2020-10-08 15:06:42 +08:00
|
|
|
|
package waf
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2024-07-27 15:42:50 +08:00
|
|
|
|
"net/http"
|
|
|
|
|
|
"net/url"
|
|
|
|
|
|
"strings"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
|
2023-11-15 15:10:25 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
|
2021-07-18 15:51:49 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
2024-04-11 16:14:14 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
|
2020-10-08 15:06:42 +08:00
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
2023-11-16 08:44:07 +08:00
|
|
|
|
wafutils "github.com/TeaOSLab/EdgeNode/internal/waf/utils"
|
2024-04-11 16:14:14 +08:00
|
|
|
|
"github.com/iwind/TeaGo/types"
|
2020-10-08 15:06:42 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
CaptchaSeconds = 600 // 10 minutes
|
2021-07-18 15:51:49 +08:00
|
|
|
|
CaptchaPath = "/WAF/VERIFY/CAPTCHA"
|
2020-10-08 15:06:42 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
type CaptchaAction struct {
|
2022-05-21 11:17:53 +08:00
|
|
|
|
BaseAction
|
2022-01-16 16:54:13 +08:00
|
|
|
|
|
2022-05-21 11:17:53 +08:00
|
|
|
|
Life int32 `yaml:"life" json:"life"`
|
|
|
|
|
|
MaxFails int `yaml:"maxFails" json:"maxFails"` // 最大失败次数
|
|
|
|
|
|
FailBlockTimeout int `yaml:"failBlockTimeout" json:"failBlockTimeout"` // 失败拦截时间
|
|
|
|
|
|
FailBlockScopeAll bool `yaml:"failBlockScopeAll" json:"failBlockScopeAll"` // 是否全局有效
|
|
|
|
|
|
|
|
|
|
|
|
CountLetters int8 `yaml:"countLetters" json:"countLetters"`
|
|
|
|
|
|
|
2023-11-15 15:10:25 +08:00
|
|
|
|
CaptchaType firewallconfigs.CaptchaType `yaml:"captchaType" json:"captchaType"`
|
|
|
|
|
|
|
2022-05-21 11:17:53 +08:00
|
|
|
|
UIIsOn bool `yaml:"uiIsOn" json:"uiIsOn"` // 是否使用自定义UI
|
|
|
|
|
|
UITitle string `yaml:"uiTitle" json:"uiTitle"` // 消息标题
|
|
|
|
|
|
UIPrompt string `yaml:"uiPrompt" json:"uiPrompt"` // 消息提示
|
|
|
|
|
|
UIButtonTitle string `yaml:"uiButtonTitle" json:"uiButtonTitle"` // 按钮标题
|
|
|
|
|
|
UIShowRequestId bool `yaml:"uiShowRequestId" json:"uiShowRequestId"` // 是否显示请求ID
|
|
|
|
|
|
UICss string `yaml:"uiCss" json:"uiCss"` // CSS样式
|
|
|
|
|
|
UIFooter string `yaml:"uiFooter" json:"uiFooter"` // 页脚
|
|
|
|
|
|
UIBody string `yaml:"uiBody" json:"uiBody"` // 内容轮廓
|
|
|
|
|
|
|
2023-11-15 15:10:25 +08:00
|
|
|
|
OneClickUIIsOn bool `yaml:"oneClickUIIsOn" json:"oneClickUIIsOn"` // 是否使用自定义UI
|
|
|
|
|
|
OneClickUITitle string `yaml:"oneClickUITitle" json:"oneClickUITitle"` // 消息标题
|
|
|
|
|
|
OneClickUIPrompt string `yaml:"oneClickUIPrompt" json:"oneClickUIPrompt"` // 消息提示
|
|
|
|
|
|
OneClickUIShowRequestId bool `yaml:"oneClickUIShowRequestId" json:"oneClickUIShowRequestId"` // 是否显示请求ID
|
|
|
|
|
|
OneClickUICss string `yaml:"oneClickUICss" json:"oneClickUICss"` // CSS样式
|
|
|
|
|
|
OneClickUIFooter string `yaml:"oneClickUIFooter" json:"oneClickUIFooter"` // 页脚
|
|
|
|
|
|
OneClickUIBody string `yaml:"oneClickUIBody" json:"oneClickUIBody"` // 内容轮廓
|
|
|
|
|
|
|
|
|
|
|
|
SlideUIIsOn bool `yaml:"sliceUIIsOn" json:"sliceUIIsOn"` // 是否使用自定义UI
|
|
|
|
|
|
SlideUITitle string `yaml:"slideUITitle" json:"slideUITitle"` // 消息标题
|
|
|
|
|
|
SlideUIPrompt string `yaml:"slideUIPrompt" json:"slideUIPrompt"` // 消息提示
|
|
|
|
|
|
SlideUIShowRequestId bool `yaml:"SlideUIShowRequestId" json:"SlideUIShowRequestId"` // 是否显示请求ID
|
|
|
|
|
|
SlideUICss string `yaml:"slideUICss" json:"slideUICss"` // CSS样式
|
|
|
|
|
|
SlideUIFooter string `yaml:"slideUIFooter" json:"slideUIFooter"` // 页脚
|
|
|
|
|
|
SlideUIBody string `yaml:"slideUIBody" json:"slideUIBody"` // 内容轮廓
|
|
|
|
|
|
|
2023-11-29 17:00:06 +08:00
|
|
|
|
GeeTestConfig *firewallconfigs.GeeTestConfig `yaml:"geeTestConfig" json:"geeTestConfig"` // 极验设置 MUST be struct
|
|
|
|
|
|
|
2022-05-21 11:17:53 +08:00
|
|
|
|
Lang string `yaml:"lang" json:"lang"` // 语言,zh-CN, en-US ...
