Add a basic proof-of-work CAPTCHA.

MER-C · MER-C · commit 8df3883d4755 · 2025-04-18T17:19:12.000+01:00
diff --git a/src/org/wikipedia/servlets/ServletUtils.java b/src/org/wikipedia/servlets/ServletUtils.java
@@ -1,6 +1,6 @@
 /**
- *  @(#)ServletUtils.java 0.01 22/02/2011
- *  Copyright (C) 2011 - 2023 MER-C
+ *  @(#)ServletUtils.java 0.02 13/04/2025
+ *  Copyright (C) 2011 - 2025 MER-C
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU Affero General Public License as
@@ -18,13 +18,20 @@
 
 package org.wikipedia.servlets;
 
+import java.io.*;
+import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.net.URLEncoder;
-import java.util.Objects;
+import java.security.*;
+import java.time.OffsetDateTime;
+import java.util.*;
+
+import jakarta.servlet.http.*;
 
 /**
  *  Common servlet code so that I can maintain it easier.
  *  @author MER-C
+ *  @since 0.02
  */
 public class ServletUtils
 {
@@ -161,4 +168,108 @@ public static String generatePagination(String urlbase, int current, int amount,
             sb.append("</a>");
         return sb.toString();
     }
+    
+    /**
+     *  Presents a SHA-256 proof of work CAPTCHA. To pass the CAPTCHA, the  
+     *  client needs to compute a nonce such that 
+     *  sha256(nonce + timestamp + selected concatenated HTTP parameters) begins 
+     *  with some quantity of zeros (difficulty is customisable, default 3).
+     *  A CAPTCHA page is shown when the user submits a request. When complete, 
+     *  the CAPTCHA page redirects to the expected results. A solved CAPTCHA
+     *  adds URL parameters <code>powans</code> (the solution), <code>powts</code>,
+     *  <code>nonce</code> and <code>powdif</code> (the difficulty). The CAPTCHA 
+     *  expires after five minutes.
+     * 
+     *  @param req a servlet request
+     *  @param response the corresponding response
+     *  @param params the request parameters to concatenate to form the challenge
+     *  string. The challenge string cannot contain new lines.
+     *  @param captcha_string_nonce a nonce, for Content Security Policy purposes,
+     *  to protect an inline script that defines the challenge string only
+     *  @return whether to continue servlet execution
+     *  @throws IOException if a network error occurs
+     *  @see captcha.js
+     *  @since 0.02
+     */
+    public static boolean showCaptcha(HttpServletRequest req, HttpServletResponse response, List<String> params, String captcha_string_nonce) throws IOException
+    {
+        // no captcha for the initial input
+        if (req.getParameterMap().isEmpty())
+            return true;
+        
+        // TODO: captcha.js does not propagate POST parameters
+        
+        PrintWriter out = response.getWriter();
+        String answer = req.getParameter("powans");
+        String timestamp = req.getParameter("powts");
+        String nonce = req.getParameter("nonce");
+        String difficulty = req.getParameter("powdif");
+        
+        StringBuilder paramstr = new StringBuilder();
+        for (String param : params)
+            paramstr.append(req.getParameter(param));
+        String challenge = sanitizeForAttribute(paramstr.toString());
+        String tohash = nonce + timestamp + challenge;
+
+        // captcha not attempted, show CAPTCHA screen
+        if (answer == null && timestamp == null && nonce == null && difficulty == null)
+        {
+            out.println("""
+                    <!doctype html>
+                    <html>
+                    <head>
+                    <title>CAPTCHA</title>""");
+            out.println("<script nonce=\"" + captcha_string_nonce + "\">");
+            out.println("    window.chl = \"" + challenge + "\";");
+            out.println("""
+                    </script>
+                    <script src="captcha.js" defer></script>
+                    </head>
+                    <body>
+                    <h1>Verifying you are not a bot</h1>
+                    <p>You should be redirected to your results shortly. Unfortunately JavaScript is required for this to work.
+                    </body>
+                    </html>
+                    """);
+            return false;
+        }
+        // incomplete parameters = fail
+        else if (answer == null || timestamp == null || nonce == null || difficulty == null)
+        {
+            response.setStatus(403);
+            out.println("Incomplete CAPTCHA parameters");
+            return false;
+        }
+        
+        // not recent = fail
+        OffsetDateTime odt = OffsetDateTime.parse(timestamp);
+        if (OffsetDateTime.now().minusMinutes(5).isAfter(odt))
+        {
+            response.setStatus(403);
+            out.println("CAPTCHA expired");
+            return false;
+        }
+                        
+        try
+        {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(tohash.getBytes(StandardCharsets.UTF_8));
+            String expected = "%064x".formatted(new BigInteger(1, hash));
+            String prefix = "0".repeat(Integer.parseInt(difficulty));
+            if (answer.startsWith(prefix) && expected.equals(answer))
+                return true;
+            
+            response.setStatus(403);
+            out.println("CAPTCHA failed");
+            return false;
+            
+        }
+        catch (NoSuchAlgorithmException ex)
+        {
+            response.setStatus(302);
+            response.setHeader("Location", "/timeout.html");
+            response.getWriter().close();
+            return false;
+        }
+    }
 }
diff --git a/src/org/wikipedia/servlets/extlinkchecker.jsp b/src/org/wikipedia/servlets/extlinkchecker.jsp
@@ -8,6 +8,8 @@
 -->
 <%@ include file="security.jspf" %>
 <%
+    if (!ServletUtils.showCaptcha(request, response, List.of("title", "wiki"), captcha_script_nonce))
+        throw new SkipPageException();
     request.setAttribute("toolname", "External link checker");
 
