EdgeNode/internal/waf/injectionutils/utils_xss.go

// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .

package injectionutils

/*
#cgo CFLAGS: -I./libinjection/src

#include <libinjection.h>
#include <stdlib.h>
*/
import "C"
import (
	"net/url"
	"strings"
	"unsafe"
)

// DetectXSS detect XSS in string
func DetectXSS(input string) bool {
	if len(input) == 0 {
		return false
	}

	if detectXSSOne(input) {
		return true
	}

	// 兼容 /PATH?URI
	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 4096 {
		var argsIndex = strings.Index(input, "?")
		if argsIndex > 0 {
			var args = input[argsIndex+1:]
			unescapeArgs, err := url.QueryUnescape(args)
			if err == nil && args != unescapeArgs {
				return detectXSSOne(args) || detectXSSOne(unescapeArgs)
			} else {
				return detectXSSOne(args)
			}
		}
	}

	return false
}

func detectXSSOne(input string) bool {
	if len(input) == 0 {
		return false
	}

	var cInput = C.CString(input)
	defer C.free(unsafe.Pointer(cInput))

	return C.libinjection_xss(cInput, C.size_t(len(input))) == 1
}
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .`

			`package injectionutils`

			`/*`
			`#cgo CFLAGS: -I./libinjection/src`

			`#include <libinjection.h>`
			`#include <stdlib.h>`
			`*/`
			`import "C"`
			`import (`
			`"net/url"`
			`"strings"`
			`"unsafe"`
			`)`

WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`// DetectXSS detect XSS in string`
			`func DetectXSS(input string) bool {`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`if len(input) == 0 {`
			`return false`
			`}`

WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`if detectXSSOne(input) {`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`return true`
			`}`

			`// 兼容 /PATH?URI`
WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`if (input[0] == '/' \|\| strings.HasPrefix(input, "http://") \|\| strings.HasPrefix(input, "https://")) && len(input) < 4096 {`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`var argsIndex = strings.Index(input, "?")`
			`if argsIndex > 0 {`
			`var args = input[argsIndex+1:]`
			`unescapeArgs, err := url.QueryUnescape(args)`
			`if err == nil && args != unescapeArgs {`
WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`return detectXSSOne(args) \|\| detectXSSOne(unescapeArgs)`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`} else {`
WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`return detectXSSOne(args)`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`}`
			`}`
			`}`

			`return false`
			`}`

WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`func detectXSSOne(input string) bool {`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`if len(input) == 0 {`
			`return false`
			`}`

			`var cInput = C.CString(input)`
			`defer C.free(unsafe.Pointer(cInput))`

WAF增加“包含XSS注入”操作符 2023-12-08 10:15:18 +08:00			`return C.libinjection_xss(cInput, C.size_t(len(input))) == 1`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`}`