ci: trigger on tags

ci: change push trigger
challenges: add refresh via JavaScript window.location
2025-05-03 22:14:15 +02:00 · 2025-05-03 22:12:13 +02:00 · 2025-05-03 21:35:12 +02:00 · 2025-05-03 21:21:13 +02:00
6 changed files with 36 additions and 19 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -144,8 +144,8 @@ local goVersion = "1.24";
 local mirror = "https://mirror.gcr.io";

 [
-    Build(mirror, goVersion, alpineVersion, "linux", "amd64") + {"trigger": {event: ["push"], branch: ["*"], }},
-    Build(mirror, goVersion, alpineVersion, "linux", "arm64") + {"trigger": {event: ["push"], branch: ["*"], }},
+    Build(mirror, goVersion, alpineVersion, "linux", "amd64") + {"trigger": {event: ["push", "tag"], }},
+    Build(mirror, goVersion, alpineVersion, "linux", "arm64") + {"trigger": {event: ["push", "tag"], }},

    # Test PRs
    Build(mirror, goVersion, alpineVersion, "linux", "amd64") + {"name": "test-pr", "trigger": {event: ["pull_request"], }},
--- a/.drone.yml
+++ b/.drone.yml
@@ -66,10 +66,9 @@ steps:
  mirror: https://mirror.gcr.io
  name: test-wasm-fail
 trigger:
-  branch:
-  - '*'
  event:
  - push
+  - tag
 type: docker
 ---
 environment:
@@ -139,10 +138,9 @@ steps:
  mirror: https://mirror.gcr.io
  name: test-wasm-fail
 trigger:
-  branch:
-  - '*'
  event:
  - push
+  - tag
 type: docker
 ---
 environment:
@@ -505,6 +503,6 @@ trigger:
 type: docker
 ---
 kind: signature
-hmac: 5200d5eb519acb0f74a7b62b103399da23d6e994d63c20052b41b10a4654b37a
+hmac: df53e4ea6f1c47df4d2a3f89b931b8513e83daa9c6c15baba2662d8112a721c8

 ...
--- a/examples/forgejo.yml
+++ b/examples/forgejo.yml
@@ -50,7 +50,7 @@ conditions:

  is-suspicious-crawler:
    # TLS Fingerprint for specific agent without ALPN
-    - '(userAgent.startsWith("Mozilla/") || userAgent.startsWith("Opera/")) && ("ja4" in fp && fp.ja4.matches("^t[0-9a-z]+00_")) && !(userAgent.contains("facebookexternalhit/") || userAgent.contains("Twitterbot/"))'
+    - '(userAgent.startsWith("Mozilla/") || userAgent.startsWith("Opera/")) && ("ja4" in fp && fp.ja4.matches("^t[0-9a-z]+00_")) && !(userAgent.contains("compatible;") || userAgent.contains("+http") || userAgent.contains("facebookexternalhit/") || userAgent.contains("Twitterbot/"))'
    # Old engines
    - 'userAgent.contains("Presto/") || userAgent.contains("Trident/")'
    # Old IE browsers
@@ -147,7 +147,7 @@ rules:
      - name: 0
        action: check
        settings:
-          challenges: [js-pow-sha256, http-cookie-check]
+          challenges: [js-refresh, http-cookie-check]
      - name: 1
        action: check
        settings:
@@ -173,7 +173,7 @@ rules:
      - 'path.matches("^/[^/]+/[^/]+/archive/.*\\.(bundle|zip|tar\\.gz)") && ($is-generic-browser)'
    action: challenge
    settings:
-      challenges: [ js-pow-sha256 ]
+      challenges: [ js-refresh ]

