johan
/
inou
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
inou/portal/defense.go

297 lines
7.3 KiB
Go
Raw Permalink Blame History

package main
import (
"fmt"
"inou/lib"
"net/http"
"regexp"
"strings"
"time"
)
// Matches 16-char hex IDs (inou format) or standard UUIDs
var guidPattern = regexp.MustCompile(`[0-9a-fA-F]{16}|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`)
const tarpitDuration = 30 * time.Second
var tarpitPatterns = []string{
// PHP/CMS
"php", "wp-", "xmlrpc", "phpmyadmin", "pma", "adminer",
"joomla", "drupal", "magento", "administrator",
// Config/Secrets
".env", ".git", ".svn", ".htaccess", ".htpasswd",
".aws", ".docker", ".bak", ".sql",
// Java/Spring
"actuator", "jolokia", "console",
// ColdFusion
"cfide", "cf_scripts",
// Shells/Exploits
"shell", "cgi-bin", "elfinder", "filemanager", "fckeditor",
// Infrastructure
"/manager/", "jenkins", "jmx-console", "web-console",
"solr", "telescope", "elmah",
// Network devices
"goform", "hnap", "stssys",
}
var validPaths = []string{
"/",
"/static/",
"/robots.txt",
"/sitemap.xml",
"/favicon.ico",
"/apple-touch-icon.png",
"/apple-touch-icon-precomposed.png",
"/app-ads.txt",
"/llms.txt",
"/send-code",
"/verify",
"/onboard",
"/logout",
"/dashboard",
"/connect",
"/install",
"/start",
"/invite",
"/set-lang",
"/privacy-policy",
"/security",
"/legal/dpa",
"/legal/terms",
"/demo",
"/oauth/authorize",
"/oauth/token",
"/oauth/userinfo",
"/oauth/revoke",
"/.well-known/",
"/register",
"/styleguide",
"/pricing",
"/faq",
"/dossier/",
"/viewer/",
"/data/",
"/image/",
"/contact-sheet.webp/",
"/download/",
// API - specific routes only (no broad /api prefix)
"/api/docs",
"/api/openapi.yaml",
"/api/token/",
"/api/version",
"/api/dossier", // covers /api/dossier and /api/dossiers
"/api/studies",
"/api/series",
"/api/slices",
"/api/labs/",
"/api/access",
"/api/audit",
"/api/entries",
"/api/trackers",
"/api/v1/auth/",
"/api/v1/dashboard",
"/api/v1/trackers",
"/api/v1/health",
"/api/v1/token",
"/api/v1/dossiers",
"/api/v1/images/",
"/api/v1/categories",
}
var whitelistedIPs = map[string]bool{
"82.22.36.202": true, // our vulnerability scanner
}
func isLocalIP(ip string) bool {
return strings.HasPrefix(ip, "192.168.")
}
func getIP(r *http.Request) string {
if fwd := r.Header.Get("X-Forwarded-For"); fwd != "" {
return strings.Split(fwd, ",")[0]
}
return strings.Split(r.RemoteAddr, ":")[0]
}
func isValidPath(path string) bool {
if path == "/api" || path == "/mcp" {
return true
}
for _, p := range validPaths {
if p == "/" && path == "/" {
return true
}
if p != "/" && strings.HasPrefix(path, p) {
return true
}
}
return false
}
func shouldTarpit(path string) bool {
lower := strings.ToLower(path)
if strings.HasSuffix(lower, ".js") &&
lower != "/static/upload.js" &&
lower != "/static/carousel.js" &&
lower != "/static/viewer.js" {
return true
}
for _, pattern := range tarpitPatterns {
if strings.Contains(lower, pattern) {
return true
}
}
return false
}
// hasGUID checks if path or query contains a GUID-like token
// This indicates a legitimate client with invalid/expired credentials
func hasGUID(r *http.Request) bool {
// Check path
if guidPattern.MatchString(r.URL.Path) {
return true
}
// Check query params (token=xxx, dossier=xxx, etc.)
