Merge pull request #508 from bunkerity/dev

Merge branch "dev" into branch "staging"

src/bw/Dockerfile

@@ -69,7 +69,7 @@ RUN apk add --no-cache pcre bash python3 && \
 	ln -s /proc/1/fd/1 /var/log/nginx/access.log
 
 # Fix CVEs
-RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2"
+RUN apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" "curl>=8.1.0-r0" "libcurl>=8.1.0-r0" "libwebp>=1.2.4-r2" "ncurses-libs>=6.3_p20221119-r1" "ncurses-terminfo-base>=6.3_p20221119-r1"
 
 VOLUME /data /etc/nginx
 

src/bw/lua/bunkerweb/plugin.lua

@@ -12,7 +12,7 @@ function plugin:initialize(id)
     self.id = id
     local multisite = false
     local current_phase = ngx.get_phase()
-    for i, check_phase in ipairs({ "set", "access", "content", "header", "log", "preread", "log_stream", "log_default" }) do
+    for i, check_phase in ipairs({ "set", "access", "content", "header_filter", "log", "preread", "log_stream", "log_default" }) do
         if current_phase == check_phase then
             multisite = true
             break

src/common/core/antibot/antibot.lua

@@ -221,6 +221,11 @@ function antibot:display_challenge()
 	if self.variables["USE_ANTIBOT"] == "hcaptcha" then
 		template_vars.hcaptcha_sitekey = self.variables["ANTIBOT_HCAPTCHA_SITEKEY"]
 	end
+	
+	-- Turnstile case
+	if self.variables["USE_ANTIBOT"] == "turnstile" then
+		template_vars.turnstile_sitekey = self.variables["ANTIBOT_TURNSTILE_SITEKEY"]
+	end
 
 	-- Render content
 	template.render(self.variables["USE_ANTIBOT"] .. ".html", template_vars)
@@ -346,6 +351,45 @@ function antibot:check_challenge()
 		self.session_data.time_valid = ngx.now()
 		return true, "resolved", self.session_data.original_uri
 	end
+	
+	-- Turnstile case
+	if self.variables["USE_ANTIBOT"] == "turnstile" then
+		ngx.req.read_body()
+		local args, err = ngx.req.get_post_args(1)
+		if err == "truncated" or not args or not args["token"] then
+			return nil, "missing challenge arg", nil
+		end
+		local httpc, err = http.new()
+		if not httpc then
+			return nil, "can't instantiate http object : " .. err, nil, nil
+		end
+		local data = {
+			secret=self.variables["ANTIBOT_TURNSTILE_SECRET"],
+			response=args["token"],
+			remoteip=ngx.ctx.bw.remote_addr
+		}
+		local res, err = httpc:request_uri("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
+			method = "POST",
+			body = cjson.encode(data),
+			headers = {
+				["Content-Type"] = "application/x-www-form-urlencoded"
+			}
+		})
+		httpc:close()
+		if not res then
+			return nil, "can't send request to Turnstile API : " .. err, nil
+		end
+		local ok, tdata = pcall(cjson.decode, res.body)
+		if not ok then
+			return nil, "error while decoding JSON from Turnstile API : " .. data, nil
+		end
+		if not tdata.success then
+			return false, "client failed challenge", nil
+		end
+		self.session_data.resolved = true
+		self.session_data.time_valid = ngx.now()
+		return true, "resolved", self.session_data.original_uri
+	end
 
 	return nil, "unknown", nil
 end

src/common/core/antibot/plugin.json

@@ -11,7 +11,7 @@
       "help": "Activate antibot feature.",
       "id": "use-antibot",
       "label": "Antibot challenge",
-      "regex": "^(no|cookie|javascript|captcha|recaptcha|hcaptcha)$",
+      "regex": "^(no|cookie|javascript|captcha|recaptcha|hcaptcha|turnstile)$",
       "type": "select",
       "select": [
         "no",
@@ -19,7 +19,8 @@
         "javascript",
         "captcha",
         "recaptcha",
-        "hcaptcha"
+        "hcaptcha",
+        "turnstile"
       ]
     },
     "ANTIBOT_URI": {
@@ -76,6 +77,24 @@
       "regex": "^(0x[a-zA-Z0-9]+)?$",
       "type": "password"
     },
+    "ANTIBOT_TURNSTILE_SITEKEY": {
+      "context": "multisite",
+      "default": "",
+      "help": "Sitekey for Turnstile challenge.",
+      "id": "antibot-turnstile-sitekey",
+      "label": "Turnstile sitekey",
+      "regex": "^(0x[\\w-]+)?$",
+      "type": "text"
+    },
+    "ANTIBOT_TURNSTILE_SECRET": {
+      "context": "multisite",
+      "default": "",
+      "help": "Secret for Turnstile challenge.",
+      "id": "antibot-turnstile-secret",
+      "label": "Turnstile secret",
+      "regex": "^(0x[\\w-]+)?$",
+      "type": "password"
+    },
     "ANTIBOT_TIME_RESOLVE": {
       "context": "multisite",
       "default": "60",

src/common/core/misc/misc.lua

@@ -21,7 +21,7 @@ function misc:access()
             return self:ret(true, "method " .. method .. " is allowed")
         end
     end
-    return self:ret(true, "method " .. method .. " not is allowed", ngx.HTTP_NOT_ALLOWED)
+    return self:ret(true, "method " .. method .. " is not allowed", ngx.HTTP_NOT_ALLOWED)
 end
 
 return misc