TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-12-11 04:40:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

WAF优化captcha和js_cookie的失败计数器/增强js_cookie的安全性

Browse Source
This commit is contained in:
GoEdgeLab
2022-08-25 17:06:52 +08:00
parent 9c3fdbed59
commit b6432cb6a9
2 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
internal/waf/action_js_cookie.go
View File

@@ -11,6 +11,7 @@ import (
"github.com/TeaOSLab/EdgeNode/internal/waf/requests" "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
"github.com/iwind/TeaGo/types" "github.com/iwind/TeaGo/types"
"net/http" "net/http"
"strings"
"time" "time"
) )
@@ -63,9 +64,13 @@ func (this *JSCookieAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
if err == nil && cookie != nil { if err == nil && cookie != nil {
var cookieValue = cookie.Value var cookieValue = cookie.Value
if len(cookieValue) > 10 { if len(cookieValue) > 10 {
var timestamp = cookieValue[:10] var pieces = strings.Split(cookieValue, "@")
if types.Int64(timestamp) >= time.Now().Unix()-int64(life) && fmt.Sprintf("%x", md5.Sum([]byte(timestamp+"@"+nodeConfig.NodeId))) == cookieValue[10:] { if len(pieces) == 3 {
return true, false var timestamp = pieces[0]
var sum = pieces[2]
if types.Int64(timestamp) >= time.Now().Unix()-int64(life) && fmt.Sprintf("%x", md5.Sum([]byte(timestamp+"@"+types.String(set.Id)+"@"+nodeConfig.NodeId))) == sum {
return true, false
}
} }
} }
} }
@@ -75,7 +80,7 @@ func (this *JSCookieAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
var timestamp = types.String(time.Now().Unix()) var timestamp = types.String(time.Now().Unix())
var cookieValue = timestamp + fmt.Sprintf("%x", md5.Sum([]byte(timestamp+"@"+nodeConfig.NodeId))) var cookieValue = timestamp + "@" + types.String(set.Id) + "@" + fmt.Sprintf("%x", md5.Sum([]byte(timestamp+"@"+types.String(set.Id)+"@"+nodeConfig.NodeId)))
_, _ = writer.Write([]byte(`<!DOCTYPE html> _, _ = writer.Write([]byte(`<!DOCTYPE html>
<html> <html>
@@ -110,7 +115,7 @@ func (this *JSCookieAction) increaseFails(req requests.Request, policyId int64,
failBlockTimeout = 1800 // 默认1800s failBlockTimeout = 1800 // 默认1800s
} }
var key = "JS_COOKIE:FAILS:" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) var key = "JS_COOKIE:FAILS:" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + req.WAFRaw().URL.String()
var countFails = ttlcache.SharedCache.IncreaseInt64(key, 1, time.Now().Unix()+300, true) var countFails = ttlcache.SharedCache.IncreaseInt64(key, 1, time.Now().Unix()+300, true)
if int(countFails) >= maxFails { if int(countFails) >= maxFails {

2
internal/waf/captcha_counter.go
View File

@@ -50,5 +50,5 @@ func CaptchaDeleteCacheKey(req requests.Request) {
// CaptchaCacheKey 获取Captcha缓存Key // CaptchaCacheKey 获取Captcha缓存Key
func CaptchaCacheKey(req requests.Request, pageCode CaptchaPageCode) string { func CaptchaCacheKey(req requests.Request, pageCode CaptchaPageCode) string {
return "CAPTCHA:FAILS:" + pageCode + ":" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) return "CAPTCHA:FAILS:" + pageCode + ":" + req.WAFRemoteIP() + ":" + types.String(req.WAFServerId()) + ":" + req.WAFRaw().URL.String()
} }