From c0909a2cd032dd419bc587a5f440af20fc8a947e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Mon, 12 Jun 2023 18:07:07 +0800
Subject: [PATCH] =?UTF-8?q?=E9=83=A8=E5=88=86WAF=E5=8A=A8=E4=BD=9C?=
 =?UTF-8?q?=E8=BE=93=E5=87=BA=E5=86=85=E5=AE=B9=E6=97=B6=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E8=87=AA=E5=AE=9A=E4=B9=89=E6=8A=A5=E5=A4=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/waf/action_captcha.go | 1 +
 internal/waf/action_get_302.go | 1 +
 internal/waf/action_js_cookie.go | 10 +++++++---
 internal/waf/action_post_307.go | 1 +
 internal/waf/captcha_validator.go | 8 ++++++++
 internal/waf/get302_validator.go | 4 ++++
 6 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/internal/waf/action_captcha.go b/internal/waf/action_captcha.go
index 623e59d..cc19334 100644
--- a/internal/waf/action_captcha.go
+++ b/internal/waf/action_captcha.go
@@ -134,6 +134,7 @@ func (this *CaptchaAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req
 // 占用一次失败次数
 CaptchaIncreaseFails(req, this, waf.Id, group.Id, set.Id, CaptchaPageCodeInit)
+ req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, req.WAFRaw(), CaptchaPath+"?info="+url.QueryEscape(info), http.StatusTemporaryRedirect)
 return false, false
diff --git a/internal/waf/action_get_302.go b/internal/waf/action_get_302.go
index 1fa4eb1..bf4139f 100644
--- a/internal/waf/action_get_302.go
+++ b/internal/waf/action_get_302.go
@@ -67,6 +67,7 @@ func (this *Get302Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, requ
 return true, false
 }
+ request.ProcessResponseHeaders(writer.Header(), http.StatusFound)
 http.Redirect(writer, request.WAFRaw(), Get302Path+"?info="+url.QueryEscape(info), http.StatusFound)
 flusher, ok := writer.(http.Flusher)
diff --git a/internal/waf/action_js_cookie.go b/internal/waf/action_js_cookie.go
index caf94f3..4c7c8ea 100644
--- a/internal/waf/action_js_cookie.go
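Review bot: Every redirect site in this commit spells the status code twice — once in the new `req.ProcessResponseHeaders(writer.Header(), code)` line and again in the `http.Redirect(..., code)` directly below it — so the two can drift apart on the next edit; this applies to this hunk, the action_get_302.go and action_post_307.go hunks, and the redirect sites in captcha_validator.go and get302_validator.go. A small package-level helper such as `func redirectWithHeaders(req requests.Request, w http.ResponseWriter, target string, code int) { req.ProcessResponseHeaders(w.Header(), code); http.Redirect(w, req.WAFRaw(), target, code) }` would keep them in step and reduce fourteen near-identical line pairs to one call each. What ProcessResponseHeaders does with the code argument is not visible in the diff, so a doc comment on that method stating whether it only reads the status or also writes it would help reviewers of these call sites. The Perform bodies start and end outside the hunks.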
+++ b/internal/waf/action_js_cookie.go
@@ -75,14 +75,15 @@ func (this *JSCookieAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, re
 }
 }
+ req.ProcessResponseHeaders(writer.Header(), http.StatusOK)
+ writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 writer.Header().Set("Cache-Control", "no-cache")
 var timestamp = types.String(time.Now().Unix())
 var cookieValue = timestamp + "@" + types.String(set.Id) + "@" + fmt.Sprintf("%x", md5.Sum([]byte(timestamp+"@"+types.String(set.Id)+"@"+nodeConfig.NodeId)))
-
- _, _ = writer.Write([]byte(`
+ var respHTML = `
@@ -94,7 +94,10 @@ window.location.reload();
-`))
+`
+ writer.Header().Set("Content-Length", types.String(len(respHTML)))
+ writer.WriteHeader(http.StatusOK)
+ _, _ = writer.Write([]byte(respHTML))
 // 记录失败次数
 this.increaseFails(req, waf.Id, group.Id, set.Id)
diff --git a/internal/waf/action_post_307.go b/internal/waf/action_post_307.go
index 8562f38..d2b238b 100644
--- a/internal/waf/action_post_307.go
+++ b/internal/waf/action_post_307.go
@@ -92,6 +92,7 @@ func (this *Post307Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req
 Value: info,
 })
+ request.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, request.WAFRaw(), request.WAFRaw().URL.String(), http.StatusTemporaryRedirect)
 flusher, ok := writer.(http.Flusher)
diff --git a/internal/waf/captcha_validator.go b/internal/waf/captcha_validator.go
index 6534924..f90bd92 100644
--- a/internal/waf/captcha_validator.go
+++ b/internal/waf/captcha_validator.go
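Review bot: In the action_js_cookie.go hunk `req.ProcessResponseHeaders(writer.Header(), http.StatusOK)` runs before the action sets Content-Type, Cache-Control and (in the second hunk) Content-Length, whereas every redirect site in this commit calls it immediately before the call that commits the headers. If ProcessResponseHeaders writes into the header map, this ordering decides whether a configured header or the action's fixed one wins — a configured Cache-Control is overwritten here, and a processed Content-Length or Content-Encoding would be silently replaced by the added `writer.Header().Set("Content-Length", types.String(len(respHTML)))`. Moving the call to just before `writer.WriteHeader(http.StatusOK)` makes the precedence the same as at the other sites; if the early position is deliberate, a comment such as `// custom headers are applied first so the fixed headers below take precedence` should say so. The Perform body and the HTML template lie outside the hunks, so this is inferred from the visible lines only.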
@@ -33,12 +33,15 @@ func (this *CaptchaValidator) Run(req requests.Request, writer http.ResponseWrit
 }
 m, err := utils.SimpleDecryptMap(info)
 if err != nil {
+ req.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
+ writer.WriteHeader(http.StatusBadRequest)
 _, _ = writer.Write([]byte("invalid request"))
 return
 }
 var timestamp = m.GetInt64("timestamp")
 if timestamp < time.Now().Unix()-600 { // 10分钟之后信息过期
+ req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, req.WAFRaw(), m.GetString("url"), http.StatusTemporaryRedirect)
 return
 }
@@ -51,16 +54,19 @@ func (this *CaptchaValidator) Run(req requests.Request, writer http.ResponseWrit
 var waf = SharedWAFManager.FindWAF(policyId)
 if waf == nil {
+ req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, req.WAFRaw(), originURL, http.StatusTemporaryRedirect)
 return
 }
 var actionConfig = waf.FindAction(actionId)
 if actionConfig == nil {
+ req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, req.WAFRaw(), originURL, http.StatusTemporaryRedirect)
 return
 }
 captchaActionConfig, ok := actionConfig.(*CaptchaAction)
 if !ok {
+ req.ProcessResponseHeaders(writer.Header(), http.StatusTemporaryRedirect)
 http.Redirect(writer, req.WAFRaw(), originURL, http.StatusTemporaryRedirect)
 return
 }
@@ -232,6 +238,7 @@ func (this *CaptchaValidator) validate(actionConfig *CaptchaAction, policyId int
 // 加入到白名单
 SharedIPWhiteList.RecordIP("set:"+strconv.FormatInt(setId, 10), actionConfig.Scope, req.WAFServerId(), req.WAFRemoteIP(), time.Now().Unix()+int64(life), policyId, false, groupId, setId, "")
+ req.ProcessResponseHeaders(writer.Header(), http.StatusSeeOther)
 http.Redirect(writer, req.WAFRaw(), originURL, http.StatusSeeOther)
 return false
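Review bot: The new 400 path in the first hunk — `writer.WriteHeader(http.StatusBadRequest)` followed by the existing `writer.Write([]byte("invalid request"))` — sends the body with no explicit Content-Type, leaving the type to net/http's content sniffing; the same two lines appear in the get302_validator.go hunk. `http.Error(writer, "invalid request", http.StatusBadRequest)` replaces both lines, sets `text/plain; charset=utf-8` together with `X-Content-Type-Options: nosniff`, and keeps the status, at the cost of a trailing newline in the body. The preceding `req.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)` should stay in front of that call as it does now, since headers must be in the map before the status is written. Run's body starts before the hunk.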
@@ -241,6 +248,7 @@ func (this *CaptchaValidator) validate(actionConfig *CaptchaAction, policyId int
 return false
 }
+ req.ProcessResponseHeaders(writer.Header(), http.StatusSeeOther)
 http.Redirect(writer, req.WAFRaw(), req.WAFRaw().URL.String(), http.StatusSeeOther)
 }
 }
diff --git a/internal/waf/get302_validator.go b/internal/waf/get302_validator.go
index 0bfc053..5afcd19 100644
--- a/internal/waf/get302_validator.go
+++ b/internal/waf/get302_validator.go
@@ -29,6 +29,8 @@ func (this *Get302Validator) Run(request requests.Request, writer http.ResponseW
 }
 m, err := utils.SimpleDecryptMap(info)
 if err != nil {
+ request.ProcessResponseHeaders(writer.Header(), http.StatusBadRequest)
+ writer.WriteHeader(http.StatusBadRequest)
 _, _ = writer.Write([]byte("invalid request"))
 return
 }
@@ -51,5 +53,7 @@ func (this *Get302Validator) Run(request requests.Request, writer http.ResponseW
 // 返回原始URL
 var url = m.GetString("url")
+
+ request.ProcessResponseHeaders(writer.Header(), http.StatusFound)
 http.Redirect(writer, request.WAFRaw(), url, http.StatusFound)
 }