Merge 1c9b28968d into cd384a8a60

[upd] pypi: Bump selenium from 4.25.0 to 4.26.1
Bumps [selenium](https://github.com/SeleniumHQ/Selenium) from 4.25.0 to 4.26.1. - [Release notes](https://github.com/SeleniumHQ/Selenium/releases) - [Commits](https://github.com/SeleniumHQ/Selenium/commits) --- updated-dependencies: - dependency-name: selenium dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2024-11-07 18:18:41 +08:00 · 2024-11-06 10:01:13 +01:00 · 2024-11-06 08:16:21 +01:00 · 2024-11-06 08:16:21 +01:00 · 2024-10-27 13:42:57 +01:00
11 changed files with 242 additions and 172 deletions
--- a/.github/workflows/checker.yml
+++ b/.github/workflows/checker.yml
@ -1,5 +1,5 @@
 name: "Checker"
-on:
+on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 4 * * 5"
  workflow_dispatch:
--- a/.github/workflows/data-update.yml
+++ b/.github/workflows/data-update.yml
@ -1,5 +1,5 @@
 name: "Update searx.data"
-on:
+on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "59 23 28 * *"
  workflow_dispatch:
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@ -1,6 +1,6 @@
 name: Integration

-on:
+on:  # yamllint disable-line rule:truthy
  push:
    branches: ["master"]
  pull_request:
@ -16,7 +16,7 @@ jobs:
    strategy:
      matrix:
        os: [ubuntu-20.04]
-        python-version:  ["3.9", "3.10", "3.11", "3.12",]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@ -111,7 +111,7 @@ jobs:
          BRANCH: gh-pages
          FOLDER: dist/docs
          CLEAN: true  # Automatically remove deleted files from the deploy branch
-        SINGLE_COMMIT: True
+          SINGLE_COMMIT: true
          COMMIT_MESSAGE: '[doc] build from commit ${{ github.sha }}'

  babel:
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -1,5 +1,5 @@
 name: "Security checks"
-on:
+on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "42 05 * * *"
  workflow_dispatch:
--- a/.github/workflows/translations-update.yml
+++ b/.github/workflows/translations-update.yml
@ -1,5 +1,5 @@
 name: "Update translations"
-on:
+on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "05 07 * * 5"
  workflow_dispatch:
--- a/docs/src/searx.botdetection.rst
+++ b/docs/src/searx.botdetection.rst
@ -53,6 +53,9 @@ Probe HTTP headers
 .. automodule:: searx.botdetection.http_user_agent
  :members:

+.. automodule:: searx.botdetection.sec_fetch
+  :members:
+
 .. _botdetection config:

 Config
--- a/2
+++ b/2
@ -57,7 +57,7 @@ while IFS= read -r line; do
    if [ "$line" != "tests/unit/settings/syntaxerror_settings.yml" ]; then
        YAMLLINT_FILES+=("$line")
    fi
-done <<< "$(git ls-files './tests/*.yml' './searx/*.yml' './utils/templates/etc/searxng/*.yml')"
+done <<< "$(git ls-files './tests/*.yml' './searx/*.yml' './utils/templates/etc/searxng/*.yml' '.github/*.yml' '.github/*/*.yml')"

 RST_FILES=(
    'README.rst'
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -4,7 +4,7 @@ cov-core==1.15.0
 black==24.3.0
 pylint==3.3.1
 splinter==0.21.0
-selenium==4.25.0
+selenium==4.26.1
 Pallets-Sphinx-Themes==2.3.0
 Sphinx==7.4.7
 sphinx-issues==5.0.0
--- a/searx/botdetection/_helpers.py
+++ b/searx/botdetection/_helpers.py
@ -31,6 +31,9 @@ def dump_request(request: flask.Request):
        + " || Content-Length: %s" % request.headers.get('Content-Length')
        + " || Connection: %s" % request.headers.get('Connection')
        + " || User-Agent: %s" % request.headers.get('User-Agent')
+        + " || Sec-Fetch-Site: %s" % request.headers.get('Sec-Fetch-Site')
+        + " || Sec-Fetch-Mode: %s" % request.headers.get('Sec-Fetch-Mode')
+        + " || Sec-Fetch-Dest: %s" % request.headers.get('Sec-Fetch-Dest')
    )


