From 727ffe03650003a513f857f245ee46052cc3e112 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20G=C3=B3mez=20Garc=C3=ADa?=
Date: Sat, 3 Jul 2021 16:25:07 +0200
Subject: [PATCH] Added a basic bot check to request middleware to forbid bots access
---
 .../src/uds/core/util/middleware/request.py | 38 +++++++++++--------
 1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/server/src/uds/core/util/middleware/request.py b/server/src/uds/core/util/middleware/request.py
index 767cf049..31aaa8af 100644
--- a/server/src/uds/core/util/middleware/request.py
+++ b/server/src/uds/core/util/middleware/request.py
@@ -28,9 +28,8 @@
 """
 .. moduleauthor:: Adolfo Gómez, dkmaster at dkmon dot com
 """
-import threading
+import re
 import datetime
-import weakref
 import logging
 import typing
@@ -50,6 +49,9 @@ from uds.models import User
 logger = logging.getLogger(__name__)
+# Simple Bot detection
+bot = re.compile('bot|spider', re.IGNORECASE)
+
 # How often to check the requests cache for stuck objects
 CHECK_SECONDS = 3600 * 24 # Once a day is more than enough
@@ -60,19 +62,6 @@ class GlobalRequestMiddleware:
 def __init__(self, get_response: typing.Callable[[HttpRequest], HttpResponse]):
 self._get_response: typing.Callable[[HttpRequest], HttpResponse] = get_response
- def _process_request(self, request: ExtendedHttpRequest) -> None:
- # Store request on cache
- setRequest(request=request)
-
- # Add IP to request
- GlobalRequestMiddleware.fillIps(request)
- # Ensures request contains os
- request.os = OsDetector.getOsFromUA(
- request.META.get('HTTP_USER_AGENT', 'Unknown')
- )
- # Ensures that requests contains the valid user
- GlobalRequestMiddleware.getUser(request) - def _process_response(self, request: ExtendedHttpRequest, response: HttpResponse): - # Remove IP from global cache (processing responses after this will make global request unavailable, # but can be got from request again) 
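Review bot: The pattern `'bot|spider'` is applied with `search` to the client-supplied User-Agent (see the `__call__` hunk below), so it only turns away crawlers that announce themselves and could also deny a legitimate client whose User-Agent happens to contain one of those substrings. That is acceptable for a nuisance filter, but the comment above it should say so: `# Simple bot detection by User-Agent substring. The header is client-supplied, so this only filters self-identifying crawlers; it is not an access control.` The compiled pattern is also a module-level constant, and a name such as `BOT_UA_PATTERN` would match `CHECK_SECONDS` two lines below and read less like a local variable at its use site.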
@@ -83,7 +72,24 @@ class GlobalRequestMiddleware:
 return response
 def __call__(self, request: ExtendedHttpRequest):
- self._process_request(request)
+ # Add IP to request
+ GlobalRequestMiddleware.fillIps(request)
+
+ # If bot, break now
+ ua = request.META.get('HTTP_USER_AGENT', 'Unknown')
+ if bot.search(ua):
+ # Return emty response if bot is detected
+ logger.info('Denied Bot %s from %s to %s', ua, request.ip, request.path)
+ return HttpResponse(content='Forbbiden', status=403)
+
+ # Store request on cache
+ setRequest(request=request)
+
+ # Ensures request contains os
+ request.os = OsDetector.getOsFromUA(ua)
+
+ # Ensures that requests contains the valid user
+ GlobalRequestMiddleware.getUser(request)
 # Now, check if session is timed out...
 if request.user:
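Review bot: The 403 body on the early-return line is misspelled and is user-visible text, so `return HttpResponse(content='Forbidden', status=403)`; the comment above it says "emty response" although the response does carry a body, so `# Deny with a 403 before the request is cached or a user is resolved` describes what the branch does. The statement order is load-bearing and worth a comment: `fillIps` runs before the check so that `request.ip` is populated for the log line, and `setRequest` stays after it so the early return, which presumably skips the later `_process_response` cleanup, leaves no entry in the request cache. The logged `ua` is client-supplied; depending on the front end's header limits it may be worth capping it (`ua[:200]`) so one request cannot write an oversized log record. `__call__` continues past the end of the hunk.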