if guidPattern.MatchString(r.URL.RawQuery) {
return true
}
// Check Authorization header
if auth := r.Header.Get("Authorization"); auth != "" {
if guidPattern.MatchString(auth) {
return true
}
}
return false
}
// tarpit holds connection silent then closes - no HTTP response
func tarpit(w http.ResponseWriter, r *http.Request, label string) {
ip := getIP(r)
logAccess("\033[33m%s %s %s %s %s\033[0m",
time.Now().Format("2006-01-02 15:04:05"),
ip, label, r.Method, r.URL.RequestURI())
w.WriteHeader(444)
}
func defense(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
path := r.URL.Path
ip := getIP(r)
// Known bad patterns - tarpit immediately (unless GUID present)
if shouldTarpit(strings.ToLower(path)) {
if hasGUID(r) {
// Looks like a real client with bad/expired token - give proper error
logAccess("\033[33m%s %s INVALID_TOKEN %s %s\033[0m",
time.Now().Format("2006-01-02 15:04:05"),
ip, r.Method, r.URL.RequestURI())
http.Error(w, "Invalid or expired token", http.StatusUnauthorized)
return
}
tarpit(w, r, "TARPIT")
return
}
// MCP without Bearer token - not a legitimate client
if path == "/mcp" && !isLocalIP(ip) {
if !strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
tarpit(w, r, "MCP_NO_AUTH")
return
}
}
// Unknown paths from non-local IPs
if !isValidPath(path) && !isLocalIP(ip) {
if hasGUID(r) {
// Looks like a real client with bad/expired token - give proper error
logAccess("\033[33m%s %s INVALID_TOKEN %s %s\033[0m",
time.Now().Format("2006-01-02 15:04:05"),
ip, r.Method, r.URL.RequestURI())
http.Error(w, "Invalid or expired token", http.StatusUnauthorized)
return
}
tarpit(w, r, "PROBE")
return
}
next.ServeHTTP(w, r)
})
}
type statusCapture struct {
http.ResponseWriter
status int
r *http.Request
}
func (s *statusCapture) WriteHeader(code int) {
s.status = code
if code == 404 && s.r.URL.Path != "/favicon.ico" {
ip := getIP(s.r)
if !whitelistedIPs[ip] {
lib.SendSignal(fmt.Sprintf("404: %s %s", ip, s.r.URL.Path))
}
}
s.ResponseWriter.WriteHeader(code)
}
func notifyOn404(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
capture := &statusCapture{ResponseWriter: w, status: 200, r: r}
next.ServeHTTP(capture, r)
})
}
func normalizeQuery(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
raw := r.URL.RawQuery
raw = strings.ReplaceAll(raw, "&amp%253B", "&")
raw = strings.ReplaceAll(raw, "&amp%3B", "&")
raw = strings.ReplaceAll(raw, "&", "&")
raw = strings.ReplaceAll(raw, "%26amp%3B", "&")
raw = strings.ReplaceAll(raw, "%26amp;", "&")
r.URL.RawQuery = raw
next(w, r)
}
}
// httpsRedirectMiddleware redirects HTTP requests to HTTPS
// Respects X-Forwarded-Proto header for deployments behind reverse proxy
func httpsRedirectMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Skip redirect for health checks and local development
if r.URL.Path == "/api/v1/health" || isLocalIP(getIP(r)) {
next.ServeHTTP(w, r)
return
}
// Check if request is already HTTPS (direct or via proxy)
isHTTPS := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
if !isHTTPS {
// Build HTTPS URL
target := "https://" + r.Host + r.URL.RequestURI()
http.Redirect(w, r, target, http.StatusMovedPermanently)
return
}
next.ServeHTTP(w, r)
})
}
// hstsMiddleware adds HTTP Strict Transport Security headers
func hstsMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Only add HSTS header for HTTPS requests
isHTTPS := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
if isHTTPS {
// max-age=1 year (31536000 seconds), include subdomains, preload ready
w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
}
next.ServeHTTP(w, r)
})
}
Reference in New Issue View Git Blame Copy Permalink