From 52e5e550d9aa3b5a9dd4d73d08081e71e5f35289 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Wed, 18 Nov 2020 19:48:27 +0800
Subject: [PATCH] =?UTF-8?q?[WAF]=E8=A7=84=E5=88=99=E4=B8=AD=E5=A2=9E?=
 =?UTF-8?q?=E5=8A=A0=E8=AF=B7=E6=B1=82Header=E9=95=BF=E5=BA=A6=E9=99=90?=
 =?UTF-8?q?=E5=88=B6=E5=92=8C=E5=93=8D=E5=BA=94Header=E9=95=BF=E5=BA=A6?=
 =?UTF-8?q?=E9=99=90=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../http_firewall_checkpoint_definition.go | 13 ++++----
 .../http_firewall_checkpoints.go | 32 ++++++++++++++++---
 .../firewallconfigs/http_firewall_rule.go | 17 ++++++++++
 3 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go
index 787f78d..450a5f6 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoint_definition.go
@@ -14,10 +14,11 @@ func NewKeyValue(name string, value string) *KeyValue {
 
 // check point definition
 type HTTPFirewallCheckpointDefinition struct {
- Name string `json:"name"`
- Description string `json:"description"`
- Prefix string `json:"prefix"`
- IsRequest bool `json:"isRequest"`
- Params []*KeyValue `json:"params"`
- Options []OptionInterface `json:"options"`
+ Name string `json:"name"` // 名称
+ Description string `json:"description"` // 描述
+ Prefix string `json:"prefix"` // 前缀
+ IsRequest bool `json:"isRequest"` // 是否为请求
+ Params []*KeyValue `json:"params"` // 参数
+ Options []OptionInterface `json:"options"` // 选项
+ IsComposed bool `json:"isComposed"` // 是否为组合的checkpoint
 }
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go
index 62473ef..6b8bb62 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_checkpoints.go
@@ -7,6 +7,20 @@ import (
 
 // all check points list
 var AllCheckpoints = []*HTTPFirewallCheckpointDefinition{
+ {
+ Name: "通用请求Header长度限制",
+ Prefix: "requestGeneralHeaderLength",
+ Description: "通用Header比如Cache-Control、Accept之类的长度限制,防止缓冲区溢出攻击",
+ IsRequest: true,
+ IsComposed: true,
+ },
+ {
+ Name: "通用响应Header长度限制",
+ Prefix: "responseGeneralHeaderLength",
+ Description: "通用Header比如Cache-Control、Date之类的长度限制,防止缓冲区溢出攻击",
+ IsRequest: false,
+ IsComposed: true,
+ },
 {
 Name: "客户端地址(IP)",
 Prefix: "remoteAddr",
@@ -268,12 +282,22 @@ var AllCheckpoints = []*HTTPFirewallCheckpointDefinition{
 },
 }
 
-// find a check point definition
+// 查找Checkpoint定义
 func FindCheckpointDefinition(prefix string) *HTTPFirewallCheckpointDefinition {
- for _, def := range AllCheckpoints {
- if def.Prefix == prefix {
- return def
+ for _, checkpoint := range AllCheckpoints {
+ if checkpoint.Prefix == prefix {
+ return checkpoint
 }
 }
 return nil
 }
+
+// 判断Checkpoint是否为组合的
+func CheckCheckpointIsComposed(prefix string) bool {
+ for _, checkpoint := range AllCheckpoints {
+ if checkpoint.Prefix == prefix {
+ return checkpoint.IsComposed
+ }
+ }
+ return false
+}
diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go b/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go
index 6e8e8f5..c08ebc1 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_rule.go
@@ -1,5 +1,12 @@
 package firewallconfigs
 
+import (
+ "regexp"
+ "strings"
+)
+
+var namedParamReg = regexp.MustCompile(`^\${\s*(.+)\s*}$`)
+
 type HTTPFirewallRule struct {
 Id int64 `yaml:"id" json:"id"`
 IsOn bool `yaml:"isOn" json:"isOn"`
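Review bot: Both new `Description` strings in the `AllCheckpoints` hunk justify the limit as preventing buffer-overflow attacks, which misstates the risk for a memory-safe Go proxy: what a header-length cap on Cache-Control, Accept or Date actually bounds is the parsing and memory cost of oversized or abusive headers. Rewording the two descriptions as a limit on oversized general headers would set operator expectations correctly. The entries also set `IsComposed: true` with no `Params`, so where the covered header set and the threshold are configured is presumably decided by whatever consumes `IsComposed`, which this patch does not show; a short comment on the two entries naming that consumer would help the next reader.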
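Review bot: `CheckCheckpointIsComposed` re-implements the lookup loop that `FindCheckpointDefinition` directly above it already provides, so the two can drift if the prefix-matching rule ever changes. Delegating keeps a single lookup: `def := FindCheckpointDefinition(prefix)` then `return def != nil && def.IsComposed`. An unknown prefix still yields false, exactly as the new code does.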
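Review bot: In `namedParamReg` the `\s*` after the capture group is dead: `(.+)` is greedy, so for a constructed value such as `${ remoteAddr }` group 1 is `remoteAddr ` with the trailing space kept, and the `Prefix()` method added in the next hunk returns that string, which no `Prefix` in `AllCheckpoints` will match. Either make the group lazy, `^\${\s*(.+?)\s*}$`, or trim in the consumer with `param := strings.TrimSpace(result[1])`. The leading `\s*` is fine because it is consumed before the group; the regex compiles as written since Go treats a `{` that does not start a valid repetition as a literal.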
@@ -15,3 +22,13 @@ func (this *HTTPFirewallRule) Init() error {
 // TODO 执行更严谨的校验
 return nil
 }
+
+func (this *HTTPFirewallRule) Prefix() string {
+ result := namedParamReg.FindStringSubmatch(this.Param)
+ if len(result) > 0 {
+ param := result[1]
+ pieces := strings.Split(param, ".")
+ return pieces[0]
+ }
+ return this.Param
+}
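Review bot: `Prefix()` has no doc comment, and its contract — the checkpoint prefix is the text before the first `.` inside `${...}`, while a Param not written in that form is returned whole — has to be reverse-engineered from the body by the rule-matching code that calls it. Suggested: `// Prefix returns the checkpoint prefix referenced by Param: the segment before the first dot inside ${...}, or Param itself when it is not wrapped.` The `this` receiver name matches the existing `Init()` above, so it is consistent within the file even though Go convention favors a short receiver name. The leading context is the tail of `Init()`, whose start lies outside the hunk.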