feat: proxy-pac-url support

Author: trixter-osec

.gitignore

@@ -2,3 +2,4 @@
 /src/config.js
 .terraform*
 *.tfstate*
+.idea

Dockerfile

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:1.4.3
 
-FROM node:18.9.0-buster-slim AS build
+FROM node:24-slim AS build
 WORKDIR /app
 RUN apt-get update && apt-get install -y \
   g++ make cmake unzip libcurl4-openssl-dev autoconf libtool python3 curl
 COPY package.json package-lock.json ./
 RUN npm ci
 
-FROM node:18.9.0-buster-slim
+FROM node:24-slim
 WORKDIR /app
 RUN apt-get update && apt-get install -y --no-install-recommends \
   libglib2.0-0 libnss3 libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 \

README.md

@@ -37,13 +37,13 @@ After applying, Terraform outputs a `submit_url`. To submit a URL to the admin b
 
 ### GCP
 
-2. Build and push the image to [`gcr.io`](https://cloud.google.com/container-registry) or [`pkg.dev`](https://cloud.google.com/artifact-registry).
-1. Use the [Terraform module](https://registry.terraform.io/modules/redpwn/admin-bot/google/latest) to deploy to Cloud Run.
+1. Build and push the image to [`gcr.io`](https://cloud.google.com/container-registry) or [`pkg.dev`](https://cloud.google.com/artifact-registry).
+2. Use the [Terraform module](https://registry.terraform.io/modules/redpwn/admin-bot/google/latest) to deploy to Cloud Run.
 
 ### AWS
 
-2. Build and push the image to [ECR](https://aws.amazon.com/ecr/).
-1. Use the [Terraform module](https://registry.terraform.io/modules/redpwn/admin-bot/aws/latest) to deploy to Fargate and Lambda.
+1. Build and push the image to [ECR](https://aws.amazon.com/ecr/).
+2. Use the [Terraform module](https://registry.terraform.io/modules/redpwn/admin-bot/aws/latest) to deploy to Fargate and Lambda.
 
 ## Challenge Configuration
 
@@ -54,11 +54,22 @@ The key of each entry is its challenge ID. To submit a URL to the admin bot, vis
 The value of each entry is an object with properties:
 
 * `name`: the display name of the challenge
+* `restrict_domains`: see below for a more in-depth explanation
 * `timeout`: the timeout in milliseconds for each admin bot visit
 * `handler`: a function which returns a `Promise` and accepts the submitted URL and a [Puppeteer `BrowserContext`](https://pptr.dev/#?show=api-class-browsercontext)
 * `urlRegex` (optional): a regex to check the URL against (default: `/^https?:\/\//`)
 
-To mitigate possible Chrome vulnerabilities, JIT/WebAssembly is disabled.
+To prevent cookie tossing (and other cheeses) from another vulnerable challenge on the same domain, we also support providing the
+`restrict_domains` option, where one can provide a list of domains and their subdomains that should be accessible. Any subdomain of a domain that is not part of the list will automatically
+fail.  For example, if all challenges are hosted under `example.com`, one can restrict access to only the challenge-specific subdomain `one.example.com` with the following configuration:
+```js
+    restrict_domains: {
+        'example.com': ['one.example.com']
+    }
+```
+Behind the scenes, the --proxy-pac-url flag is used to tell browser how the restricted URLs should be handled.
+
+Additionally, to mitigate possible Chrome vulnerabilities, JIT/WebAssembly is disabled.
 
 ## Terraform Configuration
 

examples/image/config.js

@@ -3,6 +3,9 @@ const sleep = time => new Promise(resolve => setTimeout(resolve, time))
 const challenges = new Map([
   ['one', {
     name: 'Challenge One',
+    restrict_domains: {
+      'example.com': ['one.example.com'],
+    },
     timeout: 10000,
     handler: async (url, ctx) => {
       const page = await ctx.newPage()