From 8c7640aa095c66f8263f88ce1bf8fa8a5e59bad8 Mon Sep 17 00:00:00 2001 
From: Xe Iaso Date: Fri, 9 May 2025 12:24:23 -0400 Subject: [PATCH] v1.18.0: Varis zos Galvus The big ticket feature in this release is [CEL expression matching support](https://anubis.techaro.lol/docs/admin/configuration/expressions). This allows you to tailor your approach for the individual services you are protecting. These can be as simple as: ```yaml - name: allow-api-requests action: ALLOW expression: all: - '"Accept" in headers' - 'headers["Accept"] == "application/json"' - 'path.startsWith("/api/")' ``` Or as complicated as: ```yaml - name: allow-git-clients action: ALLOW expression: all: - >- ( userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-") ) - '"Git-Protocol" in headers' - headers["Git-Protocol"] == "version=2" ``` The docs have more information, but here's a tl;dr of the variables you have access to in expressions: | Name | Type | Explanation | Example | | :-------------- | :-------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------- | | `headers` | `map[string, string]` | The [headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers) of the request being processed. | `{"User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/137.0"}` | | `host` | `string` | The [HTTP hostname](https://web.dev/articles/url-parts#host) the request is targeted to. | `anubis.techaro.lol` | | `method` | `string` | The [HTTP method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods) in the request being processed. | `GET`, `POST`, `DELETE`, etc. | | `path` | `string` | The [path](https://web.dev/articles/url-parts#pathname) of the request being processed. 
| `/`, `/api/memes/create` | | `query` | `map[string, string]` | The [query parameters](https://web.dev/articles/url-parts#query) of the request being processed. | `?foo=bar` -> `{"foo": "bar"}` | | `remoteAddress` | `string` | The IP address of the client. | `1.1.1.1` | | `userAgent` | `string` | The [`User-Agent`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent) string in the request being processed. | `Mozilla/5.0 Gecko/20100101 Firefox/137.0` | This will be made more elaborate in the future. Give me time. This is a [simple, lovable, and complete](https://longform.asmartbear.com/slc/) implementation of this feature so that administrators can get hacking ASAP. Other changes: - Use CSS variables to deduplicate styles - Fixed native packages not containing the stdlib and botPolicies.yaml - Change import syntax to allow multi-level imports - Changed the startup logging to use JSON formatting as all the other logs do. - Added the ability to do [expression matching with CEL](./admin/configuration/expressions.mdx) - Add a warning for clients that don't store cookies - Disable Open Graph passthrough by default ([#435](https://github.com/TecharoHQ/anubis/issues/435)) - Clarify the license of the mascot images ([#442](https://github.com/TecharoHQ/anubis/issues/442)) - Started Suppressing 'Context canceled' errors from http in the logs ([#446](https://github.com/TecharoHQ/anubis/issues/446)) Signed-off-by: Xe Iaso --- VERSION | 2 +- docs/docs/CHANGELOG.md | 51 ++++++++++++++++++++++++++++++++++++++++++ package-lock.json | 6 ++--- package.json | 4 ++-- 4 files changed, 57 insertions(+), 6 deletions(-) diff --git a/VERSION b/VERSION index 7616ade..84cc529 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.18.0-pre1 +1.18.0 diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index 71769e1..ddd1722 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md 
@@ -11,6 +11,57 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## v1.18.0: Varis zos Galvus + +The big ticket feature in this release is [CEL expression matching support](https://anubis.techaro.lol/docs/admin/configuration/expressions). This allows you to tailor your approach for the individual services you are protecting. + +These can be as simple as: + +```yaml +- name: allow-api-requests + action: ALLOW + expression: + all: + - '"Accept" in headers' + - 'headers["Accept"] == "application/json"' + - 'path.startsWith("/api/")' +``` + +Or as complicated as: + +```yaml +- name: allow-git-clients + action: ALLOW + expression: + all: + - >- + ( + userAgent.startsWith("git/") || + userAgent.contains("libgit") || + userAgent.startsWith("go-git") || + userAgent.startsWith("JGit/") || + userAgent.startsWith("JGit-") + ) + - '"Git-Protocol" in headers' + - headers["Git-Protocol"] == "version=2" +``` + +The docs have more information, but here's a tl;dr of the variables you have access to in expressions: + +| Name | Type | Explanation | Example | +| :-------------- | :-------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------- | +| `headers` | `map[string, string]` | The [headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers) of the request being processed. | `{"User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/137.0"}` | +| `host` | `string` | The [HTTP hostname](https://web.dev/articles/url-parts#host) the request is targeted to. | `anubis.techaro.lol` | +| `method` | `string` | The [HTTP method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods) in the request being processed. | `GET`, `POST`, `DELETE`, etc. 
| +| `path` | `string` | The [path](https://web.dev/articles/url-parts#pathname) of the request being processed. | `/`, `/api/memes/create` | +| `query` | `map[string, string]` | The [query parameters](https://web.dev/articles/url-parts#query) of the request being processed. | `?foo=bar` -> `{"foo": "bar"}` | +| `remoteAddress` | `string` | The IP address of the client. | `1.1.1.1` | +| `userAgent` | `string` | The [`User-Agent`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent) string in the request being processed. | `Mozilla/5.0 Gecko/20100101 Firefox/137.0` | + +This will be made more elaborate in the future. Give me time. This is a [simple, lovable, and complete](https://longform.asmartbear.com/slc/) implementation of this feature so that administrators can get hacking ASAP. + +Other changes: + - Use CSS variables to deduplicate styles - Fixed native packages not containing the stdlib and botPolicies.yaml - Change import syntax to allow multi-level imports diff --git a/package-lock.json b/package-lock.json index 106d9e5..3f479a2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@techaro/anubis", - "version": "1.18.0-pre1", + "version": "1.18.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@techaro/anubis", - "version": "1.18.0-pre1", + "version": "1.18.0", "license": "ISC", "devDependencies": { "cssnano": "^7.0.6", @@ -2739,4 +2739,4 @@ } } } -} +} \ No newline at end of file diff --git a/package.json b/package.json index ba59987..ca9f06e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@techaro/anubis", - "version": "1.18.0-pre1", + "version": "1.18.0", "description": "", "main": "index.js", "scripts": { @@ -25,4 +25,4 @@ "postcss-import-url": "^7.2.0", "postcss-url": "^10.1.3" } -} +} \ No newline at end of file
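Review bot: In the docs/docs/CHANGELOG.md hunk, both ALLOW examples (`allow-api-requests` and `allow-git-clients`) decide only on values the client supplies (`Accept`, `User-Agent`, `Git-Protocol`), and the added text never says so. As written, `allow-git-clients` has no `path` or `remoteAddress` condition, so the rule matches any request that sends those two headers, whatever it targets. Suggest one sentence after the variables table stating that `headers`, `userAgent` and `query` are request-supplied, and that ALLOW rules should also constrain `path` (as the first example does with `path.startsWith("/api/")`) or `remoteAddress`. Minor style point: the last item, `- headers["Git-Protocol"] == "version=2"`, is the only expression left unquoted; single-quote it like its siblings so the YAML is consistent.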
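Review bot: The closing hunks of package-lock.json (`@@ -2739,4 +2739,4 @@`) and package.json (`@@ -25,4 +25,4 @@`) swap the final `}` for `}` followed by `\ No newline at end of file`, so this release commit strips the trailing newline from both files. That change is unrelated to the version bump and will reappear as diff noise the next time a tool writes the newline back. Restore the newline in both files, and if the `version` field was rewritten by tooling, have that step preserve the original line ending.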