     String wiki = ServletUtils.sanitizeForAttributeOrDefault(request.getParameter("wiki"), "en.wikipedia.org");
diff --git a/src/org/wikipedia/servlets/linksearch.jsp b/src/org/wikipedia/servlets/linksearch.jsp
@@ -8,6 +8,8 @@
 -->
 <%@ include file="security.jspf" %>
 <%
+    if (!ServletUtils.showCaptcha(request, response, List.of("link"), captcha_script_nonce))
+        throw new SkipPageException();
     request.setAttribute("toolname", "Cross-wiki linksearch");
     request.setAttribute("scripts", new String[] { "common.js", "XWikiLinksearch.js" });
     int limit = 500;
diff --git a/src/org/wikipedia/servlets/nppcheck.jsp b/src/org/wikipedia/servlets/nppcheck.jsp
@@ -9,7 +9,8 @@
 <%@ include file="security.jspf" %>
 <%@ include file="datevalidate.jspf" %>
 <%
-    request.setAttribute("toolname", "NPP/AFC checker");
+    if (!ServletUtils.showCaptcha(request, response, List.of("username"), captcha_script_nonce))
+        throw new SkipPageException();    request.setAttribute("toolname", "NPP/AFC checker");
 
     String username = ServletUtils.sanitizeForAttribute(request.getParameter("username"));
     NPPCheck.Mode mode = NPPCheck.Mode.fromString(request.getParameter("mode"));
diff --git a/src/org/wikipedia/servlets/prefixcontribs.jsp b/src/org/wikipedia/servlets/prefixcontribs.jsp
@@ -8,6 +8,8 @@
 -->
 <%@ include file="security.jspf" %>
 <%
+    if (!ServletUtils.showCaptcha(request, response, List.of("prefix"), captcha_script_nonce))
+        throw new SkipPageException();
     request.setAttribute("toolname", "Prefix contributions");
     request.setAttribute("earliest_default", LocalDate.now(ZoneOffset.UTC).minusDays(7));
 
