various fixes - ttl on /bans api, dnsbl undercover bug, greylist, whitelist and wrong path in realip job

2023-05-13 03:24:55 +02:00 · 2023-05-13 03:24:55 +02:00 · 5c415afa18
parent 3dde3ac0aa
commit 5c415afa18
9 changed files with 45 additions and 37 deletions
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@ -18,6 +18,7 @@ RUN apk add --no-cache --virtual .build-deps py3-pip && \
 	pip install --no-cache-dir --upgrade pip && \
 	pip install wheel && \
 	mkdir -p /usr/share/bunkerweb/deps/python && \
+	export MAKEFLAGS="-j$(nproc)" && \
 	pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
 	apk del .build-deps

--- a/src/bw/lua/bunkerweb/api.lua
+++ b/src/bw/lua/bunkerweb/api.lua
@ -141,12 +141,12 @@ api.global.GET["^/bans$"] = function(self)
 				return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
 					"can't access " .. k .. " from datastore : " + reason)
 			end
-			local ttl, err = self.datastore:ttl(k)
-			if not ttl then
+			local ok, ttl = self.datastore:ttl(k)
+			if not ok then
 				return self:response(ngx.HTTP_INTERNAL_SERVER_ERROR, "error",
-					"can't access ttl " .. k .. " from datastore : " .. err)
+					"can't access ttl " .. k .. " from datastore : " .. ttl)
 			end
-			local ban = { ip = k:sub(9, #k), reason = reason, exp = ttl }
+			local ban = { ip = k:sub(9, #k), reason = reason, exp = math.floor(ttl) }
 			table.insert(data, ban)
 		end
 	end
--- a/src/bw/lua/bunkerweb/utils.lua
+++ b/src/bw/lua/bunkerweb/utils.lua
@ -383,7 +383,7 @@ utils.get_ips = function(fqdn)
 	local ips = {}
 	for i, answer in ipairs(answers) do
 		if answer.address then
-			table.insert(ips, answer.addres)
+			table.insert(ips, answer.address)
 		end
 	end
 	return ips, "success"
--- a/src/common/cli/CLI.py
+++ b/src/common/cli/CLI.py
@ -26,7 +26,7 @@ def format_remaining_time(seconds):
    if minutes > 0:
        time_parts.append(f"{int(minutes)} minute{'' if minutes == 1 else 's'}")
    if seconds > 0:
-        time_parts.append(f"{seconds:.2f} second{'' if seconds == 1 else 's'}")
+        time_parts.append(f"{seconds} second{'' if seconds == 1 else 's'}")

