WAF增加“包含XSS注入”操作符

internal/waf/injectionutils/libinjection_xss.c

@@ -0,0 +1,4 @@
+#define LIBINJECTION_VERSION "3.9.1"
+
+#include "libinjection/src/libinjection_xss.c"
+#include "libinjection/src/libinjection_html5.c"

internal/waf/injectionutils/utils_sqli.go

@@ -6,7 +6,6 @@ package injectionutils
 #cgo CFLAGS: -I./libinjection/src
 
 #include <libinjection.h>
-#include <libinjection_sqli.h>
 #include <stdlib.h>
 */
 import "C"
@@ -27,7 +26,7 @@ func DetectSQLInjection(input string) bool {
 	}
 
 	// 兼容 /PATH?URI
-	if input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://") {
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 4096 {
 		var argsIndex = strings.Index(input, "?")
 		if argsIndex > 0 {
 			var args = input[argsIndex+1:]

internal/waf/injectionutils/utils_xss.go

@@ -0,0 +1,54 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package injectionutils
+
+/*
+#cgo CFLAGS: -I./libinjection/src
+
+#include <libinjection.h>
+#include <stdlib.h>
+*/
+import "C"
+import (
+	"net/url"
+	"strings"
+	"unsafe"
+)
+
+// DetectXSS detect XSS in string
+func DetectXSS(input string) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	if detectXSSOne(input) {
+		return true
+	}
+
+	// 兼容 /PATH?URI
+	if (input[0] == '/' || strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://")) && len(input) < 4096 {
+		var argsIndex = strings.Index(input, "?")
+		if argsIndex > 0 {
+			var args = input[argsIndex+1:]
+			unescapeArgs, err := url.QueryUnescape(args)
+			if err == nil && args != unescapeArgs {
+				return detectXSSOne(args) || detectXSSOne(unescapeArgs)
+			} else {
+				return detectXSSOne(args)
+			}
+		}
+	}
+
+	return false
+}
+
+func detectXSSOne(input string) bool {
+	if len(input) == 0 {
+		return false
+	}
+
+	var cInput = C.CString(input)
+	defer C.free(unsafe.Pointer(cInput))
+
+	return C.libinjection_xss(cInput, C.size_t(len(input))) == 1
+}

internal/waf/injectionutils/utils_xss_test.go

@@ -0,0 +1,49 @@
+// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package injectionutils_test
+
+import (
+	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
+	"github.com/iwind/TeaGo/assert"
+	"runtime"
+	"testing"
+)
+
+func TestDetectXSS(t *testing.T) {
+	var a = assert.NewAssertion(t)
+	a.IsFalse(injectionutils.DetectXSS(""))
+	a.IsFalse(injectionutils.DetectXSS("abc"))
+	a.IsTrue(injectionutils.DetectXSS("<script>"))
+	a.IsTrue(injectionutils.DetectXSS("<link>"))
+	a.IsFalse(injectionutils.DetectXSS("<html><span>"))
+	a.IsFalse(injectionutils.DetectXSS("&lt;script&gt;"))
+	a.IsTrue(injectionutils.DetectXSS("/path?onmousedown=a"))
+	a.IsTrue(injectionutils.DetectXSS("/path?onkeyup=a"))
+	a.IsTrue(injectionutils.DetectXSS("onkeyup=a"))
+	a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>"))
+	a.IsFalse(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>"))
+}
+
+func BenchmarkDetectXSS_MISS(b *testing.B) {
+	b.Log(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>"))
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span></body></html>")
+		}
+	})
+}
+
+func BenchmarkDetectXSS_HIT(b *testing.B) {
+	b.Log(injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>"))
+
+	runtime.GOMAXPROCS(4)
+
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			_ = injectionutils.DetectXSS("<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>")
+		}
+	})
+}