[WAF]规则中增加请求Header长度限制和响应Header长度限制

2025-11-03 20:40:25 +08:00 · 2020-11-18 19:48:27 +08:00
parent b001883c54
commit 317f16746f
3 changed files with 52 additions and 10 deletions
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go
@@ -14,10 +14,11 @@ func NewKeyValue(name string, value string) *KeyValue {

 // check point definition
 type HTTPFirewallCheckpointDefinition struct {
-	Name        string            `json:"name"`
-	Description string            `json:"description"`
-	Prefix      string            `json:"prefix"`
-	IsRequest   bool              `json:"isRequest"`
-	Params      []*KeyValue       `json:"params"`
-	Options     []OptionInterface `json:"options"`
+	Name        string            `json:"name"`        // 名称
+	Description string            `json:"description"` // 描述
+	Prefix      string            `json:"prefix"`      // 前缀
+	IsRequest   bool              `json:"isRequest"`   // 是否为请求
+	Params      []*KeyValue       `json:"params"`      // 参数
+	Options     []OptionInterface `json:"options"`     // 选项
+	IsComposed  bool              `json:"isComposed"`  // 是否为组合的checkpoint
 }
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go
@@ -7,6 +7,20 @@ import (

 // all check points list
 var AllCheckpoints = []*HTTPFirewallCheckpointDefinition{
+	{
+		Name:        "通用请求Header长度限制",
+		Prefix:      "requestGeneralHeaderLength",
+		Description: "通用Header比如Cache-Control、Accept之类的长度限制，防止缓冲区溢出攻击",
+		IsRequest:   true,
+		IsComposed:  true,
+	},
+	{
+		Name:        "通用响应Header长度限制",
+		Prefix:      "responseGeneralHeaderLength",
+		Description: "通用Header比如Cache-Control、Date之类的长度限制，防止缓冲区溢出攻击",
+		IsRequest:   false,
+		IsComposed:  true,
+	},
 	{
 		Name:        "客户端地址（IP）",
 		Prefix:      "remoteAddr",
@@ -268,12 +282,22 @@ var AllCheckpoints = []*HTTPFirewallCheckpointDefinition{
 	},
 }

-// find a check point definition
+// 查找Checkpoint定义
 func FindCheckpointDefinition(prefix string) *HTTPFirewallCheckpointDefinition {
-	for _, def := range AllCheckpoints {
-		if def.Prefix == prefix {
-			return def
+	for _, checkpoint := range AllCheckpoints {
+		if checkpoint.Prefix == prefix {
+			return checkpoint
 		}
 	}
 	return nil
 }
+
+// 判断Checkpoint是否为组合的
+func CheckCheckpointIsComposed(prefix string) bool {
+	for _, checkpoint := range AllCheckpoints {
+		if checkpoint.Prefix == prefix {
+			return checkpoint.IsComposed
+		}
+	}
+	return false
+}
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go
@@ -1,5 +1,12 @@
 package firewallconfigs

+import (
+	"regexp"
+	"strings"
+)
+
+var namedParamReg = regexp.MustCompile(`^\${\s*(.+)\s*}$`)
+
 type HTTPFirewallRule struct {
 	Id                int64                  `yaml:"id" json:"id"`
 	IsOn              bool                   `yaml:"isOn" json:"isOn"`
@@ -15,3 +22,13 @@ func (this *HTTPFirewallRule) Init() error {
 	// TODO 执行更严谨的校验
 	return nil
 }
+
+func (this *HTTPFirewallRule) Prefix() string {
+	result := namedParamReg.FindStringSubmatch(this.Param)
+	if len(result) > 0 {
+		param := result[1]
+		pieces := strings.Split(param, ".")
+		return pieces[0]
+	}
+	return this.Param
+}