实现WAF

2026-01-04 22:47:17 +08:00 · 2020-10-08 15:06:42 +08:00
parent 6d2f18387f
commit 04b9a65d4d
110 changed files with 8179 additions and 3 deletions
--- a/internal/waf/utils/utils.go
+++ b/internal/waf/utils/utils.go
@@ -0,0 +1,56 @@
+package utils
+
+import (
+	"fmt"
+	"github.com/TeaOSLab/EdgeNode/internal/grids"
+	"github.com/TeaOSLab/EdgeNode/internal/utils"
+	"github.com/dchest/siphash"
+	"regexp"
+	"strconv"
+)
+
+var grid = grids.NewGrid(32, grids.NewLimitCountOpt(1000_0000))
+
+// 正则表达式匹配字符串，并缓存结果
+func MatchStringCache(regex *regexp.Regexp, s string) bool {
+	// 如果长度超过4096，大概率是不能重用的
+	if len(s) > 4096 {
+		return regex.MatchString(s)
+	}
+
+	hash := siphash.Hash(0, 0, utils.UnsafeStringToBytes(s))
+	key := []byte(fmt.Sprintf("%p_", regex) + strconv.FormatUint(hash, 10))
+	item := grid.Read(key)
+	if item != nil {
+		return item.ValueInt64 == 1
+	}
+	b := regex.MatchString(s)
+	if b {
+		grid.WriteInt64(key, 1, 1800)
+	} else {
+		grid.WriteInt64(key, 0, 1800)
+	}
+	return b
+}
+
+// 正则表达式匹配字节slice，并缓存结果
+func MatchBytesCache(regex *regexp.Regexp, byteSlice []byte) bool {
+	// 如果长度超过4096，大概率是不能重用的
+	if len(byteSlice) > 4096 {
+		return regex.Match(byteSlice)
+	}
+
+	hash := siphash.Hash(0, 0, byteSlice)
+	key := []byte(fmt.Sprintf("%p_", regex) + strconv.FormatUint(hash, 10))
+	item := grid.Read(key)
+	if item != nil {
+		return item.ValueInt64 == 1
+	}
+	b := regex.Match(byteSlice)
+	if b {
+		grid.WriteInt64(key, 1, 1800)
+	} else {
+		grid.WriteInt64(key, 0, 1800)
+	}
+	return b
+}
--- a/internal/waf/utils/utils_test.go
+++ b/internal/waf/utils/utils_test.go
@@ -0,0 +1,57 @@
+package utils
+
+import (
+	"net/http"
+	"regexp"
+	"strconv"
+	"strings"
+	"testing"
+)
+
+func TestMatchStringCache(t *testing.T) {
+	regex := regexp.MustCompile(`\d+`)
+	t.Log(MatchStringCache(regex, "123"))
+	t.Log(MatchStringCache(regex, "123"))
+	t.Log(MatchStringCache(regex, "123"))
+}
+
+func TestMatchBytesCache(t *testing.T) {
+	regex := regexp.MustCompile(`\d+`)
+	t.Log(MatchBytesCache(regex, []byte("123")))
+	t.Log(MatchBytesCache(regex, []byte("123")))
+	t.Log(MatchBytesCache(regex, []byte("123")))
+}
+
+func TestMatchRemoteCache(t *testing.T) {
+	client := http.Client{}
+	for i := 0; i < 200_0000; i++ {
+		req, err := http.NewRequest(http.MethodGet, "http://192.168.2.30:8882/?arg="+strconv.Itoa(i), nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req.Header.Set("User-Agent", "GoTest/"+strconv.Itoa(i))
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Fatal(err)
+		}
+		_ = resp.Body.Close()
+	}
+}
+
+func BenchmarkMatchStringCache(b *testing.B) {
+	data := strings.Repeat("HELLO", 512)
+	regex := regexp.MustCompile(`(?iU)\b(eval|system|exec|execute|passthru|shell_exec|phpinfo)\b`)
+
+	for i := 0; i < b.N; i++ {
+		_ = MatchStringCache(regex, data)
+	}
+}
+
+func BenchmarkMatchStringCache_WithoutCache(b *testing.B) {
+	data := strings.Repeat("HELLO", 512)
+	regex := regexp.MustCompile(`(?iU)\b(eval|system|exec|execute|passthru|shell_exec|phpinfo)\b`)
+
+	for i := 0; i < b.N; i++ {
+		_ = regex.MatchString(data)
+	}
+}