diff --git a/src/org/wikipedia/servlets/security.jspf b/src/org/wikipedia/servlets/security.jspf
@@ -19,6 +19,7 @@
 <%@ page import="java.io.*" %>
 <%@ page import="java.net.*" %>
 <%@ page import="java.nio.charset.StandardCharsets" %>
+<%@ page import="java.security.SecureRandom" %>
 <%@ page import="java.util.*" %>
 <%@ page import="java.util.stream.*" %>
 <%@ page import="java.time.*" %>
@@ -46,16 +47,22 @@
     WMFWikiFarm sessions = WMFWikiFarm.instance();
     sessions.setInitializer(wiki_ -> wiki_.setMaxLag(-1));
     response.setCharacterEncoding("UTF-8");
+    
+    // compute nonce for inline script setting captcha challenge string
+    SecureRandom sr = new SecureRandom();
+    byte[] barrtemp = new byte[32];
+    sr.nextBytes(barrtemp);
+    String captcha_script_nonce = new String(Base64.getEncoder().encode(barrtemp));
 
     // Set security headers
 
     // Enable HSTS (force HTTPS)
     response.setHeader("Strict-Transport-Security", "max-age=31536000");
     response.setHeader("Content-Security-Policy", 
         "frame-ancestors 'none'; " + // disable framing
-        "default-src 'none'; " +     // disable everything by default
-        "script-src 'self'; " +      // allow only scripts from this domain
-        "style-src 'self'");         // allow only stylesheets from this domain
+        "default-src 'none'; " + // disable everything by default
+        "script-src 'self' 'nonce-" + captcha_script_nonce + "'; " + // allow only scripts from this domain
+        "style-src 'self'"); // allow only stylesheets from this domain
     // disable the Referer header
     response.setHeader("Referrer-Policy", "no-referrer");
 %>
diff --git a/src/org/wikipedia/servlets/spamarchivesearch.jsp b/src/org/wikipedia/servlets/spamarchivesearch.jsp
@@ -8,6 +8,8 @@
 -->
 <%@ include file="security.jspf" %>
 <%
+    if (!ServletUtils.showCaptcha(request, response, List.of("query"), captcha_script_nonce))
+        throw new SkipPageException();
     request.setAttribute("toolname", "Spam archive search");
     String query = request.getParameter("query");
 %>
diff --git a/src/org/wikipedia/servlets/userwatchlist.jsp b/src/org/wikipedia/servlets/userwatchlist.jsp
@@ -8,6 +8,8 @@
 -->
 <%@ include file="security.jspf" %>
 <%
+    if (!ServletUtils.showCaptcha(request, response, List.of("page"), captcha_script_nonce))
+        throw new SkipPageException();
     request.setAttribute("toolname", "User watchlist");
     request.setAttribute("earliest_default", LocalDate.now(ZoneOffset.UTC).minusDays(30));
 
@@ -26,7 +28,7 @@
     boolean newonly = (request.getParameter("newonly") != null);
     
