Add response poisoning

2025-04-03 14:18:55 +02:00
parent fa727b8fc2
commit e9269338e7
10 changed files with 291 additions and 3 deletions
--- a/lib/http.go
+++ b/lib/http.go
@@ -14,12 +14,14 @@ import (
 	"git.gammaspectra.live/git/go-away/lib/policy"
 	"github.com/google/cel-go/common/types"
 	"html/template"
+	"io"
 	"log/slog"
 	"maps"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -314,6 +316,47 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 					//TODO: configure block
 					fail(http.StatusForbidden, fmt.Errorf("access denied: blocked by administrative rule %s/%s", r.Header.Get("X-Away-Id"), rule.Hash))
 					return
+				case policy.RuleActionPOISON:
+					lg.Info("request poisoned", "rule", rule.Name, "rule_hash", rule.Hash)
+
+					mime := "text/html"
+					switch path.Ext(r.URL.Path) {
+					case ".css":
+					case ".json", ".js", ".mjs":
+
+					}
+
+					encodings := strings.Split(r.Header.Get("Accept-Encoding"), ",")
+					for i, encoding := range encodings {
+						encodings[i] = strings.TrimSpace(strings.ToLower(encoding))
+					}
+
+					reader, encoding := state.getPoison(mime, encodings)
+					if reader == nil {
+						mime = "application/octet-stream"
+						reader, encoding = state.getPoison(mime, encodings)
+					}
+
+					if reader != nil {
+						defer reader.Close()
+					}
+
+					w.Header().Set("Cache-Control", "max-age=0, private, must-revalidate, no-transform")
+					w.Header().Set("Vary", "Accept-Encoding")
+					w.Header().Set("Content-Type", mime)
+					w.Header().Set("X-Content-Type-Options", "nosniff")
+					if encoding != "" {
+						w.Header().Set("Content-Encoding", encoding)
+					}
+					w.WriteHeader(http.StatusOK)
+					if flusher, ok := w.(http.Flusher); ok {
+						// trigger chunked encoding
+						flusher.Flush()
+					}
+					if r != nil {
+						_, _ = io.Copy(w, reader)
+					}
+					return
 				}
 			}
 		}
--- a/lib/poison.go
+++ b/lib/poison.go
@@ -0,0 +1,26 @@
+package lib
+
+import (
+	go_away "git.gammaspectra.live/git/go-away"
+	"io"
+	"path"
+	"slices"
+	"strings"
+)
+
+var poisonEncodings = []string{"br", "zstd", "gzip"}
+
+func (state *State) getPoison(mime string, encodings []string) (r io.ReadCloser, encoding string) {
+	for _, encoding = range poisonEncodings {
+		if !slices.Contains(encodings, encoding) {
+			continue
+		}
+
+		p := path.Join("poison", strings.ReplaceAll(mime, "/", "_")+"."+encoding+".poison")
+		f, err := go_away.PoisonFs.Open(p)
+		if err == nil {
+			return f, encoding
+		}
+	}
+	return nil, ""
+}
--- a/lib/policy/rule.go
+++ b/lib/policy/rule.go
@@ -8,6 +8,7 @@ const (
 	RuleActionBLOCK     RuleAction = "BLOCK"
 	RuleActionCHALLENGE RuleAction = "CHALLENGE"
 	RuleActionCHECK     RuleAction = "CHECK"
+	RuleActionPOISON    RuleAction = "POISON"
 )

 type Rule struct {
--- a/lib/state.go
+++ b/lib/state.go
@@ -57,6 +57,8 @@ type State struct {

 	PublicKey  ed25519.PublicKey
 	PrivateKey ed25519.PrivateKey
+
+	Poison map[string][]byte
 }

 type RuleState struct {