authorDan Fandrich <danf@mageia.org>2025-05-23 18:50:29 -0700
committerDan Fandrich <danf@mageia.org>2025-05-23 18:58:07 -0700
commite7818b9d1f8957ed4ae02f22b1e11e681bf45549 (patch)
treefd308ff09fbdd1ad3edb0705a1f3853943ddf8a8 /modules
parentde3c56d3dff7c23adf9e6f1b6ebd141dcfb4efdc (diff)
Block expensive svnweb operations without a cookie
If an expensive request comes in from anyone without a cookie attached, redirect to a page where the cookie is set using JavaScript, then redirect back. This should block robots from these paths, most of which do not support JavaScript. The collateral damage is that a JavaScript-capable browser is now required for users to access those paths. The contents of the cookie are not currently checked, merely that it is set.
Diffstat (limited to 'modules')
-rw-r--r--modules/apache/templates/vhost_fcgid.conf9
-rw-r--r--modules/viewvc/files/setcookieredirect.html27
-rw-r--r--modules/viewvc/manifests/init.pp9
3 files changed, 45 insertions, 0 deletions
diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf
index 75ac9300..3aed1ea2 100644
--- a/modules/apache/templates/vhost_fcgid.conf
+++ b/modules/apache/templates/vhost_fcgid.conf
@@ -23,6 +23,15 @@ RewriteCond %{QUERY_STRING} pathrev=|r1=
RewriteCond %{HTTP_USER_AGENT} "Googlebot|GoogleOther|bingbot|Yahoo! Slurp|ClaudeBot|Amazonbot|YandexBot|SemrushBot|Barkrowler|DataForSeoBot|PetalBot|facebookexternalhit|GPTBot|ImagesiftBot|spider|Spider|iPod|Trident|Presto"
RewriteRule . - [R=403,L]
+# Only let expensive operations through when a cookie is set. If no cookie is
+# set, redirect to a page where it will be set using JavaScript and redirect
+# back. This will block requests from user agents that do not support
+# JavaScript, which includes many robots.
+RewriteCond %{QUERY_STRING} pathrev=|r1=
+RewriteCond %{REQUEST_URI} !/_check
+RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary]
+RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?%{QUERY_STRING} [R=302,L]
+
# Block abusive spiders by IP address who don't identify themselves in the
# User-Agent: string
RewriteCond expr "-R '47.76.0.0/14' || -R '47.80.0.0/14' || -R '47.208.0.0/16' || -R '47.238.0.0/16' || -R '8.210.0.0/16' || -R '8.218.0.0/16' || -R '188.239.0.0/18' || -R '166.108.192.0/18' || -R '124.243.160.0/19' || -R '101.46.0.0/20'"
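Review bot: The `to=` value built on the new `RewriteRule` line embeds `%{REQUEST_URI}?%{QUERY_STRING}` without percent-encoding, so any `&` in the original query string begins a new parameter of the `/_check` request and the redirect page's `URLSearchParams` hands back only the part before the first `&` — a request carrying both `pathrev=` and `r1=` comes back to a truncated URL. Capture the target in a condition and emit it as an escaped backreference instead: `RewriteCond %{REQUEST_URI}?%{QUERY_STRING} ^(.*)$` followed by `RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%1 [R=302,L,B]`. The `B` flag percent-encodes the backreference (including `/`, `?` and `&`), and `URLSearchParams.get()` on the other side decodes it again, so the decoded value should still pass the redirect page's character allow-list — worth confirming against the deployed Apache version. The unused capture group in `!session=([^;]+)` can also be dropped, since only the presence of the cookie is tested.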
diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html
new file mode 100644
index 00000000..d1b7ada4
--- /dev/null
+++ b/modules/viewvc/files/setcookieredirect.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>User check</title>
+ <script type="text/javascript" defer>
+ const randomValue = Math.random().toString(36).substring(2);
+ document.cookie = `session=${randomValue}; path=/; expires=${new Date(Date.now() + 24*3600*1000).toUTCString()}`;
+ const params = new Proxy(new URLSearchParams(window.location.search), {
+ get: (searchParams, prop) => searchParams.get(prop),
+ });
+ let url = params.to;
+ // Sanitize redirect path to avoid malicious arbitrary redirects
+ if (/^\/[-_a-zA-Z0-9~.?&=/]*$/.test(url)) {
+ window.location.href = url;
+ } else {
+ window.onload = function() {
+ document.getElementById('error').innerHTML = 'Error! Bad redirect location!';
+ }
+ }
+ </script>
+ </head>
+ <body>
+ Redirecting back...
+ <br>
+ <p id="error"><!-- space for error message --></p>
+ </body>
+</html>
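Review bot: The allow-list regex on the `if (/^\/[-_a-zA-Z0-9~.?&=/]*$/.test(url))` line still admits a protocol-relative URL such as `//attacker.example/x`, because the mandatory leading `/` may be followed by a second `/` from the character class, and `window.location.href` then navigates off-site — an open redirect reachable through `/_check?to=`. Reject a slash immediately after the first one: `if (/^\/(?!\/)[-_a-zA-Z0-9~.?&=/]*$/.test(url)) {`. Separately, when the browser refuses cookies the assignment to `document.cookie` silently fails, the page redirects back, and the vhost rule that sent it here appears to bounce it to `/_check` again indefinitely; guarding the redirect with `document.cookie.includes('session=')` and showing the error text otherwise would break that loop. Note also that `defer` has no effect on an inline script, so the attribute can be removed without changing behaviour.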
diff --git a/modules/viewvc/manifests/init.pp b/modules/viewvc/manifests/init.pp
index 99acec90..e1d336c9 100644
--- a/modules/viewvc/manifests/init.pp
+++ b/modules/viewvc/manifests/init.pp
@@ -40,9 +40,18 @@ class viewvc {
source => 'puppet:///modules/viewvc/robots.txt',
}
+ file { "$viewvc_docroot/setcookieredirect.html":
+ ensure => present,
+ mode => '0644',
+ owner => root,
+ group => root,
+ source => 'puppet:///modules/viewvc/setcookieredirect.html',
+ }
+
$vhost_aliases = {
'/viewvc' => $viewvc_docroot,
'/robots.txt' => $robotsfile,
+ '/_check' => "$viewvc_docroot/setcookieredirect.html",
}
$script_aliases = {