2021-07-18 15:51:49 +08:00
|
|
|
package waf
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
|
|
|
|
"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
|
2021-11-16 16:11:05 +08:00
|
|
|
"github.com/iwind/TeaGo/types"
|
2023-03-06 16:10:58 +08:00
|
|
|
"io"
|
2021-07-18 15:51:49 +08:00
|
|
|
"net/http"
|
|
|
|
|
"time"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type Post307Action struct {
|
2021-10-18 20:08:43 +08:00
|
|
|
Life int32 `yaml:"life" json:"life"`
|
|
|
|
|
Scope string `yaml:"scope" json:"scope"`
|
2021-07-18 15:51:49 +08:00
|
|
|
|
|
|
|
|
BaseAction
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (this *Post307Action) Init(waf *WAF) error {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (this *Post307Action) Code() string {
|
|
|
|
|
return ActionPost307
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (this *Post307Action) IsAttack() bool {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (this *Post307Action) WillChange() bool {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-20 20:54:41 +08:00
|
|
|
func (this *Post307Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) PerformResult {
|
2024-04-07 14:31:22 +08:00
|
|
|
const cookieName = "WAF_VALIDATOR_ID"
|
2021-07-18 15:51:49 +08:00
|
|
|
|
|
|
|
|
// 仅限于POST
|
|
|
|
|
if request.WAFRaw().Method != http.MethodPost {
|
2024-01-20 20:54:41 +08:00
|
|
|
return PerformResult{
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 是否已经在白名单中
|
2021-11-16 16:11:05 +08:00
|
|
|
if SharedIPWhiteList.Contains("set:"+types.String(set.Id), this.Scope, request.WAFServerId(), request.WAFRemoteIP()) {
|
2024-01-20 20:54:41 +08:00
|
|
|
return PerformResult{
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 判断是否有Cookie
|
2024-04-07 14:31:22 +08:00
|
|
|
cookie, cookieErr := request.WAFRaw().Cookie(cookieName)
|
|
|
|
|
if cookieErr == nil && cookie != nil {
|
|
|
|
|
var remoteIP string
|
|
|
|
|
var life int64
|
|
|
|
|
var setId int64
|
|
|
|
|
var policyId int64
|
|
|
|
|
var groupId int64
|
|
|
|
|
var timestamp int64
|
|
|
|
|
|
|
|
|
|
var infoArg = &InfoArg{}
|
|
|
|
|
var success bool
|
|
|
|
|
decodeErr := infoArg.Decode(cookie.Value)
|
|
|
|
|
if decodeErr == nil && infoArg.IsValid() {
|
|
|
|
|
success = true
|
|
|
|
|
|
|
|
|
|
remoteIP = infoArg.RemoteIP
|
|
|
|
|
life = int64(infoArg.Life)
|
|
|
|
|
setId = infoArg.SetId
|
|
|
|
|
policyId = infoArg.PolicyId
|
|
|
|
|
groupId = infoArg.GroupId
|
|
|
|
|
timestamp = infoArg.Timestamp
|
|
|
|
|
} else {
|
|
|
|
|
// 兼容老版本
|
|
|
|
|
m, decodeMapErr := utils.SimpleDecryptMap(cookie.Value)
|
|
|
|
|
if decodeMapErr == nil {
|
|
|
|
|
success = true
|
|
|
|
|
|
|
|
|
|
remoteIP = m.GetString("remoteIP")
|
|
|
|
|
timestamp = m.GetInt64("timestamp")
|
|
|
|
|
life = m.GetInt64("life")
|
|
|
|
|
setId = m.GetInt64("setId")
|
|
|
|
|
groupId = m.GetInt64("groupId")
|
|
|
|
|
policyId = m.GetInt64("policyId")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if success && remoteIP == request.WAFRemoteIP() && time.Now().Unix() < timestamp+10 {
|
2021-07-18 15:51:49 +08:00
|
|
|
if life <= 0 {
|
|
|
|
|
life = 600 // 默认10分钟
|
|
|
|
|
}
|
2024-04-07 14:31:22 +08:00
|
|
|
SharedIPWhiteList.RecordIP("set:"+types.String(setId), this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, policyId, false, groupId, setId, "")
|
2024-01-20 20:54:41 +08:00
|
|
|
return PerformResult{
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-07 14:31:22 +08:00
|
|
|
var m = &InfoArg{
|
|
|
|
|
Timestamp: time.Now().Unix(),
|
|
|
|
|
Life: this.Life,
|
|
|
|
|
Scope: this.Scope,
|
|
|
|
|
PolicyId: waf.Id,
|
|
|
|
|
GroupId: group.Id,
|
|
|
|
|
SetId: set.Id,
|
|
|
|
|
RemoteIP: request.WAFRemoteIP(),
|
|
|
|
|
UseLocalFirewall: false,
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
2024-04-07 14:31:22 +08:00
|
|
|
info, err := utils.SimpleEncryptObject(m)
|
2021-07-18 15:51:49 +08:00
|
|
|
if err != nil {
|
2023-03-06 16:10:58 +08:00
|
|
|
remotelogs.Error("WAF_POST_307_ACTION", "encode info failed: "+err.Error())
|
2024-01-20 20:54:41 +08:00
|
|
|
return PerformResult{
|
|
|
|
|
ContinueRequest: true,
|
|
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
|
|
|
|
|
2023-03-06 16:10:58 +08:00
|
|
|
// 清空请求内容
|
|
|
|
|
var req = request.WAFRaw()
|
|
|
|
|
if req.ContentLength > 0 && req.Body != nil {
|
2024-04-15 12:20:31 +08:00
|
|
|
var buf = utils.BytePool16k.Get()
|
|
|
|
|
_, _ = io.CopyBuffer(io.Discard, req.Body, buf.Bytes)
|
|
|
|
|
utils.BytePool16k.Put(buf)
|
2023-03-06 16:27:06 +08:00
|
|
|
_ = req.Body.Close()
|
2023-03-06 16:10:58 +08:00
|
|
|
}
|
|
|
|
|
|
2021-07-18 15:51:49 +08:00
|
|
|
// 设置Cookie
|
|
|
|
|
http.SetCookie(writer, &http.Cookie{
|
|
|
|
|
Name: cookieName,
|
|
|
|
|
Path: "/",
|
|
|
|
|
MaxAge: 10,
|
|
|
|
|
Value: info,
|
|
|
|
|
})
|
|
|
|
|
|
2023-12-03 14:41:11 +08:00
|
|
|
request.DisableStat()
|
2023-06-12 18:07:07 +08:00
|
|
|
request.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
|
2021-07-18 15:51:49 +08:00
|
|
|
http.Redirect(writer, request.WAFRaw(), request.WAFRaw().URL.String(), http.StatusTemporaryRedirect)
|
|
|
|
|
|
2023-03-06 16:10:58 +08:00
|
|
|
flusher, ok := writer.(http.Flusher)
|
|
|
|
|
if ok {
|
|
|
|
|
flusher.Flush()
|
2021-07-26 14:33:06 +08:00
|
|
|
}
|
2021-07-18 15:51:49 +08:00
|
|
|
|
2024-01-20 20:54:41 +08:00
|
|
|
return PerformResult{}
|
2021-07-18 15:51:49 +08:00
|
|
|
}
|
