Commit fba0278

Enhance Albatross documentation with recent updates, including static sitemap implementation, cross-browser ASCII art rendering fixes, and security hardening in deployment pipeline.
1 parent 94d376b commit fba0278

1 file changed

Lines changed: 216 additions & 20 deletions

staging/2025-06-10-albatross.md

@@ -15,6 +15,18 @@ tags: [blazorWebAssembly, cloudflareWorkers, devSecOps, webDevelopment, cyberSec
1515
Built **Albatross**, a secure IP abuse checker using Blazor WebAssembly + Cloudflare Workers. Key features:
1616
- 🔐 **Secure API proxy** with HMAC authentication (no exposed API keys)
1717
-**Fast client-side app** with server-side API protection
18+
- �️ **Real-time IP reputation checking** via AbuseIPDB
19+
- 🏗️ **Modern architecture** combining the best of client and edge computing
20+
21+
This algorithm efficiently compares IP addresses against CIDR ranges by:
22+
1. **Splitting the CIDR** notation (e.g., "10.0.0.0/8")
23+
2. **Converting to bytes** for efficient comparison
24+
3. **Comparing full bytes** first (faster than bit-by-bit)
25+
4. **Handling remainder bits** with bitwise masking
26+
5. **Early termination** on mismatch for performance
27+
28+
## Security Implementationion (no exposed API keys)
29+
-**Fast client-side app** with server-side API protection
1830
- 🛡️ **Real-time IP reputation checking** via AbuseIPDB
1931
- 🏗️ **Modern architecture** combining the best of client and edge computing
2032

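Review bot: the added block at new lines 18-29 looks like a paste accident rather than intended content: the heading `## Security Implementationion (no exposed API keys)` is the tail of the `Secure API proxy` bullet fused onto a heading, the `Fast client-side app`, `Real-time IP reputation checking` and `Modern architecture` bullets now appear twice (once in the added lines, again in the unchanged context at 30-32), and the `This algorithm efficiently compares IP addresses against CIDR ranges by:` list belongs next to the `IsIpInRange` code later in the post, not in the feature summary. Suggest dropping new lines 18-29 entirely and moving the five-step CIDR list to the IP-range section. The added `Real-time` bullet also carries a replacement character (`�️`) where the 🛡️ emoji is in the context line below it, so the file should be re-saved as UTF-8 before committing.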
@@ -39,8 +51,8 @@ For Albatross, I chose a different path: **Cloudflare Workers as a secure API pr
3951
```
4052
┌─────────────────┐ HMAC Auth ┌─────────────────┐ API Key ┌─────────────────┐
4153
│ │ ──────────→ │ │ ──────────→ │ │
42-
│ Blazor WASM │ │ Cloudflare │ │ AbuseIPDB │
43-
│ Client │ ←────────── │ Worker │ ←────────── │ API │
54+
│ Blazor WASM │ │ Cloudflare │ │ AbuseIPDB │
55+
│ Client │ ←────────── │ Worker │ ←────────── │ API │
4456
│ │ CORS + JSON │ │ JSON Data │ │
4557
└─────────────────┘ └─────────────────┘ └─────────────────┘
4658
```
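Review bot: lines 42-43 and their replacements 54-55 render identically here, so this is a whitespace-only change to the box diagram. That is fine, but confirm it is spaces rather than tabs (tabs will misalign the box in the rendered post), and mention the alignment fix in the commit message, which currently does not list it.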
@@ -59,12 +71,20 @@ One of the most innovative aspects of Albatross is its build-time authentication
5971
### PowerShell Key Generation Script
6072

6173
```powershell
62-
# Generate-AuthKey.ps1
74+
# Generate-AuthKey.ps1 - Updated implementation
6375
function Generate-SecureKey {
64-
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
76+
# Generate a cryptographically secure random key
6577
$keyBytes = New-Object byte[] 32 # 256 bits
78+
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
6679
$rng.GetBytes($keyBytes)
67-
return [Convert]::ToBase64String($keyBytes)
80+
81+
# Convert to Base64 and make UTF-8 compatible
82+
$randomBase64 = [System.Convert]::ToBase64String($keyBytes)
83+
$authKeyString = $randomBase64.Substring(0, [Math]::Min(32, $randomBase64.Length)).Replace("/", "_").Replace("+", "-")
84+
85+
# Convert UTF-8 string to base64 for storage
86+
$authKeyBytes = [System.Text.Encoding]::UTF8.GetBytes($authKeyString)
87+
return [System.Convert]::ToBase64String($authKeyBytes)
6888
}
6989
7090
$authKey = Generate-SecureKey
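Review bot: the comment `# 256 bits` on `$keyBytes` no longer describes the returned key. `Substring(0, 32)` keeps only the first 32 Base64 characters of the 44-character encoding, i.e. 192 bits of the 256 generated, and the final `ToBase64String($authKeyBytes)` Base64-encodes that string a second time, so the stored value is the Base64 of a URL-safe string rather than raw key bytes. 192 bits is ample for HMAC-SHA256, but the comment should say so, and the two consumers shown in this post (`Encoding.UTF8.GetBytes(_authKey)` in the Blazor client and `new TextEncoder().encode(AUTH_KEY)` in the Worker) must be fed the same representation, either the 32-character string or its Base64, or the HMACs will never match. Minor: `[Math]::Min(32, $randomBase64.Length)` is dead logic since 32 random bytes always encode to 44 characters, and PSScriptAnalyzer will flag `Generate-` as an unapproved verb (`New-SecureKey`). Replacing the obsolete `RNGCryptoServiceProvider` with `RandomNumberGenerator::Create()` is the right call.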
@@ -83,7 +103,7 @@ This approach provides several security benefits:
83103
The key generation is seamlessly integrated into the .NET build process using custom MSBuild targets:
84104

85105
```xml
86-
<Target Name="GenerateAuthKey" BeforeTargets="CoreCompile">
106+
<Target Name="GenerateAuthKey" BeforeTargets="BeforeCompile" Condition="'$(SkipCodeGeneration)' != 'true' AND '$(DesignTimeBuild)' != 'true'">
87107
<Exec Command="pwsh -ExecutionPolicy Bypass -File &quot;$(ProjectDir)Generate-AuthKey.ps1&quot;"
88108
ContinueOnError="false" />
89109
</Target>
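Review bot: the `DesignTimeBuild` and `SkipCodeGeneration` conditions fix a real annoyance (the old target regenerated the key on every IDE design-time build), but the target still has no `Inputs`/`Outputs`, so every build, incremental ones included, rewrites the key, forces a full recompile and, because the Worker must hold the same `AUTH_KEY`, invalidates the deployed Worker's key until it is redeployed. Consider generating only when the output file is missing or when a CI property is set, e.g. `Condition="!Exists('$(ProjectDir)BuildConstants.cs') OR '$(RegenerateAuthKey)' == 'true'"` (file name assumed), and document in the post how the new key reaches the Worker.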
@@ -103,9 +123,35 @@ The authentication system uses HMAC-SHA256 to sign requests, ensuring both authe
103123
```csharp
104124
private string GenerateHmacToken(string requestUrl)
105125
{
106-
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(BuildConstants.AuthKey));
107-
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(requestUrl.ToLower()));
108-
return Convert.ToBase64String(hash);
126+
if (string.IsNullOrEmpty(_authKey))
127+
{
128+
Console.WriteLine("Debug: Auth key is null or empty");
129+
return string.Empty;
130+
}
131+
132+
if (string.IsNullOrEmpty(requestUrl))
133+
{
134+
Console.WriteLine("Debug: Request URL is null or empty");
135+
return string.Empty;
136+
}
137+
138+
try
139+
{
140+
Console.WriteLine($"Debug: Generating HMAC for URL: {requestUrl}");
141+
Console.WriteLine($"Debug: Using auth key: {_authKey}");
142+
143+
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_authKey));
144+
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(requestUrl));
145+
var token = Convert.ToBase64String(hash);
146+
147+
Console.WriteLine($"Debug: Generated HMAC hash: {token}");
148+
return token;
149+
}
150+
catch (Exception ex)
151+
{
152+
Console.WriteLine($"Debug: Exception in GenerateHmacToken: {ex.Message}");
153+
return string.Empty;
154+
}
109155
}
110156
```
111157

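Review bot: `Console.WriteLine($"Debug: Using auth key: {_authKey}");` and `Console.WriteLine($"Debug: Generated HMAC hash: {token}");` write the HMAC secret and every token to the browser's developer console (that is where `Console.WriteLine` lands in Blazor WebAssembly), and the remaining `Debug:` lines record every URL being signed; strip them before this ships, or gate them behind `#if DEBUG` with the key line removed outright. Two further points: dropping `.ToLower()` changes the signed message, so the Worker must hash the URL byte-for-byte as the client sends it and must be redeployed together with this client; and the `catch (Exception ex)` that returns `string.Empty` turns any failure into a request sent with an empty token, which the Worker rejects with an opaque error, so letting the exception propagate (or refusing to send) gives a clearer failure.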
@@ -114,7 +160,7 @@ private string GenerateHmacToken(string requestUrl)
114160
```javascript
115161
async function validateHmacToken(receivedToken, requestUrl) {
116162
const keyBytes = new TextEncoder().encode(AUTH_KEY);
117-
const messageBytes = new TextEncoder().encode(requestUrl);
163+
const messageBytes = new TextEncoder().encode(message);
118164

119165
const cryptoKey = await crypto.subtle.importKey(
120166
'raw', keyBytes,
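Review bot: line 163 replaces `requestUrl` with `message`, but `message` is not a parameter of `validateHmacToken(receivedToken, requestUrl)` and is not declared anywhere in the visible context, so `new TextEncoder().encode(message)` will throw a `ReferenceError` (or, if some outer-scope `message` exists, silently sign the wrong string and reject every valid token). Either keep `requestUrl` here or rename the parameter in the signature consistently.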
@@ -412,23 +458,38 @@ private bool IsIpInRange(IPAddress ipAddress, string cidrRange)
412458
var networkAddress = IPAddress.Parse(parts[0]);
413459
var prefixLength = int.Parse(parts[1]);
414460

415-
// Convert to bytes for bitwise operations
416461
var ipBytes = ipAddress.GetAddressBytes();
417462
var networkBytes = networkAddress.GetAddressBytes();
418463

419-
// Handle IPv4 vs IPv6 compatibility
420464
if (ipBytes.Length != networkBytes.Length)
421465
return false;
422-
423-
// Calculate subnet mask
424-
var totalBits = ipBytes.Length * 8;
425-
var maskBits = prefixLength;
426466

427-
// Perform bitwise comparison
428-
for (int byteIndex = 0; byteIndex < ipBytes.Length; byteIndex++)
467+
var bytesToCheck = prefixLength / 8;
468+
var remainderBits = prefixLength % 8;
469+
470+
// Compare full bytes
471+
for (int i = 0; i < bytesToCheck; i++)
472+
{
473+
if (ipBytes[i] != networkBytes[i])
474+
return false;
475+
}
476+
477+
// Check remainder bits if any
478+
if (remainderBits > 0 && bytesToCheck < ipBytes.Length)
429479
{
430-
var bitsInThisByte = Math.Min(8, Math.Max(0, maskBits - (byteIndex * 8)));
431-
if (bitsInThisByte == 0) break;
480+
var mask = (byte)(0xFF << (8 - remainderBits));
481+
if ((ipBytes[bytesToCheck] & mask) != (networkBytes[bytesToCheck] & mask))
482+
return false;
483+
}
484+
485+
return true;
486+
}
487+
catch
488+
{
489+
return false;
490+
}
491+
}
492+
```
432493
433494
var mask = (byte)(0xFF << (8 - bitsInThisByte));
434495
if ((ipBytes[byteIndex] & mask) != (networkBytes[byteIndex] & mask))
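Review bot: the new implementation closes the method and the code fence at new lines 485-492, but the unchanged context at 493-495 still holds the tail of the old loop (`var mask = (byte)(0xFF << (8 - bitsInThisByte));` and the `ipBytes[byteIndex]` comparison), which will now render as stray text outside the code block; extend the deletion to the rest of the old method body. The full-byte/remainder-bit split itself is correct, but `prefixLength` is never range-checked: a negative value skips the loop, leaves `remainderBits` negative so the guard is false, and the method returns `true` for every address; 33 on IPv4 falls through the `bytesToCheck < ipBytes.Length` guard and behaves as /32; and anything from 40 upwards only fails because the `IndexOutOfRangeException` is swallowed by the bare `catch`. Add `if (prefixLength < 0 || prefixLength > ipBytes.Length * 8) return false;` after the length check, and narrow the `catch` to `FormatException` so programming errors are not hidden.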
@@ -576,6 +637,140 @@ Several exciting improvements are planned:
576637

577638
The Cloud IP Manifest Search feature demonstrates how modern web applications can provide enterprise-grade functionality while maintaining simplicity and performance. By leveraging official cloud provider data and efficient client-side processing, Albatross delivers accurate, real-time cloud infrastructure attribution that's invaluable for security professionals and network administrators.
578639

640+
## Recent Enhancements (July 2025)
641+
642+
Since the June updates, Albatross has received several critical improvements focused on deployment reliability, security hardening, and cross-browser compatibility:
643+
644+
### Static Sitemap Implementation
645+
646+
A significant architectural change was made to improve SEO and deployment reliability:
647+
648+
- **Removed Dynamic Generation**: Eliminated all dynamic sitemap.xml generation from MSBuild targets and PowerShell scripts
649+
- **Static SEO Optimization**: Implemented a manually-maintained sitemap.xml with fixed URLs and appropriate metadata
650+
- **Improved Indexing**: Better search engine discoverability with consistent sitemap structure
651+
- **Simplified Deployment**: Reduced build complexity by removing dynamic XML generation
652+
653+
The static sitemap approach provides more reliable SEO benefits while simplifying the build process:
654+
655+
```xml
656+
<?xml version="1.0" encoding="UTF-8"?>
657+
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
658+
<url>
659+
<loc>https://albatross.devnomadic.com/</loc>
660+
<lastmod>2025-07-12</lastmod>
661+
<changefreq>weekly</changefreq>
662+
<priority>1.0</priority>
663+
</url>
664+
<!-- IP Manifest Files -->
665+
<url>
666+
<loc>https://albatross.devnomadic.com/ip-manifests/AWS.json</loc>
667+
<lastmod>2025-07-12</lastmod>
668+
<changefreq>daily</changefreq>
669+
<priority>0.8</priority>
670+
</url>
671+
</urlset>
672+
```
673+
674+
### Cross-Browser ASCII Art Rendering
675+
676+
Addressed significant rendering differences between Chrome and Firefox for ASCII art images:
677+
678+
- **Pixel-Perfect Rendering**: Added comprehensive `image-rendering` CSS properties for consistent display across browsers
679+
- **Cross-Browser Compatibility**: Implemented browser-specific rendering hints for Chrome, Firefox, Safari, and IE
680+
- **Responsive Scaling**: Enhanced mobile responsiveness with proper pixel scaling for ASCII art
681+
- **Performance Optimization**: Eliminated image interpolation artifacts that caused blurry ASCII art
682+
683+
```css
684+
img[alt="ascii-text-art-albatross"] {
685+
width: 25% !important;
686+
max-width: 40% !important;
687+
/* Pixel-perfect rendering for ASCII art */
688+
image-rendering: pixelated !important;
689+
image-rendering: -moz-crisp-edges !important;
690+
image-rendering: crisp-edges !important;
691+
image-rendering: -webkit-optimize-contrast !important;
692+
-ms-interpolation-mode: nearest-neighbor !important;
693+
}
694+
```
695+
696+
### Production Deployment Security Hardening
697+
698+
Major security improvements were implemented in the GitHub Actions deployment pipeline:
699+
700+
#### **Fixed Script Injection Vulnerability**
701+
The deployment pipeline was vulnerable to script injection through commit messages. This was resolved with comprehensive input sanitization:
702+
703+
```bash
704+
# Safely sanitize commit message to prevent injection
705+
SAFE_COMMIT_MESSAGE="$( printf '%s' '${{ github.event.head_commit.message }}' | head -c 500 | tr -d '\0\r' | sed 's/[`$"\\]/\\&/g' )"
706+
```
707+
708+
**Security Controls:**
709+
- **Character Limiting**: Truncated to 500 characters to prevent excessive payloads
710+
- **Dangerous Character Escaping**: Escaped backticks, dollar signs, quotes, and backslashes
711+
- **Null Byte Removal**: Eliminated null characters and carriage returns
712+
- **Command Injection Prevention**: Blocked all forms of command substitution and variable expansion
713+
714+
#### **Enhanced Release Naming**
715+
Improved GitHub release naming to match application build identifiers:
716+
717+
- **Build Timestamp Format**: Uses the same `yyyyMMdd-HHmm` format displayed in the application
718+
- **Short SHA Integration**: Includes 8-character commit SHA for unique identification
719+
- **Consistent Versioning**: Release names now match internal build identifiers
720+
721+
```yaml
722+
RELEASE_NAME="${{ needs.build-and-deploy.outputs.build-timestamp }} (${{ needs.build-and-deploy.outputs.build-id }})"
723+
# Example: "Albatross Build 20250719-1430 (a1b2c3d4)"
724+
```
725+
726+
#### **Cloudflare Pages Production Deployment Fix**
727+
Resolved deployment issues where builds were incorrectly deploying to preview environments:
728+
729+
- **Removed Branch Parameters**: Eliminated `--branch` and `--production` flags that were causing deployment confusion
730+
- **Default Production Behavior**: Leveraged Cloudflare Pages' default production deployment when no branch is specified
731+
- **Simplified Command**: Streamlined deployment command for reliability
732+
733+
```bash
734+
# Simplified production deployment (deploys to production by default)
735+
npx wrangler pages deploy ./dist/wwwroot --project-name ${{ secrets.CLOUDFLARE_PAGES_PROJECT }}
736+
```
737+
738+
#### **Artifact Security Enhancement**
739+
Improved release artifact handling to exclude sensitive files:
740+
741+
- **Excluded Worker Files**: Prevented `cloudflare-worker.js` from being included in public releases
742+
- **Security Logging**: Added clear audit trail showing which files are excluded and why
743+
- **Compressed Archives**: Enhanced artifact upload with compressed directory archives
744+
- **Selective Distribution**: Only includes safe artifacts (SPA files, build constants, version info)
745+
746+
```bash
747+
# Skip sensitive files during artifact upload
748+
if [ -f "$file" ] && [ "$file" != "cloudflare-worker.js" ]; then
749+
echo "Uploading file: $file"
750+
gh release upload "${TAG_NAME}" "$file"
751+
elif [ -f "$file" ] && [ "$file" = "cloudflare-worker.js" ]; then
752+
echo "Skipping cloudflare-worker.js (contains sensitive data)"
753+
fi
754+
```
755+
756+
### Mobile Loading Screen Fix
757+
758+
Addressed visual issues with the loading screen on mobile devices:
759+
760+
- **Fixed Icon Stretching**: Resolved aspect ratio issues on mobile screens
761+
- **Enhanced CSS Specificity**: Added `!important` declarations to prevent style conflicts
762+
- **Responsive Sizing**: Proper scaling for different device sizes (80px desktop, 64px tablet, 48px mobile)
763+
- **Conflict Resolution**: Changed alt text to prevent generic image style conflicts
764+
765+
### Build System Reliability
766+
767+
Multiple improvements to the build and deployment pipeline:
768+
769+
- **Dependency Management**: Enhanced npm package handling in CI/CD
770+
- **Error Handling**: Improved build script error detection and reporting
771+
- **Version Consistency**: Aligned version numbering between application and releases
772+
- **Deployment Validation**: Added verification steps for successful deployments
773+
579774
## Recent Enhancements (June 2025)
580775

581776
Since the initial release, Albatross has received several significant improvements that enhance both functionality and user experience:
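Review bot: the injection fix in the `SAFE_COMMIT_MESSAGE` line does not close the hole it targets. `${{ github.event.head_commit.message }}` is expanded by the Actions runner into the script text before bash runs, so a commit message containing a single quote ends the `'...'` literal and the rest of the message executes as shell before `head`, `tr` or `sed` ever see it. The mitigation GitHub documents is to pass the expression through the step's `env:` block (`COMMIT_MSG: ${{ github.event.head_commit.message }}`) and read it as `printf '%s' "$COMMIT_MSG"`; until that is done the bullet `Command Injection Prevention: Blocked all forms of command substitution and variable expansion` overstates what the pipeline achieves. The same pattern applies to the `${{ needs.build-and-deploy.outputs.* }}` values in `RELEASE_NAME` and `${{ secrets.CLOUDFLARE_PAGES_PROJECT }}` in the `wrangler` command, although those are under your control. Smaller points: the `# Example:` comment shows `Albatross Build 20250719-1430 (a1b2c3d4)` but the assignment above it produces no `Albatross Build` prefix; the artifact filter keeps `build constants` in the public release while `BuildConstants.AuthKey` earlier in this post is the HMAC secret, so excluding `cloudflare-worker.js` alone does not keep the key out of the release; and `wrangler pages deploy` without `--branch` infers the branch from the checkout's git state, so the `Default Production Behavior` bullet holds only when the runner has checked out the project's configured production branch.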
@@ -670,6 +865,7 @@ Whether you're building your own API proxy or exploring modern web security patt
670865

671866
## 📋 Changelog
672867

868+
- **2025-07-19:** Major deployment and security update with static sitemap implementation, cross-browser ASCII art rendering fixes, script injection vulnerability patching, Cloudflare Pages production deployment fixes, mobile loading screen improvements, and enhanced release artifact security
673869
- **2025-06-22:** Enhanced security with comprehensive public IP validation (RFC compliant), improved UI layout stability, better error messaging, and enhanced user guidance
674870
- **2025-06-16:** Major update with Oracle Cloud Infrastructure support, enhanced CloudMatch data structures, ASN integration with Cloudflare Radar API, improved UI/UX, and build system fixes
675871
- **2025-06-15:** Updated tag format and added changelog
