Item12393: new plugin to filter incoming requests based on lookups of…

… project honeypot

git-svn-id: http://svn.foswiki.org/trunk/HoneyPotPlugin@16534 0b4bb1d4-4e5a-0410-9cc4-b2b747904278

data/System/HoneyPotPlugin.txt

@@ -0,0 +1,61 @@
+%META:TOPICPARENT{name="Plugins"}%
+<!--
+   * Set SHORTDESCRIPTION = %SHORTDESCRIPTION%
+-->
+---+!! Honey Pot Plugin
+
+%SHORTDESCRIPTION%
+
+%TOC%
+
+Public wiki sites are often plagued with spammers and other unwelcome visitors,
+such as search engine indexers that can suck the life out of an otherwise
+fast site.
+
+[[http://www.projecthoneypot.org][Project HoneyPot]] has been set up to 
+record data about IP addresses that constitute a threat to websites, either
+because they are an excessive drain on the resources of the sites
+or because they are known sources of spam.
+
+This plugin checks incoming requests against the honeypot database and
+rejects operations from IP addresses found there.
+
+The admin has full control over the operations that are checked, and the
+nature of the checks. Configuration is done using the =%SCRIPTURL{configure}%=
+interface.
+
+---++ REST handler
+The plugin also publishes a REST handler that can be used to check an IP
+address against the database. The handler is called =check= and is passed
+the parameters =ip= (the IP address to check) and =tests= (a comma-separated
+list of tests to perform). If any of the tests fails, the handler will respond
+with a 403 (forbidden) with the name of the failing test in the response body.
+For example,
+<verbatim>
+http://my.foswiki/rest/HoneyPotPlugin/check?ip=12.34.56.78&tests=is_search_engine,is_harvester
+</verbatim>
+A description of the available tests can be found at http://search.cpan.org/dist/WWW-Honeypot-httpBL/lib/WWW/Honeypot/httpBL.pm
+
+---++ API
+There is also an API that other plugins can use when this plugin is loaded:
+
+=Foswiki::Plugins::HoneyPotPlugin::check($domain, $tests) -> $result=
+   * =$domain= - domain name or IP address to check
+   * =$tests= - either an array of predicate names or a comma-separated
+     string list of predicates to perform e.g. 'is_comment_spammer,is_search_engine'
+
+---++ Installation
+%$INSTALL_INSTRUCTIONS%
+
+---++ Info
+
+|  Author: | Foswiki:Main.CrawfordCurrie |
+|  Copyright: | &copy; 2013, Foswiki Contributors |
+|  License: | GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]]) |
+|  Release: | %$RELEASE% |
+|  Version: | %$VERSION% |
+|  Change&nbsp;History: | <!-- versions below in reverse order -->&nbsp; |
+|  1.0.0 (13 Feb 2013): | Initial version |
+|  Home: | http://foswiki.org/Extensions/%TOPIC% |
+|  Support: | http://foswiki.org/Support/%TOPIC% |
+

lib/Foswiki/Plugins/HoneyPotPlugin.pm

@@ -0,0 +1,176 @@
+# See bottom of file for default license and copyright information
+
+=begin TML
+
+---+ package Foswiki::Plugins::HoneyPotPlugin
+
+=cut
+
+package Foswiki::Plugins::HoneyPotPlugin;
+
+# Always use strict to enforce variable scoping
+use strict;
+use warnings;
+
+use Foswiki::Func         ();
+use Foswiki::Plugins      ();
+use WWW::Honeypot::httpBL ();
+
+use version; our $VERSION = version->declare("v1.0.0");
+use Error ':try';
+
+our $RELEASE = '2013-02-13';
+our $SHORTDESCRIPTION =
+'Use Project !HoneyPot to detect and filter operations initiated from suspected spammers, search engines etc.';
+our $NO_PREFS_IN_TOPIC = 1;
+our $honeypotChecked   = 0;
+
+sub initPlugin {
+    my ( $topic, $web, $user, $installWeb ) = @_;
+    Foswiki::Func::registerRESTHandler( 'check', \&rest_check );
+
+    # We have called all the handlers that are used in honeypot
+    # checking. Reset the globvar for subsequent calls.
+    $honeypotChecked = 0;
+    return 1;
+}
+
+# This preload handler is only called in Foswiki 1.2.0 and later. Prior
+# to that, the earlyInitHandler is the earliest we can do the honeypot
+# check.
+sub earlyInitPlugin {
+    unless ($honeypotChecked) {
+        preload($Foswiki::Plugins::SESSION);
+    }
+    return 0;
+}
+
+# preload handler, called way before anything exciting happens
+sub preload {
+    my ($session) = @_;
+
+    # get the request
+    my $request = $session->{request};
+    if ( $request->can('remote_addr') ) {
+        my $ipad   = $request->remote_addr();
+        my $action = $request->action();
+        my $conditions =
+          $Foswiki::cfg{Plugins}{HoneyPotPlugin}{Conditions}{$action};
+        if ($conditions) {
+            my $status = check( $ipad, $conditions );
+            if ($status) {
+
+                # Can't use Foswiki logs because they may not be set up yet
+                # So use the web server log instead.
+                my $mess =
+                  "Foswiki: HoneyPot rejected '$action' from $ipad: $status";
+                print STDERR $mess;
+                throw Foswiki::EngineException( 403, $mess );
+            }
+        }
+    }
+    $honeypotChecked = 1;
+}
+
+=begin TML
+
+---++ StaticMethod check($domain, $tests) -> $result
+
+   * =$domain= - domain name or IP address to check
+   * =$tests= - either an array of predicate names or a comma-separated
+     string list of predicates to perform e.g.
+     'is_comment_spammer,is_search_engine'
+
+Check Project Honeypot for the given domain (or IP address string).
+If it's OK, return '', otherwise return the name of the check that
+failed.
+
+Note that if the domain name can't be resolved to a valid IP address,
+then the honeypot will *not* reject it.
+
+=cut
+
+sub check {
+    my ( $domain, $hp_rej ) = @_;
+    my $hp_key = $Foswiki::cfg{Plugins}{HoneyPotPlugin}{APIKey};
+    return '' unless ( $hp_key && $hp_rej );
+    unless ( ref($hp_rej) ) {
+        $hp_rej = [ split( /[,\s]+/, $hp_rej ) ];
+    }
+    return '' unless ( $hp_rej && scalar(@$hp_rej) );
+
+    my $ipad;
+    if ( $domain =~ /^\d+\.\d+\.\d+\.\d+$/ ) {
+
+        # Already an IP address
+        $ipad = $domain;
+    }
+    else {
+
+        # Get IP address
+        my $packed_ip = gethostbyname($domain);
+        $ipad = $packed_ip ? Socket::inet_ntoa($packed_ip) : undef;
+    }
+
+    # No IP address to check
+    return '' unless $ipad;
+
+    return '' if $ipad eq '127.0.0.1';
+
+    my $honeypot = WWW::Honeypot::httpBL->new( { access_key => $hp_key } );
+    $honeypot->fetch($ipad);
+    foreach my $criterium (@$hp_rej) {
+
+        # is_harvester is_comment_spammer is_search_engine is_suspicious
+        if ( $honeypot->can($criterium) && $honeypot->$criterium() ) {
+            return $criterium;    # reject!
+        }
+    }
+    return '';
+}
+
+sub rest_check {
+    my ( $session, $subject, $verb, $response ) = @_;
+    my $query = Foswiki::Func::getCgiQuery();
+    unless ($query) {
+        print CGI::header( -status => 500 );
+        return undef;
+    }
+    my $ip     = $query->param('ip');
+    my $tests  = $query->param('tests');
+    my $result = '';
+    if ( $ip && $tests ) {
+        $result = check( $ip, $tests );
+    }
+    my $status = $result ? 403 : 200;
+    $response->header(
+        -status  => $status,
+        -type    => 'text/plain',
+        -charset => 'UTF-8'
+    );
+    $response->body($result);
+    return undef;
+}
+
+1;
+
+__END__
+Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Author: CrawfordCurrie
+
+Copyright (C) 2013 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+As per the GPL, removal of this notice is prohibited.

