优化XSS检测的模式

2025-11-04 07:40:56 +08:00 · 2024-01-16 19:56:04 +08:00
parent 5eb247b999
commit 35e7ce1435
3 changed files with 44 additions and 13 deletions
--- a/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection/src/libinjection_xss.c
@@ -15,7 +15,7 @@ typedef enum attribute {
 } attribute_t;


-static attribute_t is_black_attr(const char* s, size_t len);
+static attribute_t is_black_attr(const char* s, size_t len, int strictMode);
 static int is_black_tag(const char* s, size_t len, int strictMode);
 static int is_black_url(const char* s, size_t len);
 static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
@@ -451,7 +451,7 @@ static stringtype_t BLACKATTREVENT[] = {
 * data:
 * javascript:
 */
-static stringtype_t BLACKATTR[] = {
+static stringtype_t STRICT_BLACKATTR[] = {
    { "ACTION", TYPE_ATTR_URL }     /* form */
    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
    , { "BY", TYPE_ATTR_URL }         /* SVG */
@@ -475,6 +475,31 @@ static stringtype_t BLACKATTR[] = {
    , { NULL, TYPE_NONE }
 };

+static stringtype_t BLACKATTR[] = {
+    { "ACTION", TYPE_ATTR_URL }     /* form */
+    , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
+    , { "BY", TYPE_ATTR_URL }         /* SVG */
+    , { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
+    , { "DATAFORMATAS", TYPE_BLACK }  /* IE */
+    , { "DATASRC", TYPE_BLACK }       /* IE */
+    , { "DYNSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "FILTER", TYPE_STYLE }        /* Opera, SVG inline style */
+    , { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
+    , { "FOLDER", TYPE_ATTR_URL }     /* Only on A tags, IE-only */
+    , { "FROM", TYPE_ATTR_URL }       /* SVG */
+    , { "HANDLER", TYPE_ATTR_URL }    /* SVG Tiny, Opera */
+    , { "HREF", TYPE_ATTR_URL }
+    , { "LOWSRC", TYPE_ATTR_URL }     /* Obsolete img attribute */
+    , { "POSTER", TYPE_ATTR_URL }     /* Opera 10,11 */
+    , { "SRC", TYPE_ATTR_URL }
+    , { "TO", TYPE_ATTR_URL }         /* SVG */
+    , { "VALUES", TYPE_ATTR_URL }     /* SVG */
+    , { "XLINK:HREF", TYPE_ATTR_URL }
+    , { NULL, TYPE_NONE }
+};
+
+
+
 /* xmlns */
 /* `xml-stylesheet` > <eval>, <if expr=> */

@@ -674,7 +699,7 @@ static int is_black_tag(const char* s, size_t len, int strictMode)
    return 0;
 }

-static attribute_t is_black_attr(const char* s, size_t len)
+static attribute_t is_black_attr(const char* s, size_t len, int strictMode)
 {
    stringtype_t* black;

@@ -706,7 +731,11 @@ static attribute_t is_black_attr(const char* s, size_t len)
        //}
    }

-    black = BLACKATTR;
+	if (strictMode == 1) {
+    	black = STRICT_BLACKATTR;
+    } else {
+    	black = BLACKATTR;
+    }
    while (black->name != NULL) {
        if (cstrcasecmp_with_null(black->name, s, len) == 0) {
            /*      printf("Got banned attribute name %s\n", black->name); */
@@ -779,7 +808,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode)
                return 1;
            }
        } else if (h5.token_type == ATTR_NAME) {
-            attr = is_black_attr(h5.token_start, h5.token_len);
+            attr = is_black_attr(h5.token_start, h5.token_len, strictMode);
        } else if (h5.token_type == ATTR_VALUE) {
            /*
             * IE6,7,8 parsing works a bit differently so
@@ -810,7 +839,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode)
                return 1;
            case TYPE_ATTR_INDIRECT:
                /* an attribute name is specified in a _value_ */
-                if (is_black_attr(h5.token_start, h5.token_len)) {
+                if (is_black_attr(h5.token_start, h5.token_len, strictMode)) {
                    return 1;
                }
                break;
--- a/internal/waf/injectionutils/libinjection_xss.c
+++ b/internal/waf/injectionutils/libinjection_xss.c
@@ -3,4 +3,4 @@
 #include "libinjection/src/libinjection_xss.c"
 #include "libinjection/src/libinjection_html5.c"

-#define GOEDGE_VERSION "24" // last version is for GoEdge change
+#define GOEDGE_VERSION "25" // last version is for GoEdge change
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -32,16 +32,18 @@ func TestDetectXSS(t *testing.T) {
      </rdf:Description>
   </rdf:RDF>
 </x:xmpmeta>`, true)) // included in some photo files
-	a.IsFalse(injectionutils.DetectXSS(`<xml>
-  
-</xml>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
 }

 func TestDetectXSS_Strict(t *testing.T) {
 	var a = assert.NewAssertion(t)
-	a.IsFalse(injectionutils.DetectXSS(`<xml>
-  
-</xml>`, false))
+	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
+	a.IsTrue(injectionutils.DetectXSS(`<xml></xml>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<img src=\"\"/>`, false))
+	a.IsFalse(injectionutils.DetectXSS(`<img src=\"test.jpg\"/>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<a href="aaaa"></a>`, true))
+	a.IsFalse(injectionutils.DetectXSS(`<span style="color: red"></span>`, false))
+	a.IsTrue(injectionutils.DetectXSS(`<span style="color: red"></span>`, true))
 }

 func BenchmarkDetectXSS_MISS(b *testing.B) {