| tree | 684cda635dcd4d8e3d21e0f5b727f6e50d9280cb /lib/anubis.go | |
| parent | 28828a2e93de32e758b62107f0af0a429b911b90 (diff) | |
lib/anubis: actually check the result with the correct difficulty (#180)
* cmd/anubis actually check the result with the correct difficulty
* chore: changelog
* test(cmd/anubis): make test check for difficulty
* lib: add regression test for CVE-2025-24369
Signed-off-by: Xe Iaso <me@xeiaso.net>
* bump VERSION and CHANGELOG
Tracks #181
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to 'lib/anubis.go')
| -rw-r--r-- | lib/anubis.go | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/lib/anubis.go b/lib/anubis.go
index 1b2ebfc..732d2c3 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
 }
 
 type Server struct {
- mux *http.ServeMux
- next http.Handler
- priv ed25519.PrivateKey
- pub ed25519.PublicKey
- policy *policy.ParsedConfig
- opts Options
- DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
- ChallengeDifficulty int
+ mux *http.ServeMux
+ next http.Handler
+ priv ed25519.PrivateKey
+ pub ed25519.PublicKey
+ policy *policy.ParsedConfig
+ opts Options
+ DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -441,9 +440,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 }
 
 // compare the leading zeroes
- if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
+ if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
 s.ClearCookie(w)
- lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
+ lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
 templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 failedValidations.Inc()
 return
|
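Review bot: The leading-zero check in PassChallenge now uses `rule.Challenge.Difficulty` with no lower bound. `strings.Repeat("0", 0)` is the empty string, so a rule with difficulty 0 makes the prefix test pass for any response, and a negative value makes `strings.Repeat` panic inside the request handler. Whether the policy loader already rejects such values is not visible here, so confirm it there or fail closed at this line with `if d := rule.Challenge.Difficulty; d < 1 || !strings.HasPrefix(response, strings.Repeat("0", d)) {`. `rule` is assigned outside the hunk; if `rule.Challenge` is a pointer it presumably needs a nil check before this dereference as well. PassChallenge's body starts and ends outside the hunk.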
