From 44f06878deb1d12f91bbde1330a33d61d6a46985 Mon Sep 17 00:00:00 2001
From: girst
Date: Fri, 5 Mar 2021 21:32:50 +0100
Subject: [PATCH] takes some shortcuts with captcha busting
---
 app/common/anticaptcha.py | 52 +++++++++++++++++----------------------
 config/setup.sql | 1 -
 2 files changed, 22 insertions(+), 31 deletions(-)
diff --git a/app/common/anticaptcha.py b/app/common/anticaptcha.py
index 3dd8b26..52cbf8c 100644
--- a/app/common/anticaptcha.py
+++ b/app/common/anticaptcha.py
@@ -1,4 +1,3 @@
-import json
 import secrets
 import sqlite3
 import requests
@@ -9,6 +8,12 @@ from werkzeug.exceptions import NotFound
 from ..common.common import cf, flask_logger
+# NOTE: We are taking a few shortcuts here, that might bite us later:
+# 1. we are not sending form data or request cookies
+# 2. we are only storing the 'goojf' cookie
+# 3. invidious has some extra cookie code for /sorry/index
+# 4. we are expecting a response within 90 seconds (max is 5min)
 class ExtractCaptcha(HTMLParser):
 def __init__(self, html):
 super().__init__()
@@ -69,18 +74,17 @@ def submit_captcha(r):
 result = c.fetchone()
 if result: # already submitted
 (last_ago,) = result
+ flask_logger(f"last request submitted {last_ago}s ago")
 return int(last_ago)
 captcha = ExtractCaptcha(r.text)
 nonce = secrets.token_urlsafe(16)
- inputs = json.dumps(captcha.inputs)
- #^: {"action_recaptcha_verify2": "1", "next": "/watch?v=***&hl=en&gl=US"}
 # note: auto field for current datetime
 c.execute("""
- INSERT INTO captcha_requests(nonce, url, action, inputs)
- VALUES (?, ?, ?, ?)
- """, (nonce, r.url, captcha.action, inputs))
+ INSERT INTO captcha_requests(nonce, url, action)
+ VALUES (?, ?, ?)
+ """, (nonce, r.url, captcha.action))
 conn.commit()
 r2 = requests.post(f"{api_host}/createTask", json={
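Review bot: `captcha.action` is stored verbatim by the new INSERT and later joined to `url` and POSTed to in solve_captcha, so nothing checks that the form action parsed out of the fetched page (ExtractCaptcha, outside this hunk) still points at the host the captcha came from; if that action were ever absolute, the solved token would be sent off-origin. A cheap guard before the INSERT would be `if urlsplit(urljoin(r.url, captcha.action)).netloc != urlsplit(r.url).netloc: raise ValueError("captcha form action leaves origin")`, with urlsplit imported from urllib.parse next to the urljoin the file already uses. Dropping the `inputs` column also means the POST in solve_captcha no longer carries `action_recaptcha_verify2` or `next`, which the NOTE acknowledges; a one-line comment here, `# hidden form fields intentionally not persisted, see NOTE above`, would stop a later reader from re-adding them by accident. submit_captcha starts before this hunk and its createTask call continues past it.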
@@ -94,7 +98,7 @@ def submit_captcha(r):
 "callbackUrl": f"{public_uri}/captcha_response/v1/{nonce}",
 })
 task_id = r2.json().get("taskId")
- flask_logger(f"submitted captcha task with id {task_id}", "info")
+ flask_logger(f"submitted captcha task with id {task_id}")
 return True
@@ -102,43 +106,31 @@ def solve_captcha(nonce, json_obj):
 with sqlite3.connect(cf['global']['database']) as conn:
 c = conn.cursor()
 c.execute("""
- SELECT url, action, inputs
+ SELECT url, action
 FROM captcha_requests
 WHERE nonce = ? -- AND timestamp > date('now', '-90 seconds')
 """, (nonce,))
 try:
- url, action, inputs = c.fetchone()
- inputs = json.loads(inputs)
+ url, action = c.fetchone()
 except:
 raise NotFound # todo: ugly
 solution = json_obj.get("solution", {})
- inputs["g-recaptcha-response"] = solution.get("gRecaptchaResponse")
- cookies = solution.get("cookies")
 r = requests.post(
 urljoin(url, action),
- cookies=cookies, data=inputs,
+ data={"g-recaptcha-response": solution.get("gRecaptchaResponse")},
 allow_redirects=False
 )
- captcha_cookies = r.cookies
- #cargo-culted from invidious, but i don't believe it's necessary
- # if enabled, use r.post(allow_redirects=False)!
- #if action == "/sorry/index":
- # from urllib.parse import parse_qs
- # captcha_cookies, _, _ = parse_qs(r.headers["Location"]) \
- # .get("google_abuse", "") \
- # .partition(";")
- # xxx: returns cookie header-value; parse to dict
-
- c.execute("DELETE FROM captcha_cookies")
- # not using insert-or-replace-into to avoid keeping removed cookies
- c.executemany("""
- INSERT INTO captcha_cookies(name, value)
- VALUES (?, ?)
- """, captcha_cookies.items())
+ cookie_name = "goojf"
+ cookie_value = r.cookies.get(cookie_name)
+ c.execute("""
+ INSERT OR REPLACE INTO captcha_cookies(name, value)
+ VALUES (?, ?)
+ """, (cookie_name, cookie_value))
+ c.execute("""
 DELETE FROM captcha_requests
- WHERE nonce = ? OR timestamp < date('now', '-1 minute')
+ WHERE nonce = ? OR timestamp < date('now', '-90 seconds')
 """, (nonce,))
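Review bot: The new cleanup clause `WHERE nonce = ? OR timestamp < date('now', '-90 seconds')` does not expire nonces after 90 seconds: SQLite's `date()` yields a date-only 'YYYY-MM-DD' string while the column defaults to CURRENT_TIMESTAMP ('YYYY-MM-DD HH:MM:SS'), so the text comparison only matches rows from a previous day and a nonce stays accepted far beyond the window the NOTE promises (the commented-out freshness filter on the SELECT has the same flaw). Use `timestamp < datetime('now', '-90 seconds')` here, and `AND timestamp > datetime('now', '-90 seconds')` if the SELECT filter is re-enabled. Separately, `r.cookies.get(cookie_name)` is None whenever the POST does not yield a goojf cookie (token rejected, unexpected response), and the INSERT OR REPLACE then overwrites a previously working cookie with NULL; guard the write with `if cookie_value is not None:` and log the miss, and note that INSERT OR REPLACE only replaces when `name` carries a UNIQUE or PRIMARY KEY constraint, which the truncated setup.sql hunk does not show. The bare `except:` still maps every failure, not just the TypeError from unpacking a None row, to NotFound; `except TypeError:` keeps the intended behaviour without masking sqlite errors. solve_captcha likely continues past the end of this hunk.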
diff --git a/config/setup.sql b/config/setup.sql
index a0334c1..df387e8 100644
--- a/config/setup.sql
+++ b/config/setup.sql
@@ -61,7 +61,6 @@ CREATE TABLE captcha_requests(
 nonce STRING,
 url STRING,
 action STRING,
- inputs STRING,
 timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);
 CREATE TABLE captcha_cookies(
 name STRING,
-- 
2.39.3