Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issues when running JS challenge #1395

Merged
merged 7 commits into from
Mar 31, 2020
Merged

Fix issues when running JS challenge #1395

merged 7 commits into from
Mar 31, 2020

Conversation

vankoven
Copy link
Contributor

@vankoven vankoven commented Mar 27, 2020
edited by krizhanovsky
Loading

Fix #1393

Changes:

  • Don't treat */* token in Accept: header as allowing to send JS challenge
  • Lower pressure on Tempesta by legitimate clients processing JS challenge by eliminating favicon.ico request. Empty favicon is integrated into JS challenge template.
  • Don't allow 'unchallengeable' requests to pass the challenge by mistake
  • Restart challenge if client has a cookie value from the last run. E.g. If the the challenge is failed, user still can reload the page and try challenge once again.

@krizhanovsky krizhanovsky self-requested a review March 28, 2020 13:43
@krizhanovsky krizhanovsky self-assigned this Mar 28, 2020
@krizhanovsky krizhanovsky mentioned this pull request Mar 28, 2020
Closed
3 tasks
krizhanovsky
krizhanovsky requested changes Mar 28, 2020
View reviewed changes
Copy link
Contributor

@krizhanovsky krizhanovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes do make sense and looks good except #1203 degradation.

tempesta_fw/http_parser.c Outdated Show resolved Hide resolved
tempesta_fw/t/unit/test_http_parser.c Show resolved Hide resolved
tempesta_fw/http_sess.c Show resolved Hide resolved
vankoven added 5 commits March 30, 2020 12:00
@vankoven
Don't send JavaScript challenge if '*/*' was spotted in Accept: req…
a579460 
…uest header

First browser request always contains `text/html` token since it tries
to load DOM. Even if it tries to load image. But in the same time
`*/*` is forwarded in almost all browser request, thus every image,
favicon and other requests are treated by Tempesta as requests allowed
to run JS code. That's not true and this requests violate JS challenge
conditions.
@vankoven
JS Challenge: Avoid favicon load by browser
d9d8abe 
Give an empty file as favicon image, so browser never sends a
`/favicon.ico`. This reduce requests during JS challenge processing
from two to one.
The code was borrowed from https://stackoverflow.com/questions/1321878/how-to-prevent-favicon-ico-requests
@vankoven
Restart JS challenge if cookie was too old to run the challenge
0937fed
@vankoven
Bump copyrights
e61898d
@vankoven
Make Accept header parsing more strict: don't allow '*' at type/subty…
fe73233 
…pe start
@krizhanovsky krizhanovsky mentioned this pull request Mar 30, 2020
Closed
krizhanovsky
krizhanovsky approved these changes Mar 30, 2020
View reviewed changes
Copy link
Contributor

@krizhanovsky krizhanovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with the small code improvements

tempesta_fw/http_parser.c Outdated
TRY_STR("html", Req_I_AfterTextSlash, Req_I_AcceptHtml);
if (c == '*')
__FSM_I_MOVE(I_EoT);
__FSM_I_JMP(Req_I_AfterTextSlashToken);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just fall through

tempesta_fw/http_parser.c Outdated
@@ -5294,27 +5298,29 @@ __h2_req_parse_accept(TfwHttpReq *req, unsigned char *data, size_t len,
}

__FSM_STATE(Req_I_AfterTextSlash) {
if (c == '*')
__FSM_H2_I_MOVE(I_EoT);
__FSM_I_JMP(Req_I_AfterTextSlashToken);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the same - just fall through, no need to jump

@vankoven vankoven merged commit f66b243 into master Mar 31, 2020
@vankoven vankoven deleted the ik-fix-jsch branch March 31, 2020 03:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krizhanovsky krizhanovsky krizhanovsky approved these changes

Assignees

@krizhanovsky krizhanovsky

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

JS/sticky cookie challenge fails
2 participants
@vankoven @krizhanovsky