From b4a2e1a6a0014446252645db6e61c596e16fbcd4 Mon Sep 17 00:00:00 2001
From: Henri Vasserman
Date: Tue, 1 Apr 2025 01:42:12 +0300
Subject: lib/anubis: actually check the result with the correct difficulty (#180)

* cmd/anubis actually check the result with the correct difficulty
* chore: changelog
* test(cmd/anubis): make test check for difficulty
* lib: add regression test for CVE-2025-24369
Signed-off-by: Xe Iaso
* bump VERSION and CHANGELOG
Tracks #181
Signed-off-by: Xe Iaso
---------
Signed-off-by: Xe Iaso
Co-authored-by: Xe Iaso
---
 lib/anubis.go | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
 (limited to 'lib/anubis.go')

diff --git a/lib/anubis.go b/lib/anubis.go
index 1b2ebfc..732d2c3 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
 }
 
 type Server struct {
-	mux                 *http.ServeMux
-	next                http.Handler
-	priv                ed25519.PrivateKey
-	pub                 ed25519.PublicKey
-	policy              *policy.ParsedConfig
-	opts                Options
-	DNSBLCache          *decaymap.Impl[string, dnsbl.DroneBLResponse]
-	ChallengeDifficulty int
+	mux        *http.ServeMux
+	next       http.Handler
+	priv       ed25519.PrivateKey
+	pub        ed25519.PublicKey
+	policy     *policy.ParsedConfig
+	opts       Options
+	DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -441,9 +440,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// compare the leading zeroes
-	if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
+	if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
 		s.ClearCookie(w)
-		lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
+		lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
 		return
-- 
cgit v1.2.3
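Review bot: The new comparison takes its difficulty from `rule.Challenge.Difficulty` but nothing in the hunk bounds that value: `strings.Repeat` panics on a negative count, and a zero difficulty makes the prefix test vacuously true, so a mis-set rule would disable the work check silently rather than fail closed. Unless the policy loader already rejects such values, a guard ahead of the comparison such as `if d := rule.Challenge.Difficulty; d <= 0 || d > len(response) { /* same invalid-response path */ }` keeps a bad configuration from passing every response. `rule` is bound before this hunk; if it is re-derived from request attributes at validation time rather than carried in the issued challenge, it is worth confirming that the difficulty checked here is the one the client was actually given, since a per-rule difficulty is exactly the value this fix is meant to enforce. PassChallenge begins and ends outside this hunk.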