From c95bd7776af7c631845b06619f2e4582b2c41762 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Wed, 1 Mar 2023 19:00:08 +0800
Subject: [PATCH] =?UTF-8?q?WAF=E6=8B=A6=E6=88=AA=E5=8A=A8=E4=BD=9C?= =?UTF-8?q?=E5=8F=AF=E4=BB=A5=E8=AE=BE=E7=BD=AE=E6=9C=80=E5=A4=A7=E5=B0=81?= =?UTF-8?q?=E7=A6=81=E6=97=B6=E9=97=B4=EF=BC=8C=E4=BB=8E=E8=80=8C=E5=AE=9E?= =?UTF-8?q?=E7=8E=B0=E5=B0=81=E7=A6=81=E6=97=B6=E9=97=B4=E9=9A=8F=E6=9C=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/waf/action_block.go | 9 +++++++++
 internal/waf/waf_manager.go | 1 +
 2 files changed, 10 insertions(+)
diff --git a/internal/waf/action_block.go b/internal/waf/action_block.go
index 136f507..da74541 100644
--- a/internal/waf/action_block.go
+++ b/internal/waf/action_block.go
@@ -6,6 +6,7 @@ import (
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/Tea"
 "github.com/iwind/TeaGo/logs"
+ "github.com/iwind/TeaGo/rands"
 "io"
 "net/http"
 "os"
@@ -25,6 +26,7 @@ type BlockAction struct {
 Body string `yaml:"body" json:"body"` // supports HTML
 URL string `yaml:"url" json:"url"`
 Timeout int32 `yaml:"timeout" json:"timeout"`
+ TimeoutMax int32 `yaml:"timeoutMax" json:"timeoutMax"`
 Scope string `yaml:"scope" json:"scope"`
 }

@@ -41,6 +43,7 @@ func (this *BlockAction) Init(waf *WAF) error {
 }
 if this.Timeout <= 0 {
 this.Timeout = waf.DefaultBlockAction.Timeout
+ this.TimeoutMax = waf.DefaultBlockAction.TimeoutMax // 只有没有填写封锁时长的时候才会使用默认的封锁时长最大值
 }
 }
 return nil
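Review bot: The new `TimeoutMax` field in `BlockAction` (hunk at -25,6 +26,7) has no comment, so its unit and its relation to `Timeout` can only be learned by reading `Perform`. Suggest a trailing comment such as `// upper bound of the ban in seconds; when greater than Timeout the ban lasts a random time in [Timeout, TimeoutMax], otherwise it is ignored`. The struct begins above the hunk.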
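Review bot: In `Init` (hunk at -41,6 +43,7) the added assignment overwrites a `TimeoutMax` that the rule itself configured whenever its `Timeout` is unset, and nothing here checks that `TimeoutMax` is non-negative or at least `Timeout`. The inline comment (the default maximum is used only when no block duration was given) suggests the coupling is deliberate, but an operator who sets only `timeoutMax` silently loses it. If that is not intended, guard the line with `if this.TimeoutMax <= 0 { this.TimeoutMax = waf.DefaultBlockAction.TimeoutMax }`. A value below `Timeout` simply disables the randomisation in `Perform` with no log line, which is worth stating in a comment. The enclosing `if` blocks start above the hunk.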
@@ -65,6 +68,12 @@ func (this *BlockAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, reque
 timeout = 300 // 默认封锁300秒
 }

+ // 随机时长
+ var timeoutMax = this.TimeoutMax
+ if timeoutMax > timeout {
+ timeout = timeout + int32(rands.Int64()%int64(timeoutMax-timeout+1))
+ }
+
 SharedIPBlackList.RecordIP(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+int64(timeout), waf.Id, waf.UseLocalFirewall, group.Id, set.Id, "")

 if writer != nil {
diff --git a/internal/waf/waf_manager.go b/internal/waf/waf_manager.go
index 4652b11..a67d874 100644
--- a/internal/waf/waf_manager.go
+++ b/internal/waf/waf_manager.go
@@ -180,6 +180,7 @@ func (this *WAFManager) ConvertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 Body: policy.BlockOptions.Body,
 URL: policy.BlockOptions.URL,
 Timeout: policy.BlockOptions.Timeout,
+ TimeoutMax: policy.BlockOptions.TimeoutMax,
 }
 }
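Review bot: In `BlockAction.Perform` (action_block.go, hunk at -65,6 +68,12) the jitter `rands.Int64()%int64(timeoutMax-timeout+1)` is negative whenever `rands.Int64()` returns a negative value, because Go's `%` keeps the sign of the dividend. The ban would then be shorter than `Timeout`, or the expiry handed to `RecordIP` could already lie in the past. The sign of `rands.Int64()` is not visible in this patch, so either confirm it is non-negative or normalise the offset: `delta := rands.Int64() % int64(timeoutMax-timeout+1)`, `if delta < 0 { delta = -delta }`, `timeout += int32(delta)`. If the randomisation is meant to keep a blocked client from predicting when the ban ends, it is also worth confirming which generator backs `rands`. `Perform` begins above the hunk and continues below it.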