    if len(time_parts) > 1:
        time_parts[-1] = f"and {time_parts[-1]}"
--- a/src/common/core/blacklist/blacklist.lua
+++ b/src/common/core/blacklist/blacklist.lua
@ -22,6 +22,7 @@ function blacklist:initialize()
 		local lists, err = self.datastore:get("plugin_blacklist_lists")
 		if not lists then
 			self.logger:log(ngx.ERR, err)
+			self.lists = {}
 		else
 			self.lists = cjson.decode(lists)
 		end
@ -39,6 +40,9 @@ function blacklist:initialize()
 		}
 		for kind, _ in pairs(kinds) do
 			for data in self.variables["BLACKLIST_" .. kind]:gmatch("%S+") do
+				if not self.lists[kind] then
+					self.lists[kind] = {}
+				end
 				table.insert(self.lists[kind], data)
 			end
 		end
@ -116,7 +120,7 @@ function blacklist:access()
 		elseif cached and cached ~= "ok" then
 			return self:ret(true, k .. " is in cached blacklist (info : " .. cached .. ")", utils.get_deny_status())
 		end
-		if cached then
+		if ok and cached then
 			already_cached[k] = true
 		end
 	end
--- a/src/common/core/dnsbl/dnsbl.lua
+++ b/src/common/core/dnsbl/dnsbl.lua
@ -27,6 +27,10 @@ function dnsbl:access()
 	if self.variables["DNSBL_LIST"] == "" then
 		return self:ret(true, "dnsbl list is empty")
 	end
+	-- Don't go further if IP is not global
+	if not ngx.ctx.bw.ip_is_global then
+		return self:ret(true, "client IP is not global, skipping DNSBL check")
+	end
 	-- Check if IP is in cache
 	local ok, cached = self:is_in_cache(ngx.ctx.bw.remote_addr)
 	if not ok then
@ -37,14 +41,6 @@ function dnsbl:access()
 		end
 		return self:ret(true, "client IP " .. ngx.ctx.bw.remote_addr .. " is in DNSBL cache (server = " .. cached .. ")", utils.get_deny_status())
 	end
-	-- Don't go further if IP is not global
-	if not ngx.ctx.bw.ip_is_global then
-		local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, "ok")
-		if not ok then
-			return self:ret(false, "error while adding element to cache : " .. err)
-		end
-		return self:ret(true, "client IP is not global, skipping DNSBL check")
-	end
 	-- Loop on DNSBL list
 	for server in self.variables["DNSBL_LIST"]:gmatch("%S+") do
 		local result, err = self:is_in_dnsbl(ngx.ctx.bw.remote_addr, server)
@ -52,7 +48,7 @@ function dnsbl:access()
 			self.logger:log(ngx.ERR, "error while sending DNS request to " .. server .. " : " .. err)
 		end
 		if result then
-			local ok, err self:add_to_cache(ngx.ctx.bw.remote_addr, server)
+			local ok, err = self:add_to_cache(ngx.ctx.bw.remote_addr, server)
 			if not ok then
 				return self:ret(false, "error while adding element to cache : " .. err)
 			end
@ -72,7 +68,7 @@ function dnsbl:preread()
 end

 function dnsbl:is_in_cache(ip)
-	local ok, data = self.cachestore:get("plugin_dnsbl_" .. ip)
+	local ok, data = self.cachestore:get("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip)
 	if not ok then
 		return false, data
 	end
@ -80,7 +76,7 @@ function dnsbl:is_in_cache(ip)
 end

 function dnsbl:add_to_cache(ip, value)
-	local ok, err = self.cachestore:set("plugin_dnsbl_" .. ip, value, 86400)
+	local ok, err = self.cachestore:set("plugin_dnsbl_" .. ngx.ctx.bw.server_name .. ip, value, 86400)
 	if not ok then
 		return false, err
 	end 
@ -88,14 +84,13 @@ function dnsbl:add_to_cache(ip, value)
 end