|
2021-07-18 15:51:49 +08:00
|
|
|
|
AddToWhiteList bool `yaml:"addToWhiteList" json:"addToWhiteList"` // 是否加入到白名单
|
2021-10-18 20:08:43 +08:00
|
|
|
|
Scope string `yaml:"scope" json:"scope"`
|
2020-10-08 15:06:42 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-07-18 15:51:49 +08:00
|
|
|
|
func (this *CaptchaAction) Init(waf *WAF) error {
|
2022-05-21 11:17:53 +08:00
|
|
|
|
if waf.DefaultCaptchaAction != nil {
|
|
|
|
|
|
if this.Life <= 0 {
|
|
|
|
|
|
this.Life = waf.DefaultCaptchaAction.Life
|
|
|
|
|
|
}
|
|
|
|
|
|
if this.MaxFails <= 0 {
|
|
|
|
|
|
this.MaxFails = waf.DefaultCaptchaAction.MaxFails
|
|
|
|
|
|
}
|
|
|
|
|
|
if this.FailBlockTimeout <= 0 {
|
|
|
|
|
|
this.FailBlockTimeout = waf.DefaultCaptchaAction.FailBlockTimeout
|
|
|
|
|
|
}
|
|
|
|
|
|
this.FailBlockScopeAll = waf.DefaultCaptchaAction.FailBlockScopeAll
|
|
|
|
|
|
|
|
|
|
|
|
if this.CountLetters <= 0 {
|
|
|
|
|
|
this.CountLetters = waf.DefaultCaptchaAction.CountLetters
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
this.UIIsOn = waf.DefaultCaptchaAction.UIIsOn
|
|
|
|
|
|
if len(this.UITitle) == 0 {
|
|
|
|
|
|
this.UITitle = waf.DefaultCaptchaAction.UITitle
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(this.UIPrompt) == 0 {
|
|
|
|
|
|
this.UIPrompt = waf.DefaultCaptchaAction.UIPrompt
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(this.UIButtonTitle) == 0 {
|
|
|
|
|
|
this.UIButtonTitle = waf.DefaultCaptchaAction.UIButtonTitle
|
|
|
|
|
|
}
|
|
|
|
|
|
this.UIShowRequestId = waf.DefaultCaptchaAction.UIShowRequestId
|
|
|
|
|
|
if len(this.UICss) == 0 {
|
|
|
|
|
|
this.UICss = waf.DefaultCaptchaAction.UICss
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(this.UIFooter) == 0 {
|
|
|
|
|
|
this.UIFooter = waf.DefaultCaptchaAction.UIFooter
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(this.UIBody) == 0 {
|
|
|
|
|
|
this.UIBody = waf.DefaultCaptchaAction.UIBody
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(this.Lang) == 0 {
|
|
|
|
|
|
this.Lang = waf.DefaultCaptchaAction.Lang
|
|
|
|
|
|
}
|
2023-11-15 15:10:25 +08:00
|
|
|
|
|
|
|
|
|
|
if len(this.CaptchaType) == 0 {
|
|
|
|
|
|
this.CaptchaType = waf.DefaultCaptchaAction.CaptchaType
|
|
|
|
|
|
}
|
2022-05-21 11:17:53 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-07-18 15:51:49 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *CaptchaAction) Code() string {
|
|
|
|
|
|
return ActionCaptcha
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *CaptchaAction) IsAttack() bool {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (this *CaptchaAction) WillChange() bool {
|
|
|
|
|
|
return true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-01-20 20:54:41 +08:00
|
|
|
|
func (this *CaptchaAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req requests.Request, writer http.ResponseWriter) PerformResult {
|
2021-07-18 15:51:49 +08:00
|
|
|
|
// 是否在白名单中
|
2023-11-16 08:44:07 +08:00
|
|
|
|
if SharedIPWhiteList.Contains(wafutils.ComposeIPType(set.Id, req), this.Scope, req.WAFServerId(), req.WAFRemoteIP()) {
|
2024-01-20 20:54:41 +08:00
|
|
|
|
return PerformResult{
|
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-04-11 16:14:14 +08:00
|
|
|
|