--- a/searx/botdetection/http_sec_fetch.py
+++ b/searx/botdetection/http_sec_fetch.py
@ -0,0 +1,59 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+Method ``http_sec_fetch``
+-------------------------
+
+The ``http_sec_fetch`` method protect resources from web attacks with `Fetch
+Metadata`_.  A request is filtered out in case of:
+
+- http header Sec-Fetch-Mode_ is invalid
+- http header Sec-Fetch-Dest_ is invalid
+
+.. _Fetch Metadata:
+   https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
+
+.. Sec-Fetch-Dest:
+   https://developer.mozilla.org/en-US/docs/Web/API/Request/destination
+
+.. Sec-Fetch-Mode:
+   https://developer.mozilla.org/en-US/docs/Web/API/Request/mode
+
+
+"""
+# pylint: disable=unused-argument
+
+from __future__ import annotations
+from ipaddress import (
+    IPv4Network,
+    IPv6Network,
+)
+
+import flask
+import werkzeug
+
+from . import config
+from ._helpers import logger
+
+
+def filter_request(
+    network: IPv4Network | IPv6Network,
+    request: flask.Request,
+    cfg: config.Config,
+) -> werkzeug.Response | None:
+
+    val = request.headers.get("Sec-Fetch-Mode", "")
+    if val != "navigate":
+        logger.debug("invalid Sec-Fetch-Mode '%s'", val)
+        return flask.redirect(flask.url_for('index'), code=302)
+
+    val = request.headers.get("Sec-Fetch-Site", "")
+    if val not in ('same-origin', 'same-site', 'none'):
+        logger.debug("invalid Sec-Fetch-Site '%s'", val)
+        flask.redirect(flask.url_for('index'), code=302)
+
+    val = request.headers.get("Sec-Fetch-Dest", "")
+    if val != "document":
+        logger.debug("invalid Sec-Fetch-Dest '%s'", val)
+        flask.redirect(flask.url_for('index'), code=302)
+
+    return None
--- a/searx/limiter.py
+++ b/searx/limiter.py
@ -111,6 +111,7 @@ from searx.botdetection import (
    http_accept_encoding,
    http_accept_language,
    http_user_agent,
+    http_sec_fetch,
    ip_limit,
    ip_lists,
    get_network,
@ -178,16 +179,17 @@ def filter_request(request: flask.Request) -> werkzeug.Response | None:
        logger.error("BLOCK %s: matched BLOCKLIST - %s", network.compressed, msg)
        return flask.make_response(('IP is on BLOCKLIST - %s' % msg, 429))

-    # methods applied on /
+    # methods applied on all requests

    for func in [
        http_user_agent,
    ]:
        val = func.filter_request(network, request, cfg)
        if val is not None:
+            logger.debug(f"NOT OK ({func.__name__}): {network}: %s", dump_request(flask.request))
            return val

-    # methods applied on /search
+    # methods applied on /search requests

    if request.path == '/search':

@ -196,12 +198,15 @@ def filter_request(request: flask.Request) -> werkzeug.Response | None:
            http_accept_encoding,
            http_accept_language,
            http_user_agent,
+            http_sec_fetch,
            ip_limit,
        ]:
            val = func.filter_request(network, request, cfg)
            if val is not None:
+                logger.debug(f"NOT OK ({func.__name__}): {network}: %s", dump_request(flask.request))
                return val
-    logger.debug(f"OK {network}: %s", dump_request(flask.request))
+        logger.debug(f"OK: {network}: %s", dump_request(flask.request))
+
    return None
Author	SHA1	Message	Date
Markus Heiser	53e85309f9	Merge `1c9b28968d` into `cd384a8a60`	2024-11-07 18:18:41 +08:00
dependabot[bot]	cd384a8a60	[upd] pypi: Bump selenium from 4.25.0 to 4.26.1 Bumps [selenium](https://github.com/SeleniumHQ/Selenium) from 4.25.0 to 4.26.1. - [Release notes](https://github.com/SeleniumHQ/Selenium/releases) - [Commits](https://github.com/SeleniumHQ/Selenium/commits) --- updated-dependencies: - dependency-name: selenium dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-11-06 10:01:13 +01:00
Markus Heiser	c4055e449f	[fix] issues reported by `make test.yamllint` Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>	2024-11-06 08:16:21 +01:00
Markus Heiser	2fdbf2622b	[mod] lint github YAML config files Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>	2024-11-06 08:16:21 +01:00
Markus Heiser	1c9b28968d	[mod] botdetection: HTTP Fetch Metadata Request Headers HTTP Fetch Metadata Request Headers [1][2] are used to detect bot requests. Bots with invalid Fetch Metadata will be redirected to the intro (`index`) page. [1] https://www.w3.org/TR/fetch-metadata/ [2] https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>	2024-10-27 13:42:57 +01:00