TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-11-04 07:40:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

优化WAF XSS检测,减少对图片内容的误判

Browse Source
This commit is contained in:
刘祥超
2023-12-10 19:40:29 +08:00
parent 16e7cd800c
commit 525ce1f923
3 changed files with 18 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/waf/injectionutils/libinjection/src/libinjection_xss.c
View File

@@ -667,10 +667,11 @@ static attribute_t is_black_attr(const char* s, size_t len)
/* XMLNS can be used to create arbitrary tags */ /* XMLNS can be used to create arbitrary tags */
if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) { // goedge: commented for photo uploading
//if (cstrcasecmp_with_null("XMLNS", s, 5) == 0 || cstrcasecmp_with_null("XLINK", s, 5) == 0) {
/* printf("Got XMLNS and XLINK tags\n"); */ /* printf("Got XMLNS and XLINK tags\n"); */
return TYPE_BLACK; // return TYPE_BLACK;
} //}
} }
black = BLACKATTR; black = BLACKATTR;
@@ -789,9 +790,10 @@ int libinjection_is_xss(const char* s, size_t len, int flags)
attr = TYPE_NONE; attr = TYPE_NONE;
} else if (h5.token_type == TAG_COMMENT) { } else if (h5.token_type == TAG_COMMENT) {
/* IE uses a "`" as a tag ending char */ /* IE uses a "`" as a tag ending char */
if (memchr(h5.token_start, '`', h5.token_len) != NULL) { // goedge: commented for photo uploading
/**if (memchr(h5.token_start, '`', h5.token_len) != NULL) {
return 1; return 1;
} }**/
/* IE conditional comment */ /* IE conditional comment */
if (h5.token_len > 3) { if (h5.token_len > 3) {

4
internal/waf/injectionutils/libinjection_xss.c
View File

@@ -1,4 +1,6 @@
#define LIBINJECTION_VERSION "3.9.1" #define LIBINJECTION_VERSION "3.9.1"
#include "libinjection/src/libinjection_xss.c" #include "libinjection/src/libinjection_xss.c"
#include "libinjection/src/libinjection_html5.c" #include "libinjection/src/libinjection_html5.c"
#define GOEDGE_VERSION "23" // last version is for GoEdge change

8
internal/waf/injectionutils/utils_xss_test.go
View File

@@ -24,6 +24,14 @@ func TestDetectXSS(t *testing.T) {
a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>")) a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>"))
a.IsFalse(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>")) a.IsFalse(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>"))
a.IsTrue(injectionutils.DetectXSS("name=s&description=%3Cscript+src%3D%22a.js%22%3Edddd%3C%2Fscript%3E")) a.IsTrue(injectionutils.DetectXSS("name=s&description=%3Cscript+src%3D%22a.js%22%3Edddd%3C%2Fscript%3E"))
a.IsFalse(injectionutils.DetectXSS(`<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about=""
xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
<tiff:Orientation>1</tiff:Orientation>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>`)) // included in some photo files
} }
func BenchmarkDetectXSS_MISS(b *testing.B) { func BenchmarkDetectXSS_MISS(b *testing.B) {