From 0e1b2f985a5f24325af08f759939ba582073f06b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Oct 2023 22:31:19 +0000 Subject: [PATCH 1/3] Bump golang.org/x/net from 0.10.0 to 0.17.0 Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](https://github.com/golang/net/compare/v0.10.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 3e3e559..1a1c0a1 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,7 @@ require ( github.com/joho/godotenv v1.5.1 github.com/miekg/dns v1.1.54 github.com/radovskyb/watcher v1.0.7 - golang.org/x/net v0.10.0 + golang.org/x/net v0.17.0 ) require ( @@ -17,9 +17,9 @@ require ( github.com/go-jose/go-jose/v3 v3.0.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.19 // indirect - golang.org/x/crypto v0.9.0 // indirect + golang.org/x/crypto v0.14.0 // indirect golang.org/x/mod v0.10.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect golang.org/x/tools v0.9.3 // indirect ) diff --git a/go.sum b/go.sum index 1419173..29d10f8 100644 --- a/go.sum +++ b/go.sum 
@@ -30,23 +30,23 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= 
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From c83b6cb066712be4545aa8f95bcbd0a37f82ab9b Mon Sep 17 00:00:00 2001 From: sudosammy Date: Mon, 20 Nov 2023 21:28:08 +0800 Subject: [PATCH 2/3] bump dependancies & require golang 1.20 --- .circleci/config.yml | 2 +- README.md | 2 +- go.mod | 22 ++++++++-------- go.sum | 48 +++++++++++++++++------------------ libknary/dns_test.go | 4 +-- libknary/lego/cert_storage.go | 9 ++++--- 6 files changed, 44 insertions(+), 43 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1835350..5c0fec5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,7 +5,7 @@ jobs: build: working_directory: ~/repo docker: - - image: cimg/go:1.18-node + - image: cimg/go:1.20-node parallelism: 3 steps: - checkout diff --git a/README.md b/README.md index 12b0f83..9bf04f1 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Defenders also use canaries as tripwires that can alert them of an attacker with 1. Download the [applicable 64-bit knary binary](https://github.com/sudosammy/knary/releases) __OR__ build knary from source: -__Prerequisite:__ You need Go >=1.18 to build knary. +__Prerequisite:__ You need Go >=1.20 to build knary. ``` go install github.com/sudosammy/knary/v3@latest ``` 
diff --git a/go.mod b/go.mod index 1a1c0a1..2f59538 100644 --- a/go.mod +++ b/go.mod @@ -4,22 +4,22 @@ go 1.18 require ( github.com/blang/semver/v4 v4.0.0 - github.com/fatih/color v1.15.0 - github.com/go-acme/lego/v4 v4.12.1 + github.com/fatih/color v1.16.0 + github.com/go-acme/lego/v4 v4.14.2 github.com/joho/godotenv v1.5.1 - github.com/miekg/dns v1.1.54 + github.com/miekg/dns v1.1.57 github.com/radovskyb/watcher v1.0.7 - golang.org/x/net v0.17.0 + golang.org/x/net v0.18.0 ) require ( github.com/cenkalti/backoff/v4 v4.2.1 // indirect - github.com/go-jose/go-jose/v3 v3.0.0 // indirect + github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.19 // indirect - golang.org/x/crypto v0.14.0 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/sys v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect - golang.org/x/tools v0.9.3 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect + golang.org/x/crypto v0.15.0 // indirect + golang.org/x/mod v0.14.0 // indirect + golang.org/x/sys v0.14.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/tools v0.15.0 // indirect ) diff --git a/go.sum b/go.sum index 29d10f8..2bdef96 100644 --- a/go.sum +++ b/go.sum 
@@ -4,12 +4,12 @@ github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqy github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= -github.com/go-acme/lego/v4 v4.12.1 h1:Cy3FS7wADLNBqCLpz2wdfdNrThW9rZy8RCAfnUrL2uE= -github.com/go-acme/lego/v4 v4.12.1/go.mod h1:UZoOlhVmUYP/N0z4tEbfUjoCNHRZNObzqWZtT76DIsc= -github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= -github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/go-acme/lego/v4 v4.14.2 h1:/D/jqRgLi8Cbk33sLGtu2pX2jEg3bGJWHyV8kFuUHGM= +github.com/go-acme/lego/v4 v4.14.2/go.mod h1:kBXxbeTg0x9AgaOYjPSwIeJy3Y33zTz+tMD16O4MO6c= +github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= +github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0= 
@@ -17,38 +17,38 @@ github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwA github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= -github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI= -github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/radovskyb/watcher v1.0.7 h1:AYePLih6dpmS32vlHfhCeli8127LzkIgwJGcwwe8tUE= github.com/radovskyb/watcher v1.0.7/go.mod h1:78okwvY5wPdzcb1UYnip1pvrZNIVEIh/Cm+ZuvsUYIg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.14.0 
h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI= +golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= +golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.13.0 
h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM= -golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= +golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/libknary/dns_test.go b/libknary/dns_test.go index d142cef..396c554 100644 --- a/libknary/dns_test.go +++ b/libknary/dns_test.go @@ -7,8 +7,8 @@ import ( "time" ) -//code for 3 functions below here is taken and modified from -//here: https://github.com/miekg/dns/blob/67373879ce327b5fd112d9301d0a4d62bad6b904/server_test.go +// code for 3 functions below here is taken and modified from +// here: https://github.com/miekg/dns/blob/67373879ce327b5fd112d9301d0a4d62bad6b904/server_test.go func GokuServer(w dns.ResponseWriter, req *dns.Msg) { m := new(dns.Msg) m.SetReply(req) diff --git a/libknary/lego/cert_storage.go b/libknary/lego/cert_storage.go index caa7155..10b0f55 100644 --- a/libknary/lego/cert_storage.go +++ b/libknary/lego/cert_storage.go 
@@ -21,13 +21,14 @@ import ( ) // GetCertPath(): -// /knary/certs/ -// └── root certificates directory +// +// /knary/certs/ +// └── root certificates directory // // archive file path: -// /knary/certs/archives/ -// └── archived certificates directory // +// /knary/certs/archives/ +// └── archived certificates directory func GetCertPath() string { var certFolderName string var certPath string From a46e38ab1027ac8f6ef58fe15eed075154b8d63e Mon Sep 17 00:00:00 2001 From: sudosammy Date: Mon, 20 Nov 2023 23:26:39 +0800 Subject: [PATCH 3/3] fix allowlist bug + fix user-agent bug --- README.md | 2 +- VERSION | 2 +- libknary/dns.go | 6 +++- libknary/http.go | 68 +++++++++++++++++++++--------------- libknary/notificationctrl.go | 11 +++--- libknary/util.go | 4 +-- main.go | 2 +- 7 files changed, 56 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index 9bf04f1..599270e 100644 --- a/README.md +++ b/README.md 
@@ -69,7 +69,7 @@ If this were a denylist, it would stop knary from alerting on `www.knary.tld` bu If this were an allowlist, knary would alert on exact matches (`sam.knary.tld`) and subdomain matches (`website1.sam.knary.tld`). Use `ALLOWLIST_STRICT=true` to prevent this fuzzy matching and only alert on hits to `sam.knary.tld`. -You can use both a deny and allowlist simultaneously. **Note:** wildcards in these files are not supported. An entry of `*.knary.tld` will match that string exactly. +You can use both a deny and allowlist simultaneously, note the denylist always has the higher order of precedence. For example, a request to a subdomain that matches the allowlist, would still be denied if the User-Agent matches something in the denylist. **Note:** wildcards in these files are not supported. An entry of `*.knary.tld` will match that string exactly. 2. The `DNS_SUBDOMAIN` configuration allows you to specify a subdomain that knary must fuzzy match (i.e. `*.DNS_SUBDOMAIN.knary.tld`) before alerting on DNS hits. This configuration does not affect HTTP(S) requests and remains primarily to mimic legacy knary v2 functionality. **Consider using a deny/allowlist instead.** diff --git a/VERSION b/VERSION index 1cf8253..2aa5131 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.4.6 +3.4.7 diff --git a/libknary/dns.go b/libknary/dns.go index de4968e..b26ad78 100644 --- a/libknary/dns.go +++ b/libknary/dns.go @@ -89,7 +89,11 @@ func goSendMsg(ipaddr, reverse, name, record string) bool { Printy("Got "+record+" question for: "+name, 3) } - if !inAllowlist(name, ipaddr) || inBlacklist(name, ipaddr) { + if inBlacklist(name, ipaddr) { + return false // we check denylist first for consistent 'order of precedence' with the HTTP allow/denylist checking + } + + if !inAllowlist(name, ipaddr) { return false } diff --git a/libknary/http.go b/libknary/http.go index 58174cf..39ada22 100644 --- a/libknary/http.go +++ b/libknary/http.go 
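Review bot: In goSendMsg the denylist lookup is no longer short-circuited by the allowlist test, so `inBlacklist(name, ipaddr)` now runs for every question, including names the allowlist would have dropped anyway. Going by the notificationctrl.go hunk in this patch, a hit inside inBlacklist calls `denied.updateD(needle)`, which rewrites the entry's timestamp, so those timestamps now also move on traffic that was never eligible to alert. If that timestamp feeds any reporting, say so in the comment, e.g. `// denylist first: same precedence as HTTP; note this also refreshes the entry's last-hit time`. goSendMsg starts and ends outside this hunk.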
@@ -156,6 +156,12 @@ func Accept443(ln net.Listener, wg *sync.WaitGroup, restart <-chan bool) { } } +func httpRespond(conn net.Conn) bool { + conn.Write([]byte(" ")) // necessary as a 0 byte response triggers some clients to resend the request + conn.Close() // v. important lol + return true +} + func handleRequest(conn net.Conn) bool { // set timeout for reading responses _ = conn.SetDeadline(time.Now().Add(time.Second * time.Duration(2))) // 2 seconds 
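Review bot: httpRespond silently drops the results of `conn.Write` and `conn.Close` and has no doc comment, while handleRequest just below marks its own ignored error with `_ = conn.SetDeadline(...)`. Make the best-effort intent explicit the same way, `_, _ = conn.Write([]byte(" "))` and `_ = conn.Close()`, and add a comment such as `// httpRespond sends a one-byte body, closes conn and always returns true.` The bool result carries no information as written; it only lets callers write `return httpRespond(conn)`.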
@@ -243,43 +249,49 @@ func handleRequest(conn net.Conn) bool { } } - // take off the header name for the user agent - userAgent = strings.TrimPrefix(strings.ToLower(userAgent), "user-agent:") - hostDomain := strings.TrimPrefix(strings.ToLower(host), "host:") // trim off the "Host:" section of header + // take off the headers for the allow/denylist search + searchUserAgent := strings.TrimPrefix(strings.ToLower(userAgent), "user-agent:") + searchDomain := strings.TrimPrefix(strings.ToLower(host), "host:") // trim off the "Host:" section of header - if inAllowlist(hostDomain, conn.RemoteAddr().String(), fwd) && !inBlacklist(hostDomain, conn.RemoteAddr().String(), fwd) && inAllowlist(userAgent) && !inBlacklist(userAgent) { - var msg string - var fromIP string + // these conditionals were bugged in <=3.4.6 whereby subdomains/ips in the allowlist weren't allowed unless the user-agent was ALSO in the allowlist + // it should be easier to grok now + if inBlacklist(searchUserAgent, searchDomain, conn.RemoteAddr().String(), fwd) { // inBlacklist returns false on empty/unused denylists + return httpRespond(conn) + } + + if !inAllowlist(searchUserAgent, searchDomain, conn.RemoteAddr().String(), fwd) { // inAllowlist returns true on empty/unused allowlists + return httpRespond(conn) + } + + var msg string + var fromIP string + + if fwd != "" { + fromIP = fwd // use this when burp collab mode is active + } else { + fromIP = conn.RemoteAddr().String() + } - if fwd != "" { - fromIP = fwd // use this when burp collab mode is active + if cookie != "" { + if os.Getenv("FULL_HTTP_REQUEST") != "" { + msg = fmt.Sprintf("%s\n```Query: %s\n%s\n%s\nFrom: %s\n\n---------- FULL REQUEST ----------\n%s\n----------------------------------", host, query, userAgent, cookie, fromIP, response) } else { - fromIP = conn.RemoteAddr().String() + msg = fmt.Sprintf("%s\n```Query: %s\n%s\n%s\nFrom: %s", host, query, userAgent, cookie, fromIP) } - - if cookie != "" { - if os.Getenv("FULL_HTTP_REQUEST") != 
"" { - msg = fmt.Sprintf("%s\n```Query: %s\n%s\n%s\nFrom: %s\n\n---------- FULL REQUEST ----------\n%s\n----------------------------------", host, query, userAgent, cookie, fromIP, response) - } else { - msg = fmt.Sprintf("%s\n```Query: %s\n%s\n%s\nFrom: %s", host, query, userAgent, cookie, fromIP) - } + } else { + if os.Getenv("FULL_HTTP_REQUEST") != "" { + msg = fmt.Sprintf("%s\n```Query: %s\n%s\nFrom: %s\n\n---------- FULL REQUEST ----------\n%s\n----------------------------------", host, query, userAgent, fromIP, response) } else { - if os.Getenv("FULL_HTTP_REQUEST") != "" { - msg = fmt.Sprintf("%s\n```Query: %s\n%s\nFrom: %s\n\n---------- FULL REQUEST ----------\n%s\n----------------------------------", host, query, userAgent, fromIP, response) - } else { - msg = fmt.Sprintf("%s\n```Query: %s\n%s\nFrom: %s", host, query, userAgent, fromIP) - } + msg = fmt.Sprintf("%s\n```Query: %s\n%s\nFrom: %s", host, query, userAgent, fromIP) } + } - go sendMsg(msg + "```") - if os.Getenv("DEBUG") == "true" { - logger("INFO", fromIP+" - "+host) - } + go sendMsg(msg + "```") + if os.Getenv("DEBUG") == "true" { + logger("INFO", fromIP+" - "+host) } } } - conn.Write([]byte(" ")) // necessary as a 0 byte response triggers some clients to resend the request - conn.Close() // v. important lol - return true + return httpRespond(conn) } diff --git a/libknary/notificationctrl.go b/libknary/notificationctrl.go index 58ea966..de9cf79 100644 --- a/libknary/notificationctrl.go +++ b/libknary/notificationctrl.go 
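Review bot: Both new early returns in handleRequest drop the hit without leaving any trace in this function, and two of the four values they test, `searchUserAgent` and `fwd`, come from the request itself. Because the denylist check runs first and wins, the sender of a request has some influence over whether an alert is raised at all, which matters for a tool whose job is to alert. Unless inBlacklist already logs its matches (its body is only partly visible in this patch), record the suppression under DEBUG before returning, e.g. `logger("INFO", "denylist suppressed hit from "+conn.RemoteAddr().String())`, and keep User-Agent entries in the denylist as specific as possible. handleRequest starts outside this hunk.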
@@ -34,20 +34,18 @@ func (a *blacklist) updateD(term string) bool { if term == "" { return false // would happen if there's no X-Forwarded-For header } - item := standerdiseListItem(term) a.mutex.Lock() - a.deny[item] = time.Now() + a.deny[term] = time.Now() a.mutex.Unlock() return true } // search for a denied domain/IP func (a *blacklist) searchD(term string) bool { - item := standerdiseListItem(term) a.mutex.Lock() defer a.mutex.Unlock() - if _, ok := a.deny[item]; ok { + if _, ok := a.deny[term]; ok { return true // found! } return false @@ -116,7 +114,7 @@ func LoadBlacklist() (bool, error) { for scanner.Scan() { // foreach denied item if scanner.Text() != "" { - denied.updateD(scanner.Text()) + denied.updateD(standerdiseListItem(scanner.Text())) denyCount++ } } @@ -138,6 +136,7 @@ func inAllowlist(needles ...string) bool { // strict matching. don't match subdomains if needle == allowed[i].allow { if os.Getenv("DEBUG") == "true" { + logger("INFO", "Found "+needle+" in allowlist (strict mode)") Printy(needle+" matches allowlist", 3) } return true @@ -146,6 +145,7 @@ func inAllowlist(needles ...string) bool { // allow fuzzy matching if strings.HasSuffix(needle, allowed[i].allow) { if os.Getenv("DEBUG") == "true" { + logger("INFO", "Found "+needle+" in allowlist") Printy(needle+" matches allowlist", 3) } return true @@ -158,6 +158,7 @@ func inAllowlist(needles ...string) bool { func inBlacklist(needles ...string) bool { for _, needle := range needles { + needle := standerdiseListItem(needle) if denied.searchD(needle) { denied.updateD(needle) // found! diff --git a/libknary/util.go b/libknary/util.go index 00b87d7..1151c66 100644 --- a/libknary/util.go +++ b/libknary/util.go 
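Review bot: updateD and searchD now use `term` as the map key verbatim, so correctness depends on every caller having run standerdiseListItem first, and nothing on the methods says so. The two call sites changed in this patch (LoadBlacklist and inBlacklist) do normalise, but a later caller that passes a raw string would store or look up a key that never matches. Put the precondition in the doc comments, e.g. `// searchD reports whether term is denied; term must already be normalised with standerdiseListItem.` The body of searchD can also shrink to `_, ok := a.deny[term]` followed by `return ok`. updateD's signature sits above the hunk.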
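Review bot: In LoadBlacklist the emptiness test still looks at the raw `scanner.Text()`, while the value stored is now `standerdiseListItem(scanner.Text())`, and `denyCount++` runs whatever updateD returns. updateD returns false for an empty term, so if standerdiseListItem can reduce a line to the empty string (its body is not visible here; whitespace-only lines are the likely case) the heartbeat count will exceed the number of entries actually held. Count only successful inserts: `if denied.updateD(standerdiseListItem(scanner.Text())) { denyCount++ }`. LoadBlacklist starts and ends outside this hunk.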
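Review bot: The two new `logger("INFO", "Found "+needle+...)` calls (this hunk at -138 and the next one at -146) pass `needle` to the logger as-is, and after the http.go change in this patch `needle` can be the request's User-Agent or forwarded address. Quote the value so control characters in a header cannot alter the log line, e.g. `logger("INFO", "Found "+strconv.Quote(needle)+" in allowlist")`; this needs `strconv` imported in notificationctrl.go, which is not visible here. The adjacent `Printy(needle+" matches allowlist", 3)` has the same exposure on the terminal. inAllowlist starts and ends outside both hunks.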
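Review bot: inBlacklist now normalises each needle with standerdiseListItem, but the inAllowlist lines visible in this patch compare the raw needle (`needle == allowed[i].allow`, `strings.HasSuffix(needle, allowed[i].allow)`), so the two lists may treat the same request value differently. handleRequest passes values produced by `strings.TrimPrefix(..., "host:")`, which leaves any whitespace after the colon in place; if inAllowlist does not normalise earlier in its body (outside these hunks), strict-mode comparisons on the Host value are likely to miss. Apply the same call at the top of the inAllowlist loop, and prefer a distinct name over shadowing the loop variable here: `item := standerdiseListItem(needle)`. inBlacklist ends outside this hunk.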
@@ -244,7 +244,7 @@ func HeartBeat(version string, firstrun bool) (bool, error) { // print allowed items (if any) if allowCount > 0 { - beatMsg += strconv.Itoa(allowCount) + " allowed subdomains / IPs: \n" + beatMsg += strconv.Itoa(allowCount) + " allowed subdomains, User-Agents, IPs: \n" if os.Getenv("ALLOWLIST_STRICT") == "true" { beatMsg += "(Operating in strict mode) \n" } @@ -257,7 +257,7 @@ func HeartBeat(version string, firstrun bool) (bool, error) { // print denied items (if any) if denyCount > 0 { - beatMsg += strconv.Itoa(denyCount) + " denied subdomains / User-Agents / IPs: \n" + beatMsg += strconv.Itoa(denyCount) + " denied subdomains, User-Agents, IPs: \n" beatMsg += "------------------------\n" for subdomain := range denied.deny { beatMsg += subdomain + "\n" diff --git a/main.go b/main.go index 1bec0d8..1718ac6 100644 --- a/main.go +++ b/main.go @@ -15,7 +15,7 @@ import ( ) const ( - VERSION = "3.4.6" + VERSION = "3.4.7" GITHUB = "https://github.com/sudosammy/knary" GITHUBVERSION = "https://raw.githubusercontent.com/sudosammy/knary/master/VERSION" )