  - name: allow-git-operations
    conditions:
@@ -242,11 +242,11 @@ rules:
      - name: 0
        action: check
        settings:
-          challenges: [preload-link, header-refresh, js-pow-sha256, http-cookie-check]
+          challenges: [preload-link, header-refresh, js-refresh, http-cookie-check]
      - name: 1
        action: check
        settings:
-          challenges: [ resource-load, js-pow-sha256, http-cookie-check ]
+          challenges: [ resource-load, js-refresh, http-cookie-check ]

  - name: standard-bots
    action: check
@@ -274,7 +274,7 @@ rules:
      # if DNSBL fails, check additional challenges
      fail: check
      fail-settings:
-        challenges: [js-pow-sha256, http-cookie-check]
+        challenges: [js-refresh, http-cookie-check]

  # Allow PUT/DELETE/PATCH/POST requests in general
  - name: non-get-request
@@ -321,7 +321,7 @@ rules:
  - name: standard-browser
    action: challenge
    settings:
-      challenges: [http-cookie-check, preload-link, meta-refresh, resource-load, js-pow-sha256]
+      challenges: [http-cookie-check, preload-link, meta-refresh, resource-load, js-refresh, js-pow-sha256]
    conditions:
      - '($is-generic-browser)'

--- a/examples/generic.yml
+++ b/examples/generic.yml
@@ -98,7 +98,7 @@ rules:
      - name: 0
        action: check
        settings:
-          challenges: [js-pow-sha256]
+          challenges: [js-refresh]
      - name: 1
        action: check
        settings:
@@ -122,12 +122,12 @@ rules:
      # if DNSBL fails, check additional challenges
      fail: check
      fail-settings:
-        challenges: [js-pow-sha256]
+        challenges: [js-refresh]

  - name: suspicious-fetchers
    action: check
    settings:
-      challenges: [js-pow-sha256]
+      challenges: [js-refresh]
    conditions:
      - 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")'

@@ -170,7 +170,7 @@ rules:
  - name: standard-browser
    action: challenge
    settings:
-      challenges: [preload-link, meta-refresh, resource-load, js-pow-sha256]
+      challenges: [preload-link, meta-refresh, resource-load, js-refresh]
    conditions:
      - '($is-generic-browser)'

--- a/examples/snippets/challenge-js-refresh.yml
+++ b/examples/snippets/challenge-js-refresh.yml
@@ -0,0 +1,6 @@
+challenges:
+  js-refresh:
+    # Challenges with a redirect via window.location (requires HTML parsing and JavaScript logic)
+    runtime: "refresh"
+    parameters:
+      refresh-via: "javascript"
--- a/lib/challenge/refresh/refresh.go
+++ b/lib/challenge/refresh/refresh.go
@@ -1,9 +1,12 @@
 package refresh

 import (
+	"encoding/json"
+	"fmt"
 	"git.gammaspectra.live/git/go-away/lib/challenge"
 	"github.com/goccy/go-yaml"
 	"github.com/goccy/go-yaml/ast"
+	"html/template"
 	"net/http"
 	"time"
 )
@@ -45,7 +48,17 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 			return challenge.VerifyResultFail
 		}

-		if params.Mode == "meta" {
+		if params.Mode == "javascript" {
+			data, err := json.Marshal(uri.String())
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
+				"EndTags": []template.HTML{
+					template.HTML(fmt.Sprintf("<script type=\"text/javascript\">window.location = %s;</script>", string(data))),
+				},
+			})
+		} else if params.Mode == "meta" {
 			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
 				"MetaTags": []map[string]string{
 					{
Author	SHA1	Message	Date
WeebDataHoarder	816d0fef90	ci: trigger on tags	2025-05-03 22:14:15 +02:00
WeebDataHoarder	06aca367a1	ci: change push trigger	2025-05-03 22:12:13 +02:00
WeebDataHoarder	44c9114ae5	challenges: add refresh via JavaScript window.location	2025-05-03 21:35:12 +02:00
WeebDataHoarder	4b1878f1ac	examples/forgejo: exclude fetchers from suspicious crawler	2025-05-03 21:21:13 +02:00