Watched/blacklisted IP should trigger on IP-only URLs #3722

Open
tripleee opened this issue Jan 21, 2020 · 3 comments
Assignees
Labels
area: spamchecks Detections or the process of testing posts. (No space in the label, is because of Hacktoberfest) status: confirmed Confirmed as something that needs working on. type: bug Aaaah! Kill it!

Comments

@tripleee
Member

What problem has occurred? What issues has it caused?

https://metasmoke.erwaysoftware.com/post/220864 should have triggered "watched IP" because 199.192.31.7 is currently watched; but it did not.

What would you like to happen/not happen?

IP addresses in URLs should be checked against the CIDR lists.

@stale stale bot added the status: stale label Feb 21, 2020
@stale

stale bot commented Feb 22, 2020

This issue has been closed because it has had no recent activity. If this is still important, please add another comment and find someone with write permissions to reopen the issue. Thank you for your contributions.

@stale stale bot closed this as completed Feb 22, 2020
@tripleee tripleee reopened this Feb 25, 2020
@tripleee tripleee added area: spamchecks Detections or the process of testing posts. (No space in the label, is because of Hacktoberfest) status: confirmed Confirmed as something that needs working on. type: bug Aaaah! Kill it! and removed status: stale labels Feb 25, 2020
tripleee added a commit to tripleee/SmokeDetector that referenced this issue Apr 3, 2020
@tripleee tripleee self-assigned this Apr 3, 2020
@user12986714
Contributor

This is copy-pasted from my comment on PR 3789 with minor changes.
So the issue looks to be that raw IP addresses in posts are not currently subject to IP or ASN list checks. The nature of those two problems appears to be the same. Take the IP watchlist for example. As we can see, in findspam.py, in function watched_ip_for_url_hostname(), it calls ip_for_url_host():

    return ip_for_url_host(s, site, GlobalVars.watched_cidrs)

Then in ip_for_url_host(), it calls dns_query():

        a = dns_query(hostname, 'a')
        if a is not None:
            # Do something

The problem is, if hostname is a raw IP, dns_query() will return None (cannot resolve).

    try:
        starttime = datetime.utcnow()
        answer = dns.resolver.query(label, qtype)
    except dns.exception.DNSException as exc:
        # Some logging
        return None

Hence all raw IPs won't be inspected by that rule.
A way to fix this is to detect a raw IP address in dns_query() (with a regex like [1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]), and if detected, construct an answer with that IP, rather than treating it as a domain and hence failing to resolve.
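
The check this comment describes, as an added example that is not part of the thread and not SmokeDetector's code: an IP-literal host is recognised with Python's `ipaddress` module (used here in place of the suggested regex) and tested against the CIDR list directly, and only other hosts go to DNS. The names `host_addresses`, `watched_match`, `WATCHED_CIDRS` and the `resolve` callable are hypothetical, and the list entries are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list: the address quoted in the issue as a /32,
# plus two documentation ranges. Not the project's real watchlist.
WATCHED_CIDRS = [ipaddress.ip_network(c) for c in
                 ("199.192.31.7/32", "203.0.113.0/24", "2001:db8::/32")]


def host_addresses(url, resolve=None):
    """Return the IP addresses that a URL's host stands for.

    An IP-literal host (IPv4, or bracketed IPv6) is returned as-is with no
    DNS lookup. Any other host is passed to `resolve`, a hypothetical
    stand-in for a DNS helper that returns a list of address strings or
    None on failure. Assumes the URL carries a scheme.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:          # malformed bracketed host
        return []
    if not host:
        return []
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass                    # not an IP literal, so it needs resolving
    answers = resolve(host) if resolve else None
    return [ipaddress.ip_address(a) for a in answers or []]


def watched_match(url, cidrs=WATCHED_CIDRS, resolve=None):
    """Return the first watched network containing the URL's host, else None."""
    for addr in host_addresses(url, resolve):
        for net in cidrs:
            # Membership is only meaningful within one address family.
            if addr.version == net.version and addr in net:
                return net
    return None


if __name__ == "__main__":
    for u in ("http://199.192.31.7/some/page", "http://198.51.100.9/",
              "http://[2001:db8::5]:8080/x"):
        print(u, "->", watched_match(u))
```
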

@tripleee
Member Author

I have a fork with a basic implementation of this but it's a little bit tortured. I'm thinking it would make sense to reduce code duplication by (finally) creating a class for parsed URLs with features like whitelisted, IP only, etc.

https://github.com/tripleee/SmokeDetector/tree/ip-only-watch-check
