TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-12-14 14:50:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

WAF操作符增加“包含XSS注入-严格模式”

Browse Source
This commit is contained in:
刘祥超
2024-01-04 14:54:17 +08:00
parent 65435ab32d
commit c9811d78a9
8 changed files with 99 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
internal/waf/injectionutils/utils_xss.go
View File

@@ -19,7 +19,7 @@ import (
"unsafe"
)
func DetectXSSCache(input string, cacheLife utils.CacheLife) bool {
func DetectXSSCache(input string, isStrict bool, cacheLife utils.CacheLife) bool {
var l = len(input)
if l == 0 {
@@ -27,17 +27,20 @@ func DetectXSSCache(input string, cacheLife utils.CacheLife) bool {
}
if cacheLife <= 0 || l < 512 || l > utils.MaxCacheDataSize {
return DetectXSS(input)
return DetectXSS(input, isStrict)
}
var hash = xxhash.Sum64String(input)
var key = "WAF@XSS@" + strconv.FormatUint(hash, 10)
if isStrict {
key += "@1"
}
var item = utils.SharedCache.Read(key)
if item != nil {
return item.Value == 1
}
var result = DetectXSS(input)
var result = DetectXSS(input, isStrict)
if result {
utils.SharedCache.Write(key, 1, fasttime.Now().Unix()+cacheLife)
} else {
@@ -47,12 +50,12 @@ func DetectXSSCache(input string, cacheLife utils.CacheLife) bool {
}
// DetectXSS detect XSS in string
func DetectXSS(input string) bool {
func DetectXSS(input string, isStrict bool) bool {
if len(input) == 0 {
return false
}
if detectXSSOne(input) {
if detectXSSOne(input, isStrict) {
return true
}
@@ -63,22 +66,22 @@ func DetectXSS(input string) bool {
var args = input[argsIndex+1:]
unescapeArgs, err := url.QueryUnescape(args)
if err == nil && args != unescapeArgs {
return detectXSSOne(args) || detectXSSOne(unescapeArgs)
return detectXSSOne(args, isStrict) || detectXSSOne(unescapeArgs, isStrict)
} else {
return detectXSSOne(args)
return detectXSSOne(args, isStrict)
}
}
} else {
unescapedInput, err := url.QueryUnescape(input)
if err == nil && input != unescapedInput {
return detectXSSOne(unescapedInput)
return detectXSSOne(unescapedInput, isStrict)
}
}
return false
}
func detectXSSOne(input string) bool {
func detectXSSOne(input string, isStrict bool) bool {
if len(input) == 0 {
return false
}
@@ -86,5 +89,9 @@ func detectXSSOne(input string) bool {
var cInput = C.CString(input)
defer C.free(unsafe.Pointer(cInput))
return C.libinjection_xss(cInput, C.size_t(len(input))) == 1
var isStrictInt = 0
if isStrict {
isStrictInt = 1
}
return C.libinjection_xss(cInput, C.size_t(len(input)), C.int(isStrictInt)) == 1
}