     Wiki enWiki = sessions.sharedSession("en.wikipedia.org");
-    enWiki.setQueryLimit(30000); // 60 network requests
+    enWiki.setQueryLimit(20000); // 40 network requests
     Users userUtils = Users.of(enWiki);
     Revisions revisionUtils = Revisions.of(enWiki);
     Pages pageUtils = Pages.of(enWiki);
diff --git a/web/captcha.js b/web/captcha.js
@@ -0,0 +1,110 @@
+/**
+ *  Calculates the SHA-256 hash of a string using SubtleCrypto
+ *  and returns it as a hexadecimal string.
+ *
+ *  @param {string} str - The input string.
+ *  @returns {Promise<string>} A Promise that resolves with the SHA-256 hash as a 64-character hex string.
+ *  @throws {Error} If SubtleCrypto is not available.
+ */
+async function sha256_hex(str)
+{
+    if (!crypto || !crypto.subtle || !crypto.subtle.digest)
+    {
+        throw new Error("SubtleCrypto API not available in this browser/context.");
+    }
+    if (typeof TextEncoder === 'undefined')
+    {
+        throw new Error("TextEncoder API not available in this browser/context.");
+    }
+
+    // Encode the string into a Uint8Array -> ArrayBuffer
+    const dataBuffer = new TextEncoder().encode(str);
+
+    // Calculate the hash using SubtleCrypto
+    const hashBuffer = await crypto.subtle.digest('SHA-256', dataBuffer);
+
+    // Convert the ArrayBuffer to a hexadecimal string
+    const hashArray = Array.from(new Uint8Array(hashBuffer)); // Convert buffer to byte array
+    const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join(''); // Convert bytes to hex
+
+    return hashHex;
+}
+
+/**
+ *  Solves a Proof-of-Work (PoW) challenge using SHA-256 via SubtleCrypto.
+ *  Finds a nonce such that the SHA-256 hash of (challenge + nonce)
+ *  starts with a specified number of zero characters (hexadecimal).
+ *
+ *  THIS FUNCTION IS ASYNCHRONOUS due to SubtleCrypto usage.
+ *
+ *  @param {string} challenge - A unique string for this specific PoW task.
+ *  @param {number} [difficulty=3] - The required number of leading zero hex characters (0-64).
+ *  Higher numbers are exponentially harder. **Requires tuning for desired runtime.**
+ *  @returns {Promise<{nonce: number, hash: string, duration: number, challenge: string, difficulty: number}>}
+ *  A Promise resolving to an object containing the found nonce, the resulting 64-char hex hash,
+ *  the time taken in milliseconds, the original challenge, and the difficulty used.
+ *  @throws {Error} If the challenge is not a non-empty string, difficulty is invalid,
+ *  or SubtleCrypto/TextEncoder is unavailable.
+ */
+async function solvePoWCaptchaSHA256(challenge, difficulty = 3)
+{
+    if (typeof challenge !== 'string' || challenge.length === 0)
+    {
+        throw new Error("PoW challenge must be a non-empty string.");
+    }
+    // SHA-256 produces a 64-character hex string (256 bits)
+    if (!Number.isInteger(difficulty) || difficulty <= 0 || difficulty > 64)
+    {
+        throw new Error("PoW difficulty must be a positive integer between 1 and 64.");
+    }
+    // Check for SubtleCrypto availability early
+    if (!crypto || !crypto.subtle || !crypto.subtle.digest || typeof TextEncoder === 'undefined')
+    {
+        throw new Error("Required cryptographic APIs (SubtleCrypto, TextEncoder) not available.");
+    }
+
+    console.log(`Starting SHA-256 PoW solve: Challenge="${challenge}", Difficulty=${difficulty}`);
+    const startTime = performance.now();
+
+    const targetPrefix = '0'.repeat(difficulty);
+    let nonce = 0;
+    let hash = '';
+    let data = '';
+
+    // Loop until a valid hash is found
+    while (true)
+    {
+        data = nonce + challenge; // Concatenate challenge and current nonce
+        hash = await sha256_hex(data); // Calculate the SHA-256 hash (asynchronously)
+
+        if (hash.startsWith(targetPrefix)) 
+        {
+            // Solution found!
+            const endTime = performance.now();
+            const duration = endTime - startTime;
+            console.log(`SHA-256 PoW Solved! Nonce: ${nonce}, Hash: ${hash}, Time: ${duration.toFixed(2)} ms`);
+
+            return {
+                nonce: nonce,
+                hash: hash,
+                duration: duration,
+                challenge: challenge,
+                difficulty: difficulty
+            };
+        }
+
+        nonce++; // Increment nonce and try again
+    }
+}
+
+// Everything above is courtesy of Gemini 2.5 Pro
+const date = new Date().toISOString();
+var captcha = solvePoWCaptchaSHA256(date + window.chl);
+const temp = new URL(window.location.href);
+captcha.then((result) => {
+    temp.searchParams.set("powans", result.hash);
+    temp.searchParams.set("nonce", result.nonce);
+    temp.searchParams.set("powts", date);
+    temp.searchParams.set("powdif", result.difficulty);
+    window.location.href = temp.toString();
+});
