From d37054efb5d9b1a014fc7e382d6eba18a7c010d2 Mon Sep 17 00:00:00 2001
From: GoEdgeLab
Date: Sat, 9 Dec 2023 17:02:01 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E8=A7=84=E5=88=99=E6=A8=A1=E6=9D=BF?= =?UTF-8?q?=E4=B8=ADXSS=E6=B3=A8=E5=85=A5=E6=A3=80=E6=B5=8B=E8=A7=84?= =?UTF-8?q?=E5=88=99=E4=BD=BF=E7=94=A8=E2=80=9C=E5=8C=85=E5=90=ABXSS?= =?UTF-8?q?=E6=B3=A8=E5=85=A5=E2=80=9D=E6=93=8D=E4=BD=9C=E7=AC=A6=E6=9B=BF?= =?UTF-8?q?=E4=BB=A3=E4=BB=A5=E5=BE=80=E7=9A=84=E6=AD=A3=E5=88=99=E8=A1=A8?= =?UTF-8?q?=E8=BE=BE=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../firewallconfigs/http_firewall_template.go | 59 +++----------------
 1 file changed, 9 insertions(+), 50 deletions(-)

diff --git a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
index 3f69daf..ed4c51c 100644
--- a/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
+++ b/pkg/serverconfigs/firewallconfigs/http_firewall_template.go
@@ -27,62 +27,21 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 {
 var set = &HTTPFirewallRuleSet{}
 set.IsOn = true
- set.Name = "Javascript事件"
- set.Code = "1001"
+ set.Name = "XSS攻击检测"
+ set.Code = "1010"
 set.Connector = HTTPFirewallRuleConnectorOr
 set.Actions = []*HTTPFirewallActionConfig{
 {
- Code: HTTPFirewallActionBlock,
+ Code: HTTPFirewallActionPage,
+ Options: maps.Map{"status": 403, "body": ""},
 },
 }
 set.AddRule(&HTTPFirewallRule{
 IsOn: true,
- Param: "${requestURI}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `(onmouseover|onmousemove|onmousedown|onmouseup|onerror|onload|onclick|ondblclick|onkeydown|onkeyup|onkeypress)\s*=`, // TODO more keywords here
- IsCaseInsensitive: true,
- })
- group.AddRuleSet(set)
- }
-
- {
- var set = &HTTPFirewallRuleSet{}
- set.IsOn = true
- set.Name = "Javascript函数"
- set.Code = "1002"
- set.Connector = HTTPFirewallRuleConnectorOr
- set.Actions = []*HTTPFirewallActionConfig{
- {
- Code: HTTPFirewallActionBlock,
- },
- }
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${requestURI}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `(alert|eval|prompt|confirm)\s*\(`, // TODO more keywords here
- IsCaseInsensitive: true,
- })
- group.AddRuleSet(set)
- }
-
- {
- var set = &HTTPFirewallRuleSet{}
- set.IsOn = true
- set.Name = "HTML标签"
- set.Code = "1003"
- set.Connector = HTTPFirewallRuleConnectorOr
- set.Actions = []*HTTPFirewallActionConfig{
- {
- Code: HTTPFirewallActionBlock,
- },
- }
- set.AddRule(&HTTPFirewallRule{
- IsOn: true,
- Param: "${requestURI}",
- Operator: HTTPFirewallRuleOperatorMatch,
- Value: `<(script|iframe|link)`, // TODO more keywords here
- IsCaseInsensitive: true,
+ Param: "${requestAll}",
+ Operator: HTTPFirewallRuleOperatorContainsXSS,
+ Value: "",
+ IsCaseInsensitive: false,
 })
 group.AddRuleSet(set)
 }
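Review bot: The new rule carries `Value: ""` and `IsCaseInsensitive: false` next to `Operator: HTTPFirewallRuleOperatorContainsXSS`, which reads as if those two fields tune the detector even though the operator is defined outside this file and presumably ignores both; a comment such as `// ContainsXSS is a built-in detector: Value is unused and case handling is done by the operator itself` would keep a later maintainer from "fixing" them or reintroducing a pattern. Retiring rule-set codes 1001–1003 in favour of 1010 also means any per-set override, exception or log filter keyed on the old codes silently stops applying after upgrade, which the commit message does not mention. Widening the parameter from `${requestURI}` to `${requestAll}` broadens coverage but, if that variable includes request bodies, raises the false-positive risk for legitimate rich-text form submissions, so the 403 page action deserves a note on why it replaces the earlier block action. HTTPFirewallTemplate begins before this hunk and continues after it.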
@@ -273,7 +232,7 @@ func HTTPFirewallTemplate() *HTTPFirewallPolicy {
 {
 var set = &HTTPFirewallRuleSet{}
 set.IsOn = true
- set.Name = "检测SQL注入"
+ set.Name = "SQL注入检测"
 set.Code = "7010"
 set.Connector = HTTPFirewallRuleConnectorOr
 set.Actions = []*HTTPFirewallActionConfig{