From 50c6c60abf63db3decfa95a138b10c0956e0f48b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Thu, 7 Dec 2023 20:38:06 +0800
Subject: [PATCH] =?UTF-8?q?WAF=20SQL=E6=B3=A8=E5=85=A5=E6=A3=80=E6=B5=8B?=
 =?UTF-8?q?=E6=97=B6=E6=94=AF=E6=8C=81=20(http|https)://=20=E5=BC=80?=
 =?UTF-8?q?=E5=A4=B4=E7=9A=84URL?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/waf/injectionutils/utils.go | 2 +-
 internal/waf/injectionutils/utils_test.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/waf/injectionutils/utils.go b/internal/waf/injectionutils/utils.go
index a1c5178..7b1f3e2 100644
--- a/internal/waf/injectionutils/utils.go
+++ b/internal/waf/injectionutils/utils.go
@@ -27,7 +27,7 @@ func DetectSQLInjection(input string) bool {
 	}
 
 	// 兼容 /PATH?URI
-	if input[0] == '/' {
+	if input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://") {
 		var argsIndex = strings.Index(input, "?")
 		if argsIndex > 0 {
 			var args = input[argsIndex+1:]
diff --git a/internal/waf/injectionutils/utils_test.go b/internal/waf/injectionutils/utils_test.go
index bffa728..aa67452 100644
--- a/internal/waf/injectionutils/utils_test.go
+++ b/internal/waf/injectionutils/utils_test.go
@@ -21,6 +21,7 @@ func TestDetectSQLInjection(t *testing.T) {
 	a.IsFalse(injectionutils.DetectSQLInjection("/hello?age=22"))
 	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))
 	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))
+	a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))
 }
 
 func BenchmarkDetectSQLInjection(b *testing.B) {
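Review bot: The new scheme check in the utils.go hunk is byte-exact, so an input such as `HTTP://host/path?id=...` does not enter the query-string branch even though URL schemes are case-insensitive, and whether the rest of DetectSQLInjection still decodes and inspects the `%20`-encoded arguments in that case is not visible in the hunk (the function body starts and continues outside it). A case-insensitive prefix test keeps the intent without widening the match: `isURL := len(input) >= 7 && (strings.EqualFold(input[:7], "http://") || (len(input) >= 8 && strings.EqualFold(input[:8], "https://")))` followed by `if input[0] == '/' || isURL {`. The comment above the condition still reads `// 兼容 /PATH?URI`; it should now say `// also accepts absolute http(s)://HOST/PATH?URI, not only /PATH?URI`. The utils_test.go hunk only adds the lowercase `https://` case; a mixed-case scheme assertion would pin the chosen behaviour either way.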