Tags: polcak/anubis
v1.17.0: Asahi sas Brutus

Signed-off-by: Xe Iaso <[email protected]>
fix(config): remove trailing newlines in regexes (TecharoHQ#373)

Closes TecharoHQ#372

Fun YAML fact of the day: What is the difference between how these two expressions are parsed?

```yaml
foo: >
  bar
```

```yaml
foo: >-
  bar
```

They are invisible in yaml, but when you evaluate them to JSON the difference is obvious:

```json
{ "foo": "bar\n" }
```

```json
{ "foo": "bar" }
```

User-Agent strings, URL path values, and HTTP headers _do_ end in newlines in HTTP/1.1 wire form, but that newline is usually stripped before the server actually handles it. Also HTTP/2 is a thing and does not terminate header values with newlines.

This change makes Anubis more aggressively detect mistaken uses of the yaml `>` operator and nudges the user into using the yaml `>-` operator which does not append the trailing newline.

I had honestly forgotten about this YAML behavior because it wasn't relevant for so long. Oops! Glad I released a beta.

Whenever you get into this state, Anubis will throw a config parsing error and then give you a message hinting at the folly of your ways.

```
config.Bot: regular expression ends with newline (try >- instead of > in yaml)
```

Big thanks to https://yaml-multiline.info, this helped me realize my folly instantly.

@aiverson, this is official permission to say "told you so".

Signed-off-by: Xe Iaso <[email protected]>
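The failure mode the commit describes, as an added illustration that is not Anubis's own code: a bot regex that picked up a trailing newline from a YAML `>` block can never match a header whose newline was already stripped, so a config loader should reject it up front. `CompileBotRegex`, `Matches` and the sample User-Agent are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrTrailingNewline carries the same hint as the error message quoted above.
var ErrTrailingNewline = errors.New("regular expression ends with newline (try >- instead of > in yaml)")

// CompileBotRegex is a hypothetical config-loading helper: it refuses any
// expression that ends in a newline before handing it to the regexp package.
func CompileBotRegex(field, expr string) (*regexp.Regexp, error) {
	if strings.HasSuffix(expr, "\n") {
		return nil, fmt.Errorf("%s: %w", field, ErrTrailingNewline)
	}
	return regexp.Compile(expr)
}

// Matches reports whether a (newline-stripped) header value matches expr.
// It is only here to show what the unchecked regex would do at request time.
func Matches(expr, headerValue string) bool {
	re, err := regexp.Compile(expr)
	if err != nil {
		return false
	}
	return re.MatchString(headerValue)
}

func main() {
	// Constructed values standing in for what a YAML ">" and ">-" block yield.
	folded := "Mozilla/5\\.0 \\(compatible; ExampleBot.*\n" // from ">"
	stripped := "Mozilla/5\\.0 \\(compatible; ExampleBot.*"  // from ">-"
	ua := "Mozilla/5.0 (compatible; ExampleBot/1.0)"          // header as the server sees it

	fmt.Println(Matches(folded, ua))   // false: the regex demands a trailing newline
	fmt.Println(Matches(stripped, ua)) // true

	for _, expr := range []string{folded, stripped} {
		if _, err := CompileBotRegex("config.Bot", expr); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Printf("accepted: %q\n", expr)
		}
	}
}
```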
fix(lib): make Anubis less paranoid (TecharoHQ#365)

Previously Anubis would aggressively make sure that the client cookie matched exactly what it should. This has turned out to be too paranoid in practice and has caused problems with Happy Eyeballs et al. This is a potential fix to TecharoHQ#303 and TecharoHQ#289.
v1.16.0: Fordola rem Lupis

> I want to make them pay! All of them! Everyone who ever mocked or looked down on me -- I want the power to make them pay!

The following features are the "big ticket" items:

- Added support for native Debian, Red Hat, and tarball packaging strategies including installation and use directions.
- A prebaked tarball has been added, allowing distros to build Anubis like they could in v1.15.x.
- The placeholder Anubis mascot has been replaced with a design by [CELPHASE](https://bsky.app/profile/celphase.bsky.social).
- Verification page now shows hash rate and a progress bar for completion probability.
- Added support for [OpenGraph tags](https://ogp.me/) when rendering the challenge page. This allows for social previews to be generated when sharing the challenge page on social media platforms ([TecharoHQ#195](TecharoHQ#195))
- Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`.

The following other small fixes have been made:

- Added a periodic cleanup routine for the decaymap that removes expired entries, ensuring stale data is properly pruned.
- Added a no-store Cache-Control header to the challenge page
- Hide the directory listings for Anubis' internal static content
- Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.
- DroneBL lookups have been disabled by default
- Static asset builds are now done on demand instead of the results being committed to source control
- The Dockerfile has been removed as it is no longer in use
- Developer documentation has been added to the docs site
- Show more errors when some predictable challenge page errors happen ([TecharoHQ#150](TecharoHQ#150))
- Added the `--debug-benchmark-js` flag for testing proof-of-work performance during development.
- Use `TrimSuffix` instead of `TrimRight` on containerbuild
- Fix the startup logs to correctly show the address and port the server is listening on
- Add [LibreJS](https://www.gnu.org/software/librejs/) banner to Anubis JavaScript to allow LibreJS users to run the challenge
- Added a wait with button continue + 30 second auto continue after 30s if you click "Why am I seeing this?"
- Fixed a typo in the challenge page title.
- Disabled running integration tests on Windows hosts due to its reliance on posix features (see [TecharoHQ#133](TecharoHQ#133) (comment)).
- Fixed minor typos
- Added a Makefile to enable comfortable workflows for downstream packagers.
- Added `zizmor` for GitHub Actions static analysis
- Fixed most `zizmor` findings
- Enabled Dependabot
- Added an air config for autoreload support in development ([TecharoHQ#195](TecharoHQ#195))
- Added an `--extract-resources` flag to extract static resources to a local folder.
- Add noindex flag to all Anubis pages ([TecharoHQ#227](TecharoHQ#227)).
- Added `WEBMASTER_EMAIL` variable, if it is present then display that email address on error pages ([TecharoHQ#235](TecharoHQ#235), [TecharoHQ#115](TecharoHQ#115))
- Hash pinned all GitHub Actions
Zenos yae Galvus: Echo 1

Fixes a recurrence of [CVE-2025-24369](GHSA-56w8-8ppj-2p4f) due to an incorrect logic change in a refactor. This allows an attacker to mint a valid access token by passing any SHA-256 hash instead of one that matches the proof-of-work test.

This case has been added as a regression test. It was not when CVE-2025-24369 was released due to the project not having the maturity required to enable this kind of regression testing.
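The class of bug the advisory text describes, as an added defender-side illustration that is not Anubis's own code. The proof-of-work scheme here (hex SHA-256 of challenge plus nonce, must start with `difficulty` zero digits) is an assumption for the example, as are the function names; `VerifyWeak` accepts any well-formed digest, `VerifyStrict` recomputes the digest from the server-known challenge and is the kind of check a regression test should pin.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strconv"
	"strings"
)

// hashFor computes the assumed proof-of-work digest for a challenge and nonce.
func hashFor(challenge string, nonce int) string {
	sum := sha256.Sum256([]byte(challenge + strconv.Itoa(nonce)))
	return hex.EncodeToString(sum[:])
}

// VerifyWeak shows the bug pattern: it only checks that the submitted value
// looks like a SHA-256 digest, so any 64-hex-digit string mints a token.
func VerifyWeak(challenge string, nonce int, submitted string, difficulty int) bool {
	_, err := hex.DecodeString(submitted)
	return err == nil && len(submitted) == 64
}

// VerifyStrict recomputes the digest from the server-known challenge and the
// client's nonce, compares it in constant time with what the client sent,
// and then enforces the difficulty target on the recomputed value.
func VerifyStrict(challenge string, nonce int, submitted string, difficulty int) bool {
	expected := hashFor(challenge, nonce)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) != 1 {
		return false
	}
	return strings.HasPrefix(expected, strings.Repeat("0", difficulty))
}

// Solve brute-forces a nonce for the demo; in Anubis this work happens in the
// browser. It returns the nonce and the digest the client would submit.
func Solve(challenge string, difficulty int) (int, string) {
	target := strings.Repeat("0", difficulty)
	for nonce := 0; ; nonce++ {
		if h := hashFor(challenge, nonce); strings.HasPrefix(h, target) {
			return nonce, h
		}
	}
}
```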
Zenos yae Galvus

> Yes...the coming days promise to be most interesting. Most interesting.

Headline changes:

- ed25519 signing keys for Anubis can be stored in the flag `--ed25519-private-key-hex` or envvar `ED25519_PRIVATE_KEY_HEX`
- Add the ability to set the cookie domain with the envvar `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
- Add the ability to set the cookie partitioned flag with the envvar `COOKIE_PARTITIONED=true`

Many other small changes were made, including but not limited to:

- Fixed and clarified installation instructions
- Introduced integration tests using Playwright
- Refactor & Split up Anubis into cmd and lib.go
- Fixed bot check to only apply if address range matches
- Fix default difficulty setting that was broken in a refactor
- Linting fixes
- Make dark mode diff lines readable in the documentation
- Fix CI based browser smoke test

Users running Anubis' test suite may run into issues with the integration tests on Windows hosts. This is a known issue and will be fixed at some point in the future. In the meantime, use the Windows Subsystem for Linux (WSL).