authorHenri Vasserman <henv@hot.ee>2025-04-01 01:42:12 +0300
committerGitHub <noreply@github.com>2025-03-31 18:42:12 -0400
commitb4a2e1a6a0014446252645db6e61c596e16fbcd4 (patch)
tree684cda635dcd4d8e3d21e0f5b727f6e50d9280cb /lib
parent28828a2e93de32e758b62107f0af0a429b911b90 (diff)
lib/anubis: actually check the result with the correct difficulty (#180)
* cmd/anubis actually check the result with the correct difficulty * chore: changelog * test(cmd/anubis): make test check for difficulty * lib: add regression test for CVE-2025-24369 Signed-off-by: Xe Iaso <me@xeiaso.net> * bump VERSION and CHANGELOG Tracks #181 Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to 'lib')
-rw-r--r--lib/anubis.go19
-rw-r--r--lib/anubis_test.go76
2 files changed, 84 insertions, 11 deletions
diff --git a/lib/anubis.go b/lib/anubis.go
index 1b2ebfc..732d2c3 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
}
type Server struct {
- mux *http.ServeMux
- next http.Handler
- priv ed25519.PrivateKey
- pub ed25519.PublicKey
- policy *policy.ParsedConfig
- opts Options
- DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
- ChallengeDifficulty int
+ mux *http.ServeMux
+ next http.Handler
+ priv ed25519.PrivateKey
+ pub ed25519.PublicKey
+ policy *policy.ParsedConfig
+ opts Options
+ DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
}
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -441,9 +440,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
}
// compare the leading zeroes
- if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
+ if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
s.ClearCookie(w)
- lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
+ lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
failedValidations.Inc()
return
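Review bot: The corrected guard on the `+` line still trusts `rule.Challenge.Difficulty` to be a positive integer: a difficulty of 0 makes `strings.Repeat("0", 0)` the empty string, so `HasPrefix` is vacuously true and every response passes, while a negative value makes `strings.Repeat` panic inside the handler. If the policy loader does not already reject non-positive difficulties (not visible here), a check immediately before the comparison, e.g. `if rule.Challenge.Difficulty <= 0 { s.ClearCookie(w); lg.Error("invalid challenge difficulty", "difficulty", rule.Challenge.Difficulty); /* respond 403 */ return }`, would keep a misconfigured rule from becoming an open bypass. This prefix check only inspects the client-supplied `response` string; I assume the hash is recomputed from the challenge and nonce and compared elsewhere in PassChallenge, whose body starts and ends outside the hunk. The comment `// compare the leading zeroes` could also name the source of the difficulty now that it is per-rule, e.g. `// compare the leading zeroes against the difficulty of the rule that issued the challenge`.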
diff --git a/lib/anubis_test.go b/lib/anubis_test.go
index 58c8834..79a0532 100644
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -34,6 +34,79 @@ func spawnAnubis(t *testing.T, opts Options) *Server {
return s
}
+type challenge struct {
+ Challenge string `json:"challenge"`
+}
+
+func makeChallenge(t *testing.T, ts *httptest.Server) challenge {
+ t.Helper()
+
+ resp, err := ts.Client().Post(ts.URL+"/.within.website/x/cmd/anubis/api/make-challenge", "", nil)
+ if err != nil {
+ t.Fatalf("can't request challenge: %v", err)
+ }
+ defer resp.Body.Close()
+
+ var chall challenge
+ if err := json.NewDecoder(resp.Body).Decode(&chall); err != nil {
+ t.Fatalf("can't read challenge response body: %v", err)
+ }
+
+ return chall
+}
+
+// Regression test for CVE-2025-24369
+func TestCVE2025_24369(t *testing.T) {
+ pol := loadPolicies(t, "")
+ pol.DefaultDifficulty = 4
+
+ srv := spawnAnubis(t, Options{
+ Next: http.NewServeMux(),
+ Policy: pol,
+
+ CookieDomain: "local.cetacean.club",
+ CookiePartitioned: true,
+ CookieName: t.Name(),
+ })
+
+ ts := httptest.NewServer(internal.RemoteXRealIP(true, "tcp", srv))
+ defer ts.Close()
+
+ chall := makeChallenge(t, ts)
+ calcString := fmt.Sprintf("%s%d", chall.Challenge, 0)
+ calculated := internal.SHA256sum(calcString)
+ nonce := 0
+ elapsedTime := 420
+ redir := "/"
+
+ cli := ts.Client()
+ cli.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ }
+
+ req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
+ if err != nil {
+ t.Fatalf("can't make request: %v", err)
+ }
+
+ q := req.URL.Query()
+ q.Set("response", calculated)
+ q.Set("nonce", fmt.Sprint(nonce))
+ q.Set("redir", redir)
+ q.Set("elapsedTime", fmt.Sprint(elapsedTime))
+ req.URL.RawQuery = q.Encode()
+
+ resp, err := cli.Do(req)
+ if err != nil {
+ t.Fatalf("can't do challenge passing")
+ }
+
+ if resp.StatusCode == http.StatusFound {
+ t.Log("Regression on CVE-2025-24369")
+ t.Errorf("wanted HTTP status %d, got: %d", http.StatusForbidden, resp.StatusCode)
+ }
+}
+
func TestCookieSettings(t *testing.T) {
pol := loadPolicies(t, "")
pol.DefaultDifficulty = 0
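Review bot: The assertion at the end of TestCVE2025_24369 only fires on a 302, so any other unexpected status (200, 500) lets the regression test pass even though its message claims to want 403; `if resp.StatusCode != http.StatusForbidden {` pins the expected outcome. The `cli.Do` error path also discards `err` — `t.Fatalf("can't do challenge passing: %v", err)` keeps the cause — and the response body is never closed, so `defer resp.Body.Close()` belongs right after that error check (makeChallenge already does this) so the connection is released before `ts.Close()`. The `// Regression test for CVE-2025-24369` comment would help a later reader more if it said what is being asserted, e.g. that a response computed for nonce 0 without the required leading zeroes must be rejected with 403 when the rule difficulty is 4.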
@@ -72,8 +145,9 @@ func TestCookieSettings(t *testing.T) {
nonce := 0
elapsedTime := 420
redir := "/"
+ calculated := ""
calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
- calculated := internal.SHA256sum(calcString)
+ calculated = internal.SHA256sum(calcString)
req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
if err != nil {
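Review bot: `calculated := ""` followed immediately by `calculated = internal.SHA256sum(calcString)` is an ineffectual assignment that staticcheck/ineffassign will flag. Unless a hunk outside this view reads `calculated` before the real assignment, keep the original single declaration `calculated := internal.SHA256sum(calcString)` and drop the `calculated := ""` line. TestCookieSettings starts before this hunk and continues past it.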