 function dnsbl:is_in_dnsbl(ip, server)
-	local request = resolver.arpa_str(ip) .. "." .. server
+	local request = resolver.arpa_str(ip):gsub("%.in%-addr%.arpa", ""):gsub("%.ip6%.arpa", "") .. "." .. server
 	local ips, err = utils.get_ips(request)
 	if not ips then
 		return nil, err
 	end
 	for i, ip in ipairs(ips) do
-		local a, b, c, d = ip:match("([%d]+).([%d]+).([%d]+).([%d]+)")
-		if a == "127" then
+		if ip:find("^127%.0%.0%.") then
 			return true, "success"
 		end
 	end
--- a/src/common/core/greylist/greylist.lua
+++ b/src/common/core/greylist/greylist.lua
@ -21,6 +21,7 @@ function greylist:initialize()
 		local lists, err = self.datastore:get("plugin_greylist_lists")
 		if not lists then
 			self.logger:log(ngx.ERR, err)
+			self.lists = {}
 		else
 			self.lists = cjson.decode(lists)
 		end
@ -33,6 +34,9 @@ function greylist:initialize()
 		}
 		for kind, _ in pairs(kinds) do
 			for data in self.variables["GREYLIST_" .. kind]:gmatch("%S+") do
+				if not self.lists[kind] then
+					self.lists[kind] = {}
+				end
 				table.insert(self.lists[kind], data)
 			end
 		end
@ -98,13 +102,13 @@ function greylist:access()
 		["UA"] = false
 	}
 	for k, v in pairs(checks) do
-		local cached, err = self:is_in_cache(v)
-		if not cached and err ~= "success" then
-			self.logger:log(ngx.ERR, "error while checking cache : " .. err)
-		elseif cached and cached ~= "ok" then
-			return self:ret(true, k .. " is in cached greylist", utils.get_deny_status())
+		local ok, cached = self:is_in_cache(v)
+		if not ok then
+			self.logger:log(ngx.ERR, "error while checking cache : " .. cached)
+		elseif cached and cached ~= "ko" then
+			return self:ret(true, k .. " is in cached greylist (info : " .. cached .. ")")
 		end
-		if cached then
+		if ok and cached then
 			already_cached[k] = true
 		end
 	end
@ -115,23 +119,23 @@ function greylist:access()
 	-- Perform checks
 	for k, v in pairs(checks) do
 		if not already_cached[k] then
-			local greylisted, err = self:is_greylisted(k)
-			if greylisted == nil then
-				self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. err)
+			local ok, greylisted = self:is_greylisted(k)
+			if ok == nil then
+				self.logger:log(ngx.ERR, "error while checking if " .. k .. " is greylisted : " .. greylisted)
 			else
-				local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted or "ok")
+				local ok, err = self:add_to_cache(self:kind_to_ele(k), greylisted)
 				if not ok then
 					self.logger:log(ngx.ERR, "error while adding element to cache : " .. err)
 				end
-				if greylisted == "ko" then
-					return self:ret(true, k .. " is not in greylist", utils.get_deny_status())
+				if greylisted ~= "ko" then
+					return self:ret(true, k .. " is in greylist")
 				end
 			end
 		end
 	end

 	-- Return
-	return self:ret(true, "greylisted")
+	return self:ret(true, "not in greylist", utils.get_deny_status())
 end

 function greylist:preread()
--- a/src/common/core/realip/jobs/realip-download.py
+++ b/src/common/core/realip/jobs/realip-download.py
@ -119,7 +119,7 @@ try:

    # Put file in cache
    cached, err = cache_file(
-        "/var/tmp/bunkerweb/realip-combined.list",
+        "/var/tmp/bunkerweb/realip/combined.list",
        "/var/cache/bunkerweb/realip/combined.list",
        new_hash,
        db,
--- a/src/common/core/whitelist/whitelist.lua
+++ b/src/common/core/whitelist/whitelist.lua
@ -23,6 +23,7 @@ function whitelist:initialize()
 		local lists, err = self.datastore:get("plugin_whitelist_lists")
 		if not lists then
 			self.logger:log(ngx.ERR, err)
+			self.lists = {}
 		else
 			self.lists = cjson.decode(lists)
 		end
@ -35,6 +36,9 @@ function whitelist:initialize()
 		}
 		for kind, _ in pairs(kinds) do
 			for data in self.variables["WHITELIST_" .. kind]:gmatch("%S+") do
+				if not self.lists[kind] then
+					self.lists[kind] = {}
+				end
 				table.insert(self.lists[kind], data)
 			end
 		end
@ -166,7 +170,7 @@ function whitelist:check_cache()
 		checks["URI"] = "uri" .. ngx.ctx.bw.uri
 	end
 	local already_cached = {}
-	for i, k in ipairs(checks) do
+	for k, v in pairs(checks) do
 		already_cached[k] = false
 	end
 	for k, v in pairs(checks) do
@ -176,7 +180,7 @@ function whitelist:check_cache()
 		elseif cached and cached ~= "ok" then
 			return true, k .. " is in cached whitelist (info : " .. cached .. ")"
 		end
-		if cached then
+		if ok and cached then
 			already_cached[k] = true
 		end
 	end