// 检查Cookie值
|
|
|
|
|
|
var fullCookieName = captchaCookiePrefix + "_" + types.String(set.Id)
|
|
|
|
|
|
cookie, err := req.WAFRaw().Cookie(fullCookieName)
|
|
|
|
|
|
if err == nil && cookie != nil && len(cookie.Value) > 0 {
|
|
|
|
|
|
var info = &AllowCookieInfo{}
|
|
|
|
|
|
err = info.Decode(cookie.Value)
|
|
|
|
|
|
if err == nil && set.Id == info.SetId && info.ExpiresAt > fasttime.Now().Unix() {
|
|
|
|
|
|
// 重新记录到白名单
|
|
|
|
|
|
SharedIPWhiteList.RecordIP(wafutils.ComposeIPType(set.Id, req), this.Scope, req.WAFServerId(), req.WAFRemoteIP(), info.ExpiresAt, waf.Id, false, group.Id, set.Id, "")
|
|
|
|
|
|
|
|
|
|
|
|
return PerformResult{
|
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-05-21 20:02:35 +08:00
|
|
|
|
var refURL = req.WAFRaw().URL.String()
|
2021-07-18 15:51:49 +08:00
|
|
|
|
|
|
|
|
|
|
// 覆盖配置
|
|
|
|
|
|
if strings.HasPrefix(refURL, CaptchaPath) {
|
2024-04-07 14:31:22 +08:00
|
|
|
|
var info = req.WAFRaw().URL.Query().Get("info")
|
2021-07-18 15:51:49 +08:00
|
|
|
|
if len(info) > 0 {
|
2024-04-07 14:31:22 +08:00
|
|
|
|
var oldArg = &InfoArg{}
|
|
|
|
|
|
decodeErr := oldArg.Decode(info)
|
|
|
|
|
|
if decodeErr == nil && oldArg.IsValid() {
|
|
|
|
|
|
refURL = oldArg.URL
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// 兼容老版本
|
|
|
|
|
|
m, err := utils.SimpleDecryptMap(info)
|
|
|
|
|
|
if err == nil && m != nil {
|
|
|
|
|
|
refURL = m.GetString("url")
|
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
|
}
|
2020-10-08 15:06:42 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-04-07 14:31:22 +08:00
|
|
|
|
var captchaConfig = &InfoArg{
|
|
|
|
|
|
ActionId: this.ActionId(),
|
|
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
|
|
URL: refURL,
|
|
|
|
|
|
PolicyId: waf.Id,
|
|
|
|
|
|
GroupId: group.Id,
|
|
|
|
|
|
SetId: set.Id,
|
|
|
|
|
|
UseLocalFirewall: waf.UseLocalFirewall && (this.FailBlockScopeAll || this.Scope == firewallconfigs.AllowScopeGlobal),
|
2021-07-18 15:51:49 +08:00
|
|
|
|
}
|
2024-04-07 14:31:22 +08:00
|
|
|
|
info, err := utils.SimpleEncryptObject(captchaConfig)
|
2021-07-18 15:51:49 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
remotelogs.Error("WAF_CAPTCHA_ACTION", "encode captcha config failed: "+err.Error())
|
2024-01-20 20:54:41 +08:00
|
|
|
|
return PerformResult{
|
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
|
}
|
2020-10-08 15:06:42 +08:00
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
|
|
2022-05-21 20:02:35 +08:00
|
|
|
|
// 占用一次失败次数
|
2024-04-07 14:31:22 +08:00
|
|
|
|
CaptchaIncreaseFails(req, this, waf.Id, group.Id, set.Id, CaptchaPageCodeInit, waf.UseLocalFirewall && (this.FailBlockScopeAll || this.Scope == firewallconfigs.FirewallScopeGlobal))
|
2022-05-21 20:02:35 +08:00
|
|
|
|
|
2023-12-03 14:41:11 +08:00
|
|
|
|
req.DisableStat()
|
2023-06-12 18:07:07 +08:00
|
|
|
|
req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
|
2024-04-07 14:31:22 +08:00
|
|
|
|
http.Redirect(writer, req.WAFRaw(), CaptchaPath+"?info="+url.QueryEscape(info)+"&from="+url.QueryEscape(refURL), http.StatusTemporaryRedirect)
|
2020-10-08 15:06:42 +08:00
|
|
|
|
|
2024-01-20 20:54:41 +08:00
|
|
|
|
return PerformResult{}
|
2020-10-08 15:06:42 +08:00
|
|
|
|
}
|
