v1.15.1: Zenos yae Galvus: Echo 1 (#181)
* version 1.15.0 (#144) Signed-off-by: Xe Iaso <me@xeiaso.net> * cmd/anubis actually check the result with the correct difficulty Signed-off-by: Xe Iaso <me@xeiaso.net> * v1.15.1: Zenos yae Galvus: Echo 1 Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Henri Vasserman <henv@hot.ee>
This commit is contained in:
Xe Iaso
GitHub
parent
4b8efcba9b
commit
f844fffd1e
3 changed files with 22 additions and 11 deletions
2
VERSION
2
VERSION
|
|
@ -1 +1 @@
|
||||||
1.15.0
|
1.15.1
|
||||||
|
|
|
||||||
|
|
@ -11,6 +11,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
## v1.15.1
|
||||||
|
|
||||||
|
Zenos yae Galvus: Echo 1
|
||||||
|
|
||||||
|
Fixes a recurrence of [CVE-2025-24369](https://github.com/Xe/x/security/advisories/GHSA-56w8-8ppj-2p4f)
|
||||||
|
due to an incorrect logic change in a refactor. This allows an attacker to mint a valid
|
||||||
|
access token by passing any SHA-256 hash instead of one that matches the proof-of-work
|
||||||
|
test.
|
||||||
|
|
||||||
|
This case has been added as a regression test. It was not when CVE-2025-24369 was released
|
||||||
|
due to the project not having the maturity required to enable this kind of regression testing.
|
||||||
|
|
||||||
## v1.15.0
|
## v1.15.0
|
||||||
|
|
||||||
Zenos yae Galvus
|
Zenos yae Galvus
|
||||||
|
|
|
||||||
|
|
@ -145,14 +145,13 @@ func New(opts Options) (*Server, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
type Server struct {
|
type Server struct {
|
||||||
mux *http.ServeMux
|
mux *http.ServeMux
|
||||||
next http.Handler
|
next http.Handler
|
||||||
priv ed25519.PrivateKey
|
priv ed25519.PrivateKey
|
||||||
pub ed25519.PublicKey
|
pub ed25519.PublicKey
|
||||||
policy *policy.ParsedConfig
|
policy *policy.ParsedConfig
|
||||||
opts Options
|
opts Options
|
||||||
DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
|
DNSBLCache *decaymap.Impl[string, dnsbl.DroneBLResponse]
|
||||||
ChallengeDifficulty int
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
@ -428,9 +427,9 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// compare the leading zeroes
|
// compare the leading zeroes
|
||||||
if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
|
if !strings.HasPrefix(response, strings.Repeat("0", rule.Challenge.Difficulty)) {
|
||||||
s.ClearCookie(w)
|
s.ClearCookie(w)
|
||||||
lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
|
lg.Debug("difficulty check failed", "response", response, "difficulty", rule.Challenge.Difficulty)
|
||||||
templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
|
templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
|
||||||
failedValidations.Inc()
|
failedValidations.Inc()
|
||||||
return
|
return
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue