mirrors
/
rspamd
spogulis no https://github.com/vstakhov/rspamd.git
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Laidieni 159 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
21071 Revīzija
30 Atzari
Koks: 7769774962
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '7769774962'
${ noResults }
rspamd/src/plugins/lua/replies.lua

replies.lua 9.4KB
Neapstrādāts Vainot Vēsture

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. if confighelp then

  19.   return

  20. end

  21. 

  22. local rspamd_logger = require 'rspamd_logger'

  23. local hash = require 'rspamd_cryptobox_hash'

  24. local lua_util = require 'lua_util'

  25. local lua_redis = require 'lua_redis'

  26. local fun = require "fun"

  27. 

  28. -- A plugin that implements replies check using redis

  29. 

  30. -- Default port for redis upstreams

  31. local redis_params

  32. local settings = {

  33.   action = nil,

  34.   expire = 86400, -- 1 day by default

  35.   key_prefix = 'rr',

  36.   key_size = 20,

  37.   message = 'Message is reply to one we originated',

  38.   symbol = 'REPLY',

  39.   score = -4, -- Default score

  40.   use_auth = true,

  41.   use_local = true,

  42.   cookie = nil,

  43.   cookie_key = nil,

  44.   cookie_is_pattern = false,

  45.   cookie_valid_time = '2w', -- 2 weeks by default

  46.   min_message_id = 2, -- minimum length of the message-id header

  47. }

  48. 

  49. local N = "replies"

  50. 

  51. local function make_key(goop, sz, prefix)

  52.   local h = hash.create()

  53.   h:update(goop)

  54.   local key

  55.   if sz then

  56.     key = h:base32():sub(1, sz)

  57.   else

  58.     key = h:base32()

  59.   end

  60. 

  61.   if prefix then

  62.     key = prefix .. key

  63.   end

  64. 

  65.   return key

  66. end

  67. 

  68. local function replies_check(task)

  69.   local in_reply_to

  70.   local function check_recipient(stored_rcpt)

  71.     local rcpts = task:get_recipients('mime')

  72. 

  73.     if rcpts then

  74.       local filter_predicate = function(input_rcpt)

  75.         local real_rcpt_h = make_key(input_rcpt:lower(), 8)

  76. 

  77.         return real_rcpt_h == stored_rcpt

  78.       end

  79. 

  80.       if fun.any(filter_predicate, fun.map(function(rcpt)

  81.         return rcpt.addr or ''

  82.       end, rcpts)) then

  83.         lua_util.debugm(N, task, 'reply to %s validated', in_reply_to)

  84.         return true

  85.       end

  86. 

  87.       rspamd_logger.infox(task, 'ignoring reply to %s as no recipients are matching hash %s',

  88.           in_reply_to, stored_rcpt)

  89.     else

  90.       rspamd_logger.infox(task, 'ignoring reply to %s as recipient cannot be detected for hash %s',

  91.           in_reply_to, stored_rcpt)

  92.     end

  93. 

  94.     return false

  95.   end

  96. 

  97.   local function redis_get_cb(err, data, addr)

  98.     if err ~= nil then

  99.       rspamd_logger.errx(task, 'redis_get_cb error when reading data from %s: %s', addr:get_addr(), err)

  100.       return

  101.     end

  102.     if data and type(data) == 'string' and check_recipient(data) then

  103.       -- Hash was found

  104.       task:insert_result(settings['symbol'], 1.0)

  105.       if settings['action'] ~= nil then

  106.         local ip_addr = task:get_ip()

  107.         if (settings.use_auth and

  108.             task:get_user()) or

  109.             (settings.use_local and ip_addr and ip_addr:is_local()) then

  110.           rspamd_logger.infox(task, "not forcing action for local network or authorized user");

  111.         else

  112.           task:set_pre_result(settings['action'], settings['message'], N)

  113.         end

  114.       end

  115.     end

  116.   end

  117.   -- If in-reply-to header not present return

  118.   in_reply_to = task:get_header_raw('in-reply-to')

  119.   if not in_reply_to then

  120.     return

  121.   end

  122.   -- Create hash of in-reply-to and query redis

  123.   local key = make_key(in_reply_to, settings.key_size, settings.key_prefix)

  124. 

  125.   local ret = lua_redis.redis_make_request(task,

  126.       redis_params, -- connect params

  127.       key, -- hash key

  128.       false, -- is write

  129.       redis_get_cb, --callback

  130.       'GET', -- command

  131.       { key } -- arguments

  132.   )

  133. 

  134.   if not ret then

  135.     rspamd_logger.errx(task, "redis request wasn't scheduled")

  136.   end

  137. end

  138. 

  139. local function replies_set(task)

  140.   local function redis_set_cb(err, _, addr)

  141.     if err ~= nil then

  142.       rspamd_logger.errx(task, 'redis_set_cb error when writing data to %s: %s', addr:get_addr(), err)

  143.     end

  144.   end

  145.   -- If sender is unauthenticated return

  146.   local ip = task:get_ip()

  147.   if settings.use_auth and task:get_user() then

  148.     lua_util.debugm(N, task, 'sender is authenticated')

  149.   elseif settings.use_local and (ip and ip:is_local()) then

  150.     lua_util.debugm(N, task, 'sender is from local network')

  151.   else

  152.     return

  153.   end

  154.   -- If no message-id present return

  155.   local msg_id = task:get_header_raw('message-id')

  156.   if msg_id == nil or msg_id:len() <= (settings.min_message_id or 2) then

  157.     return

  158.   end

  159.   -- Create hash of message-id and store to redis

  160.   local key = make_key(msg_id, settings.key_size, settings.key_prefix)

  161. 

  162.   local sender = task:get_reply_sender()

  163. 

  164.   if sender then

  165.     local sender_hash = make_key(sender:lower(), 8)

  166.     lua_util.debugm(N, task, 'storing id: %s (%s), reply-to: %s (%s) for replies check',

  167.         msg_id, key, sender, sender_hash)

  168.     local ret = lua_redis.redis_make_request(task,

  169.         redis_params, -- connect params

  170.         key, -- hash key

  171.         true, -- is write

  172.         redis_set_cb, --callback

  173.         'PSETEX', -- command

  174.         { key, tostring(math.floor(settings['expire'] * 1000)), sender_hash } -- arguments

  175.     )

  176.     if not ret then

  177.       rspamd_logger.errx(task, "redis request wasn't scheduled")

  178.     end

  179.   else

  180.     rspamd_logger.infox(task, "cannot find reply sender address")

  181.   end

  182. end

  183. 

  184. local function replies_check_cookie(task)

  185.   local function cookie_matched(extra, ts)

  186.     local dt = task:get_date { format = 'connect', gmt = true }

  187. 

  188.     if dt < ts then

  189.       rspamd_logger.infox(task, 'ignore cookie as its date is in future')

  190. 

  191.       return

  192.     end

  193. 

  194.     if settings.cookie_valid_time then

  195.       if dt - ts > settings.cookie_valid_time then

  196.         rspamd_logger.infox(task,

  197.             'ignore cookie as its timestamp is too old: %s (%s current time)',

  198.             ts, dt)

  199. 

  200.         return

  201.       end

  202.     end

  203. 

  204.     if extra then

  205.       task:insert_result(settings['symbol'], 1.0,

  206.           string.format('cookie:%s:%s', extra, ts))

  207.     else

  208.       task:insert_result(settings['symbol'], 1.0,

  209.           string.format('cookie:%s', ts))

  210.     end

  211.     if settings['action'] ~= nil then

  212.       local ip_addr = task:get_ip()

  213.       if (settings.use_auth and

  214.           task:get_user()) or

  215.           (settings.use_local and ip_addr and ip_addr:is_local()) then

  216.         rspamd_logger.infox(task, "not forcing action for local network or authorized user");

  217.       else

  218.         task:set_pre_result(settings['action'], settings['message'], N)

  219.       end

  220.     end

  221.   end

  222. 

  223.   -- If in-reply-to header not present return

  224.   local irt = task:get_header('in-reply-to')

  225.   if irt == nil then

  226.     return

  227.   end

  228. 

  229.   local cr = require "rspamd_cryptobox"

  230.   -- Extract user part if needed

  231.   local extracted_cookie = irt:match('^%<?([^@]+)@.*$')

  232.   if not extracted_cookie then

  233.     -- Assume full message id as a cookie

  234.     extracted_cookie = irt

  235.   end

  236. 

  237.   local dec_cookie, ts = cr.decrypt_cookie(settings.cookie_key, extracted_cookie)

  238. 

  239.   if dec_cookie then

  240.     -- We have something that looks like a cookie

  241.     if settings.cookie_is_pattern then

  242.       local m = dec_cookie:match(settings.cookie)

  243. 

  244.       if m then

  245.         cookie_matched(m, ts)

  246.       end

  247.     else

  248.       -- Direct match

  249.       if dec_cookie == settings.cookie then

  250.         cookie_matched(nil, ts)

  251.       end

  252.     end

  253.   end

  254. end

  255. 

  256. local opts = rspamd_config:get_all_opt('replies')

  257. if not (opts and type(opts) == 'table') then

  258.   rspamd_logger.infox(rspamd_config, 'module is unconfigured')

  259.   return

  260. end

  261. if opts then

  262.   settings = lua_util.override_defaults(settings, opts)

  263.   redis_params = lua_redis.parse_redis_server('replies')

  264.   if not redis_params then

  265.     if not (settings.cookie and settings.cookie_key) then

  266.       rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  267.       lua_util.disable_module(N, "redis")

  268.     else

  269.       -- Cookies mode

  270.       -- Check key sanity:

  271.       local pattern = { '^' }

  272.       for i = 1, 32 do

  273.         pattern[i + 1] = '[a-zA-Z0-9]'

  274.       end

  275.       pattern[34] = '$'

  276.       if not settings.cookie_key:match(table.concat(pattern, '')) then

  277.         rspamd_logger.errx(rspamd_config,

  278.             'invalid cookies key: %s, must be 32 hex digits', settings.cookie_key)

  279.         lua_util.disable_module(N, "config")

  280. 

  281.         return

  282.       end

  283. 

  284.       if settings.cookie_valid_time then

  285.         settings.cookie_valid_time = lua_util.parse_time_interval(settings.cookie_valid_time)

  286.       end

  287. 

  288.       local id = rspamd_config:register_symbol({

  289.         name = 'REPLIES_CHECK',

  290.         type = 'prefilter',

  291.         callback = replies_check_cookie,

  292.         flags = 'nostat',

  293.         priority = lua_util.symbols_priorities.medium,

  294.         group = "replies"

  295.       })

  296.       rspamd_config:register_symbol({

  297.         name = settings['symbol'],

  298.         parent = id,

  299.         type = 'virtual',

  300.         score = settings.score,

  301.         group = "replies",

  302.       })

  303.     end

  304.   else

  305.     rspamd_config:register_symbol({

  306.       name = 'REPLIES_SET',

  307.       type = 'idempotent',

  308.       callback = replies_set,

  309.       group = 'replies',

  310.       flags = 'explicit_disable,ignore_passthrough',

  311.     })

  312.     local id = rspamd_config:register_symbol({

  313.       name = 'REPLIES_CHECK',

  314.       type = 'prefilter',

  315.       flags = 'nostat',

  316.       callback = replies_check,

  317.       priority = lua_util.symbols_priorities.medium,

  318.       group = "replies"

  319.     })

  320.     rspamd_config:register_symbol({

  321.       name = settings['symbol'],

  322.       parent = id,

  323.       type = 'virtual',

  324.       score = settings.score,

  325.       group = "replies",

  326.     })

  327.   end

  328. end