
Comments (6)

evilaliv3 avatar evilaliv3 commented on June 7, 2024

Hello @nigeltrego

Would you please describe the type of attack that you received and how many reports you received?
Can you provide a link to the platform where we could see the type of questionnaire implemented?

At the moment GlobaLeaks implements an automatic proof of work based on the hashcash concept and other automatic techniques that are intended to slow down attacks, and we have always considered graphical captchas to be ineffective and easily circumvented.

What is your advice? Do you consider there is an open source library that we could use that you consider a good solution to the problem?

from globaleaks.

nigeltrego avatar nigeltrego commented on June 7, 2024

Hi evilaliv3, sorry for taking so long to get back to you, I have been on vacation and then tied up with other projects. When we received the 700 or so bot generated reports, I went ahead and deleted them as the receivers complained that they had 700 emails in their inbox :-). I assume that they are now gone forever, unless there is a way to retrieve them, so I cannot send you an example. We have had GL shut down during the Xmas break. I will look at restarting to see if we get any more bot generated reports and I will forward on an example to you. Thanks, Nigel


nigeltrego avatar nigeltrego commented on June 7, 2024

Hi, so we received another 70 reports today, all the same and all seem to be bot generated. I have attached a copy to this post. Any help would be appreciated.
report-1.zip


nigeltrego avatar nigeltrego commented on June 7, 2024

When this report was created, I received 166 emails, content below:
Platform:
Host: leaks.zeon.eu (rd6lbqjf25qz6eckk2ugbz56c6tav64m3m3nxo7hgqf3g32z5o7zu7ad.onion)
Version: 4.14.3

sqlalchemy.exc.IntegrityError Wraps a DB-API IntegrityError.

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 1236, in _execute_context
cursor, statement, parameters, context

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/default.py", line 536, in do_execute
cursor.execute(statement, parameters)

sqlite3.IntegrityError: UNIQUE constraint failed: internalfile.id

The above exception was the direct cause of the following exception:

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
result = inContext.theWork()

File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
inContext.theWork = lambda: context.call(ctx, func, *args, **kw)

File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)

File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
return func(*args,**kw)

File "/usr/lib/python3/dist-packages/globaleaks/orm.py", line 187, in _wrap
session.commit()

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 1023, in commit
self.transaction.commit()

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 487, in commit
self._prepare_impl()

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 466, in _prepare_impl
self.session.flush()

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 2446, in flush
self._flush(objects)

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 2584, in _flush
transaction.rollback(_capture_exception=True)

File "/usr/lib/python3/dist-packages/sqlalchemy/util/langhelpers.py", line 67, in __exit__
compat.reraise(exc_type, exc_value, exc_tb)

File "/usr/lib/python3/dist-packages/sqlalchemy/util/compat.py", line 277, in reraise
raise value

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/session.py", line 2544, in _flush
flush_context.execute()

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/unitofwork.py", line 416, in execute
rec.execute(self)

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/unitofwork.py", line 583, in execute
uow,

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/persistence.py", line 245, in save_obj
insert,

File "/usr/lib/python3/dist-packages/sqlalchemy/orm/persistence.py", line 1063, in _emit_insert_statements
c = cached_connections[connection].execute(statement, multiparams)

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 980, in execute
return meth(self, multiparams, params)

File "/usr/lib/python3/dist-packages/sqlalchemy/sql/elements.py", line 273, in _execute_on_connection
return connection._execute_clauseelement(self, multiparams, params)

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 1099, in _execute_clauseelement
distilled_params,

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 1240, in _execute_context
e, statement, parameters, cursor, context

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 1458, in _handle_dbapi_exception
util.raise_from_cause(sqlalchemy_exception, exc_info)

File "/usr/lib/python3/dist-packages/sqlalchemy/util/compat.py", line 296, in raise_from_cause
reraise(type(exception), exception, tb=exc_tb, cause=cause)

File "/usr/lib/python3/dist-packages/sqlalchemy/util/compat.py", line 276, in reraise
raise value.with_traceback(tb)

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/base.py", line 1236, in _execute_context
cursor, statement, parameters, context

File "/usr/lib/python3/dist-packages/sqlalchemy/engine/default.py", line 536, in do_execute
cursor.execute(statement, parameters)

sqlalchemy.exc.IntegrityError: (sqlite3.IntegrityError) UNIQUE constraint failed: internalfile.id [SQL: 'INSERT INTO internalfile (id, creation_date, internaltip_id, name, content_type, size, new, reference_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?)'] [parameters: ('26fa96d4-7eeb-41d8-a37d-7b634c315a2b', '2024-01-25 05:22:36.294407', 'afcf8859-e977-404e-b3fc-284da86786e9', '2OhTGxDihJIIFnZzGW5EJok8SHD2MqMsljzzDOyZURYma9s6almvwr5686tdRLsuIbU80pOC6rqOnW9pQ0yvXZNgWSzsgGBWhtsz0iG+Gz+1+qhZ2/thyNnQsLs11WEydARynuHWSJxSNbIgf0CtY ... (710 characters truncated) ... WzoAIZ5UuhUnzpynMjiEBmd4DL2VyvYnPti+19GrDJHxUDNlAenOdE27r0C6mHcO0s5yNSsAmwo3Sp/Q86hG2Jm0K8NsZpy38C1ETRASFC2+MXfLdSSkXiqjc7Rj972nm4vbdG0LqtCGbw2kVKyk=', '"aD8O/ocw9jIQSj5ei7VjsZL2c/97xyVFS30OKVAaLFY9WqtThe/gfSe5H8+bkNcDBk5tHWmasaFscntq4uhqDeiGN4YPld8t42ZELAW7s3RmlV1Ad+R88mUOCAlZZxRd+YhGrpHQUdbPrPzWREmx ... (776 characters truncated) ... U5UK/hv92zRWzPGMBYHdCKdAxKvSnte9UJl/xMQ5oR8YiJ/AMlEvN5fUH8t/Rm5IHzK7dtKqnz+pbPXClQ3kq/zuXIk8nYh/o6z6x+coiQG8TGTINf+c8lp9n+Gx7k4J5aJvoabMNSY260kl0xQ="', '"1ibAMyI0YQqUMRFwHKHm2dpkajPlDHH8PbWrJ/NPfThwie81FYU0mlhXCYTq4cE6eOfdLWznVgsN8Nr0e2xc7HYvv9IPNBrxgXLtlkCqHuFQYyfihlz3RYVInW/3rgl8M9LN5+d8EWiPFWloXqrI ... (664 characters truncated) ... QBZzdR/wekgCcMcKD5vgBiUizp8rNiqXLJesOsuDoSecHwmLpUwwsEanBGVBTiOuObndwJmDOFLMcrkJsWb4ZWJcygVxytpNH+oDZmac+K2cRLtlIYKzlhQSzoRzILuOm1km8b7UM5OTIASAajI="', 1, '')] (Background on this error at: http://sqlalche.me/e/gkpj)


gbilic avatar gbilic commented on June 7, 2024

Hi all,

We saw the same behaviour yesterday (version 4.14.7) with dozens of fake reports generated.
A network dump revealed a Malaysian IP address requesting the platform. I had to firewall it temporarily. I was receiving emails with errors identical to those reported by @nigeltrego but also some others regarding some kind of code injection attempt in process.file.upload() like:

Platform:
Host: xxxxx (o7kzazypqubozxbfutix5krpaf65m5kmcd7dzogdihnuogzznyfh6zad.onion)
Version: 4.14.7

ValueError Inappropriate argument value (of correct type).

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/twisted/web/server.py", line 227, in process
self.render(resrc)

File "/usr/lib/python3/dist-packages/twisted/web/server.py", line 292, in render
body = resrc.render(self)

File "/usr/lib/python3/dist-packages/globaleaks/rest/api.py", line 430, in render
self.handler.process_file_upload()

File "/usr/lib/python3/dist-packages/globaleaks/handlers/base.py", line 343, in process_file_upload
total_file_size = int(self.request.args[b'flowTotalSize'][0])

ValueError: invalid literal for int() with base 10: b'-1" OR 2+646-646-1=0+0+0+1 -- '

Platform:
Host: xxxx (o7kzazypqubozxbfutix5krpaf65m5kmcd7dzogdihnuogzznyfh6zad.onion)
Version: 4.14.7

ValueError Inappropriate argument value (of correct type).

Traceback (most recent call last):

File "/usr/lib/python3/dist-packages/twisted/web/server.py", line 227, in process
self.render(resrc)

File "/usr/lib/python3/dist-packages/twisted/web/server.py", line 292, in render
body = resrc.render(self)

File "/usr/lib/python3/dist-packages/globaleaks/rest/api.py", line 430, in render
self.handler.process_file_upload()

File "/usr/lib/python3/dist-packages/globaleaks/handlers/base.py", line 343, in process_file_upload
total_file_size = int(self.request.args[b'flowTotalSize'][0])

ValueError: invalid literal for int() with base 10: b'if(now()=sysdate(),sleep(15),0)'

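An added example, not GlobaLeaks' own code, of the input validation that turns the unhandled ValueError in the tracebacks above into a clean 400 response, so a scanner probing the upload endpoint no longer produces one crash email per request; `MAX_TOTAL_SIZE`, `BadRequest`, `parse_flow_total_size` and `triage` are names and limits assumed here, and the dictionary layout mirrors Twisted's `request.args` (bytes keys mapping to lists of bytes values).

```python
import re

# Assumed upper bound for a declared upload size (30 MiB); not a GlobaLeaks setting.
MAX_TOTAL_SIZE = 30 * 1024 * 1024

# Only unsigned decimal digits, bounded in length so int() never sees junk.
DIGITS_ONLY = re.compile(rb"[0-9]{1,12}")


class BadRequest(Exception):
    """Malformed client input: should map to HTTP 400, not to an error report."""


def parse_flow_total_size(args: dict) -> int:
    """Validate the flowTotalSize form field before converting it.

    `args` mirrors Twisted's request.args: {b'name': [b'value', ...]}.
    Rejects missing, repeated, non-numeric, zero or oversized values instead
    of letting int() raise on strings such as b'-1" OR 2+646-646-1=0+0+0+1 -- '.
    """
    values = args.get(b"flowTotalSize")
    if not values or len(values) != 1:
        raise BadRequest("flowTotalSize must be present exactly once")
    raw = values[0]
    if not isinstance(raw, bytes) or not DIGITS_ONLY.fullmatch(raw):
        raise BadRequest("flowTotalSize is not an unsigned integer")
    size = int(raw)  # safe: the regex guarantees this cannot raise
    if size == 0 or size > MAX_TOTAL_SIZE:
        raise BadRequest("flowTotalSize out of range")
    return size


def triage(raw: bytes) -> str:
    """Classify one raw flowTotalSize value as the handler would treat it.

    Returns 'ok' for an accepted size and 'bad_request' for anything that
    should be answered with a 400 and at most a rate-limited log line.
    """
    try:
        parse_flow_total_size({b"flowTotalSize": [raw]})
    except BadRequest:
        return "bad_request"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, including the two probes quoted in the thread.
    samples = [b"2048", b'-1" OR 2+646-646-1=0+0+0+1 -- ',
               b"if(now()=sysdate(),sleep(15),0)", b"-5", b"0"]
    for value in samples:
        print(value, "->", triage(value))
```

Logging the rejected value with a per-source counter, rather than emailing a traceback, is what keeps a burst of such requests from flooding the receivers' inboxes the way the thread describes.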

evilaliv3 avatar evilaliv3 commented on June 7, 2024

Closing in favour of #4052