lib/Foswiki/Plugins/HoneyPotPlugin/Config.spec

@@ -0,0 +1,20 @@
+# ---+ Extensions
+# ---++ HoneyPotPlugin
+# **STRING 40**
+# Your Project Honeypot http:BL API key (if you have one; if not, register at <a href='http://www.projecthoneypot.org'>http://www.projecthoneypot.org</a> and get one). Leave blank if honeypot checking is not required.
+$Foswiki::cfg{Plugins}{HoneyPotPlugin}{APIKey}  = '';
+
+# **PERL**
+# Lists of conditions to test against the honeypot for different actions e.g.
+# view, attach, save, edit. Each list is a list of names of predicates e.g.
+# <tt>is_comment_spammer,is_suspicious</tt>. Visit <a href='http://search.cpan.org/dist/WWW-Honeypot-httpBL/lib/WWW/Honeypot/httpBL.pm'>http://search.cpan.org/dist/WWW-Honeypot-httpBL/lib/WWW/Honeypot/httpBL.pm</a>
+# for more details on the available predicates. If the IP address of the
+# source of the save request triggers any of these predicates, then the
+# save will be rejected.
+$Foswiki::cfg{Plugins}{HoneyPotPlugin}{Conditions} = {
+    'save' => [ 'is_comment_spammer', 'is_suspicious' ],
+    'attach' => [ 'is_comment_spammer', 'is_suspicious' ],
+    'view' => [ 'is_harvester' ],
+    'edit' => [ 'is_search_engine', 'is_harvester', 'is_suspicious' ],
+    'rest' => [ 'is_comment_spammer', 'is_search_engine', 'is_harvester', 'is_suspicious' ],
+};

lib/Foswiki/Plugins/HoneyPotPlugin/DEPENDENCIES

@@ -0,0 +1 @@
+WWW::Honeypot::httpBL,>0,perl,required

lib/Foswiki/Plugins/HoneyPotPlugin/MANIFEST

@@ -0,0 +1,4 @@
+!noci
+data/System/HoneyPotPlugin.txt 0644 Documentation page
+lib/Foswiki/Plugins/HoneyPotPlugin.pm 0444 Perl module
+lib/Foswiki/Plugins/HoneyPotPlugin/Config.spec 0444 Configuration

lib/Foswiki/Plugins/HoneyPotPlugin/build.pl

@@ -0,0 +1,76 @@
+#!/usr/bin/perl -w
+#
+# Example build class. Copy this file to the equivalent place in your
+# plugin or contrib and edit.
+#
+# Read the comments at the top of lib/Foswiki/Contrib/Build.pm for
+# details of how the build process works, and what files you
+# have to provide and where.
+#
+# Requires the environment variable FOSWIKI_LIBS (a colon-separated path
+# list) to be set to point at the build system and any required dependencies.
+# Usage: ./build.pl [-n] [-v] [target]
+# where [target] is the optional build target (build, test,
+# install, release, uninstall), test is the default.
+# Two command-line options are supported:
+# -n Don't actually do anything, just print commands
+# -v Be verbose
+#
+
+# Standard preamble
+use strict;
+use warnings;
+
+BEGIN { unshift @INC, split( /:/, $ENV{FOSWIKI_LIBS} ); }
+
+use Foswiki::Contrib::Build;
+
+# Create the build object
+my $build = new Foswiki::Contrib::Build('HoneyPotPlugin');
+
+# Build the target on the command line, or the default target
+$build->build( $build->{target} );
+
+=begin TML
+
+You can do a lot more with the build system if you want; for example, to add
+a new target, you could do this:
+
+<verbatim>
+{
+    package MyModuleBuild;
+    our @ISA = qw( Foswiki::Contrib::Build );
+
+    sub new {
+        my $class = shift;
+        return bless( $class->SUPER::new( "MyModule" ), $class );
+    }
+
+    sub target_mytarget {
+        my $this = shift;
+        # Do other build stuff here
+    }
+}
+
+# Create the build object
+my $build = new MyModuleBuild();
+</verbatim>
+
+You can also specify a different default target server for uploads.
+This can be any web on any accessible Foswiki installation.
+These defaults will be used when expanding tokens in .txt
+files, but be warned, they can be overridden at upload time!
+
+<verbatim>
+# name of web to upload to
+$build->{UPLOADTARGETWEB} = 'Extensions';
+# Full URL of pub directory
+$build->{UPLOADTARGETPUB} = 'http://foswiki.org/pub';
+# Full URL of bin directory
+$build->{UPLOADTARGETSCRIPT} = 'http://foswiki.org/bin';
+# Script extension
+$build->{UPLOADTARGETSUFFIX} = '';
+</verbatim>
+
+=cut
+

test/unit/HoneyPotPlugin/HoneyPotPluginSuite.pm

@@ -0,0 +1,34 @@
+# See bottom of file for license and copyright information
+package HoneyPotPluginSuite;
+
+use strict;
+use warnings;
+
+use Unit::TestSuite;
+our @ISA = 'Unit::TestSuite';
+
+sub name { 'HoneyPotPluginSuite' }
+
+sub include_tests { qw(HoneyPotPluginTests) }
+
+1;
+__END__
+Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Author: CrawfordCurrie
+
+Copyright (C) 2008-2011 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+As per the GPL, removal of this notice is prohibited.