WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例

2026-04-08 14:45:20 +08:00 · 2023-12-09 11:46:50 +08:00
parent 86ab242f68
commit 5a7247b8be
12 changed files with 325 additions and 567 deletions
--- a/internal/waf/injectionutils/utils_sqli.go
+++ b/internal/waf/injectionutils/utils_sqli.go
@@ -10,11 +10,43 @@ package injectionutils
 */
 import "C"
 import (
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
+	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
+	"github.com/cespare/xxhash/v2"
 	"net/url"
+	"strconv"
 	"strings"
 	"unsafe"
 )

+// DetectSQLInjectionCache detect sql injection in string with cache
+func DetectSQLInjectionCache(input string, cacheLife utils.CacheLife) bool {
+	var l = len(input)
+
+	if l == 0 {
+		return false
+	}
+
+	if cacheLife <= 0 || l < 128 || l > utils.MaxCacheDataSize {
+		return DetectSQLInjection(input)
+	}
+
+	var hash = xxhash.Sum64String(input)
+	var key = "WAF@SQLI@" + strconv.FormatUint(hash, 10)
+	var item = utils.SharedCache.Read(key)
+	if item != nil {
+		return item.Value == 1
+	}
+
+	var result = DetectSQLInjection(input)
+	if result {
+		utils.SharedCache.Write(key, 1, fasttime.Now().Unix()+cacheLife)
+	} else {
+		utils.SharedCache.Write(key, 0, fasttime.Now().Unix()+cacheLife)
+	}
+	return result
+}
+
 // DetectSQLInjection detect sql injection in string
 func DetectSQLInjection(input string) bool {
 	if len(input) == 0 {
@@ -26,7 +58,7 @@ func DetectSQLInjection(input string) bool {
 	}

 	// 兼容 /PATH?URI
-	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 4096 {
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 1024 {
 		var argsIndex = strings.Index(input, "?")
 		if argsIndex > 0 {
 			var args = input[argsIndex+1:]
--- a/internal/waf/injectionutils/utils_sqli_test.go
+++ b/internal/waf/injectionutils/utils_sqli_test.go
@@ -4,8 +4,12 @@ package injectionutils_test

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
+	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/assert"
+	"github.com/iwind/TeaGo/rands"
+	"github.com/iwind/TeaGo/types"
 	"runtime"
+	"strings"
 	"testing"
 )

@@ -23,6 +27,7 @@ func TestDetectSQLInjection(t *testing.T) {
 	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))
 	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))
 	a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))
+	a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1"))
 }

 func BenchmarkDetectSQLInjection(b *testing.B) {
@@ -45,6 +50,71 @@ func BenchmarkDetectSQLInjection_URL(b *testing.B) {
 	})
 }

+func BenchmarkDetectSQLInjection_Normal_Small(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=1234")
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Small(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/sql/injection?id=" + types.String(rands.Int64()%10000))
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Middle(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("/search?q=libinjection+fingerprint&newwindow=1&sca_esv=589290862&sxsrf=AMwHvKnxuLoejn2XlNniffC12E_xc35M7Q%3A1702090118361&ei=htvzzebfFZfo1e8PvLGggAk&ved=0ahUKEwjTsYmnq4GDAxUWdPOHHbwkCJAQ4ddDCBA&uact=5&oq=libinjection+fingerprint&gs_lp=Egxnd3Mtd2l6LXNlcnAiGIxpYmluamVjdGlvbmBmaW5nKXJwcmludTIEEAAYHjIGVAAYCBgeSiEaUPkRWKFZcAJ4AZABAJgBHgGgAfoEqgwDMC40uAEGyAEA-AEBwgIKEAFYTxjWMuiwA-IDBBgAVteIBgGQBgI&sclient=gws-wiz-serp#ip=1")
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_URL_Normal_Small_Cache(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjectionCache("/sql/injection?id="+types.String(rands.Int64()%10000), utils.CacheMiddleLife)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	var s = strings.Repeat("A", 512)
+	b.ResetTimer()
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s)
+		}
+	})
+}
+
+func BenchmarkDetectSQLInjection_Normal_Large_Cache(b *testing.B) {
+	runtime.GOMAXPROCS(4)
+
+	var s = strings.Repeat("A", 512)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectSQLInjectionCache("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s, utils.CacheMiddleLife)
+		}
+	})
+}
+
 func BenchmarkDetectSQLInjection_URL_Unescape(b *testing.B) {
 	runtime.GOMAXPROCS(4)

--- a/internal/waf/injectionutils/utils_xss.go
+++ b/internal/waf/injectionutils/utils_xss.go
@@ -10,11 +10,42 @@ package injectionutils
 */
 import "C"
 import (
+	"github.com/TeaOSLab/EdgeNode/internal/utils/fasttime"
+	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
+	"github.com/cespare/xxhash/v2"
 	"net/url"
+	"strconv"
 	"strings"
 	"unsafe"
 )

+func DetectXSSCache(input string, cacheLife utils.CacheLife) bool {
+	var l = len(input)
+
+	if l == 0 {
+		return false
+	}
+
+	if cacheLife <= 0 || l < 512 || l > utils.MaxCacheDataSize {
+		return DetectXSS(input)
+	}
+
+	var hash = xxhash.Sum64String(input)
+	var key = "WAF@XSS@" + strconv.FormatUint(hash, 10)
+	var item = utils.SharedCache.Read(key)
+	if item != nil {
+		return item.Value == 1
+	}
+
+	var result = DetectXSS(input)
+	if result {
+		utils.SharedCache.Write(key, 1, fasttime.Now().Unix()+cacheLife)
+	} else {
+		utils.SharedCache.Write(key, 0, fasttime.Now().Unix()+cacheLife)
+	}
+	return result
+}
+
 // DetectXSS detect XSS in string
 func DetectXSS(input string) bool {
 	if len(input) == 0 {
@@ -26,7 +57,7 @@ func DetectXSS(input string) bool {
 	}

 	// 兼容 /PATH?URI
-	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 4096 {
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 1024 {
 		var argsIndex = strings.Index(input, "?")
 		if argsIndex > 0 {
 			var args = input[argsIndex+1:]
--- a/internal/waf/injectionutils/utils_xss_test.go
+++ b/internal/waf/injectionutils/utils_xss_test.go
@@ -4,6 +4,7 @@ package injectionutils_test

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
+	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/assert"
 	"runtime"
 	"testing"
@@ -25,7 +26,10 @@ func TestDetectXSS(t *testing.T) {
 }

 func BenchmarkDetectXSS_MISS(b *testing.B) {
-	b.Log(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>"))
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>")
+	if result {
+		b.Fatal("'result' should not be 'true'")
+	}

 	runtime.GOMAXPROCS(4)

@@ -36,8 +40,26 @@ func BenchmarkDetectXSS_MISS(b *testing.B) {
 	})
 }

+func BenchmarkDetectXSS_MISS_Cache(b *testing.B) {
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>")
+	if result {
+		b.Fatal("'result' should not be 'true'")
+	}
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSSCache("<html><body><span>RequestId: 1234567890</span></body></html>", utils.CacheMiddleLife)
+		}
+	})
+}
+
 func BenchmarkDetectXSS_HIT(b *testing.B) {
-	b.Log(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>"))
+	var result = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>")
+	if !result {
+		b.Fatal("'result' should not be 'false'")
+	}

 	runtime.GOMAXPROCS(4)