优化WAF

* 信息加密使用struct代替map，以缩短加密后内容长度 * 拦截动作、人机识别动作增加是否尝试全局封禁选项 * JSCookie识别动作增加默认设置选项 * 人机识别中传入info参数异常时，尝试跳转到来源地址，避免直接提示invalid request
2025-12-30 09:56:36 +08:00 · 2024-04-07 14:31:22 +08:00
parent 3f012b6021
commit b772085ef2
18 changed files with 441 additions and 129 deletions
--- a/internal/waf/get302_validator.go
+++ b/internal/waf/get302_validator.go
@@ -24,36 +24,68 @@ func (this *Get302Validator) Run(request requests.Request, writer http.ResponseW
 	if len(info) == 0 {
 		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
 		writer.WriteHeader(http.StatusBadRequest)
-		_, _ = writer.Write([]byte("invalid request"))
-		return
-	}
-	m, err := utils.SimpleDecryptMap(info)
-	if err != nil {
-		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
-		writer.WriteHeader(http.StatusBadRequest)
-		_, _ = writer.Write([]byte("invalid request"))
+		_, _ = writer.Write([]byte("invalid request (002)"))
+		return
+	}
+
+	var timestamp int64
+	var life int64
+	var setId int64
+	var policyId int64
+	var groupId int64
+	var scope string
+	var url string
+
+	var infoArg = &InfoArg{}
+	decodeErr := infoArg.Decode(info)
+	var success bool
+	if decodeErr == nil && infoArg.IsValid() {
+		success = true
+
+		timestamp = infoArg.Timestamp
+		life = int64(infoArg.Life)
+		setId = infoArg.SetId
+		policyId = infoArg.PolicyId
+		groupId = infoArg.GroupId
+		scope = infoArg.Scope
+		url = infoArg.URL
+	} else {
+		// 兼容老版本
+		m, decodeMapErr := utils.SimpleDecryptMap(info)
+		if decodeMapErr == nil {
+			success = true
+
+			timestamp = m.GetInt64("timestamp")
+			life = m.GetInt64("life")
+			setId = m.GetInt64("setId")
+			policyId = m.GetInt64("policyId")
+			groupId = m.GetInt64("groupId")
+			scope = m.GetString("scope")
+			url = m.GetString("url")
+		}
+	}
+
+	if !success {
+		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
+		writer.WriteHeader(http.StatusBadRequest)
+		_, _ = writer.Write([]byte("invalid request (003)"))
 		return
 	}

-	var timestamp = m.GetInt64("timestamp")
 	if time.Now().Unix()-timestamp > 5 { // 超过5秒认为失效
 		request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
 		writer.WriteHeader(http.StatusBadRequest)
-		_, _ = writer.Write([]byte("invalid request"))
+		_, _ = writer.Write([]byte("invalid request (004)"))
 		return
 	}

 	// 加入白名单
-	var life = m.GetInt64("life")
 	if life <= 0 {
 		life = 600 // 默认10分钟
 	}
-	var setId = types.String(m.GetInt64("setId"))
-	SharedIPWhiteList.RecordIP("set:"+setId, m.GetString("scope"), request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, m.GetInt64("policyId"), false, m.GetInt64("groupId"), m.GetInt64("setId"), "")
+	SharedIPWhiteList.RecordIP("set:"+types.String(setId), scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, policyId, false, groupId, setId, "")

 	// 返回原始URL
-	var url = m.GetString("url")
-
 	request.ProcessResponseHeaders(writer.Header(), http.StatusFound)
 	http.Redirect(writer, request.WAFRaw(), url, http.StatusFound)
 }