Impact
The default ruleset has the following entry:
{
  "name": "rss-readers",
  "path_regex": ".*\\.(rss|xml|atom|json)$",
  "action": "ALLOW"
},
The intent of this rule was to let RSS readers work with my blog in particular.
Frameworks like Rails treat the extension at the end of a URL specially, so a request for /things/12345-whateverhaha.json matches the rule above and could bypass Anubis.
If your webapp doesn't use a framework with slug resolution rules like that, this is not a security risk.
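As an added example (not code from the Anubis project), the Go program below loads rules in the JSON shape quoted above, evaluates a request path against them, and shows that the default rss-readers rule lets the slug path through. The first-match evaluation order, the TightenedPolicy rule and its feed path names are assumptions made for this example, not the v1.14.2 change.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Rule mirrors the policy entry quoted in the advisory; re is the compiled path_regex.
type Rule struct {
	Name      string `json:"name"`
	PathRegex string `json:"path_regex"`
	Action    string `json:"action"`
	re        *regexp.Regexp
}

// DefaultPolicy is the rss-readers rule as the advisory quotes it. TightenedPolicy is a
// hypothetical replacement (assumed here, not the v1.14.2 fix) anchored to real feed paths.
const (
	DefaultPolicy   = `[{"name":"rss-readers","path_regex":".*\\.(rss|xml|atom|json)$","action":"ALLOW"}]`
	TightenedPolicy = `[{"name":"rss-readers","path_regex":"^/(feed|index)\\.(rss|xml|atom)$","action":"ALLOW"}]`
)

// LoadRules parses a policy array and compiles each path_regex so a bad pattern fails at load time.
func LoadRules(policy string) ([]Rule, error) {
	var rules []Rule
	if err := json.Unmarshal([]byte(policy), &rules); err != nil {
		return nil, err
	}
	for i := range rules {
		rules[i].re = regexp.MustCompile(rules[i].PathRegex)
	}
	return rules, nil
}

// Decide returns the action of the first rule whose path_regex matches path, or "" when
// nothing matches and the request falls through to the challenge (first-match is assumed).
func Decide(rules []Rule, path string) string {
	for _, r := range rules {
		if r.re.MatchString(path) {
			return r.Action
		}
	}
	return ""
}

func main() {
	rules, _ := LoadRules(DefaultPolicy)
	fmt.Println(Decide(rules, "/things/12345-whateverhaha.json")) // ALLOW: the challenge is skipped
}
```

Running the same path against TightenedPolicy returns "", so the request would reach the challenge instead of being waved through.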
Patches
v1.14.2 fixes this issue for the default configuration.
Workarounds
Anyone with a custom bot policy file is unaffected.
References
See #67 for more information.
Credits
Thanks Graham Sutherland for reporting this over email.