WAF策略增加“最多检查内容尺寸“选项

2025-11-10 20:50:25 +08:00 · 2023-08-02 17:00:16 +08:00
parent f60a2845f3
commit dd66e1d322
8 changed files with 18 additions and 21 deletions
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -441,6 +441,14 @@ func (this *HTTPRequest) WAFFingerprint() []byte {
 	return nil
 }

+func (this *HTTPRequest) WAFMaxRequestSize() int64 {
+	var maxRequestSize = firewallconfigs.DefaultMaxRequestBodySize
+	if this.ReqServer.HTTPFirewallPolicy != nil && this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize > 0 {
+		maxRequestSize = this.ReqServer.HTTPFirewallPolicy.MaxRequestBodySize
+	}
+	return maxRequestSize
+}
+
 // DisableAccessLog 在当前请求中不使用访问日志
 func (this *HTTPRequest) DisableAccessLog() {
 	this.disableLog = true
--- a/internal/waf/checkpoints/request_all.go
+++ b/internal/waf/checkpoints/request_all.go
@@ -2,7 +2,6 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
-	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/maps"
 )

@@ -12,7 +11,7 @@ type RequestAllCheckpoint struct {
 }

 func (this *RequestAllCheckpoint) RequestValue(req requests.Request, param string, options maps.Map, ruleId int64) (value interface{}, hasRequestBody bool, sysErr error, userErr error) {
-	valueBytes := []byte{}
+	var valueBytes = []byte{}
 	if len(req.WAFRaw().RequestURI) > 0 {
 		valueBytes = append(valueBytes, req.WAFRaw().RequestURI...)
 	} else if req.WAFRaw().URL != nil {
@@ -30,7 +29,7 @@ func (this *RequestAllCheckpoint) RequestValue(req requests.Request, param strin
 		var bodyData = req.WAFGetCacheBody()
 		hasRequestBody = true
 		if len(bodyData) == 0 {
-			data, err := req.WAFReadBody(utils.MaxBodySize) // read body
+			data, err := req.WAFReadBody(req.WAFMaxRequestSize()) // read body
 			if err != nil {
 				return "", hasRequestBody, err, nil
 			}
--- a/internal/waf/checkpoints/request_body.go
+++ b/internal/waf/checkpoints/request_body.go
@@ -2,7 +2,6 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
-	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/maps"
 )

@@ -25,7 +24,7 @@ func (this *RequestBodyCheckpoint) RequestValue(req requests.Request, param stri
 	var bodyData = req.WAFGetCacheBody()
 	hasRequestBody = true
 	if len(bodyData) == 0 {
-		data, err := req.WAFReadBody(utils.MaxBodySize) // read body
+		data, err := req.WAFReadBody(req.WAFMaxRequestSize()) // read body
 		if err != nil {
 			return "", hasRequestBody, err, nil
 		}
--- a/internal/waf/checkpoints/request_form_arg.go
+++ b/internal/waf/checkpoints/request_form_arg.go
@@ -2,7 +2,6 @@ package checkpoints

 import (
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
-	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/maps"
 	"net/url"
 )
@@ -27,7 +26,7 @@ func (this *RequestFormArgCheckpoint) RequestValue(req requests.Request, param s

 	var bodyData = req.WAFGetCacheBody()
 	if len(bodyData) == 0 {
-		data, err := req.WAFReadBody(utils.MaxBodySize) // read body
+		data, err := req.WAFReadBody(req.WAFMaxRequestSize()) // read body
 		if err != nil {
 			return "", hasRequestBody, err, nil
 		}
--- a/internal/waf/checkpoints/request_json_arg.go
+++ b/internal/waf/checkpoints/request_json_arg.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
-	wafutils "github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/maps"
 	"strings"
 )
@@ -18,7 +17,7 @@ func (this *RequestJSONArgCheckpoint) RequestValue(req requests.Request, param s
 	var bodyData = req.WAFGetCacheBody()
 	hasRequestBody = true
 	if len(bodyData) == 0 {
-		data, err := req.WAFReadBody(wafutils.MaxBodySize) // read body
+		data, err := req.WAFReadBody(req.WAFMaxRequestSize()) // read body
 		if err != nil {
 			return "", hasRequestBody, err, nil
 		}
--- a/internal/waf/checkpoints/request_upload.go
+++ b/internal/waf/checkpoints/request_upload.go
@@ -3,7 +3,6 @@ package checkpoints
 import (
 	"bytes"
 	"github.com/TeaOSLab/EdgeNode/internal/waf/requests"
-	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
 	"io"
@@ -40,7 +39,7 @@ func (this *RequestUploadCheckpoint) RequestValue(req requests.Request, param st
 	if req.WAFRaw().MultipartForm == nil {
 		var bodyData = req.WAFGetCacheBody()
 		if len(bodyData) == 0 {
-			data, err := req.WAFReadBody(utils.MaxBodySize)
+			data, err := req.WAFReadBody(req.WAFMaxRequestSize())
 			if err != nil {
 				sysErr = err
 				return
@@ -53,7 +52,7 @@ func (this *RequestUploadCheckpoint) RequestValue(req requests.Request, param st
 		oldBody := req.WAFRaw().Body
 		req.WAFRaw().Body = io.NopCloser(bytes.NewBuffer(bodyData))

-		err := req.WAFRaw().ParseMultipartForm(utils.MaxBodySize)
+		err := req.WAFRaw().ParseMultipartForm(req.WAFMaxRequestSize())

 		// 还原
 		req.WAFRaw().Body = oldBody
--- a/internal/waf/requests/request.go
+++ b/internal/waf/requests/request.go
@@ -35,6 +35,9 @@ type Request interface {
 	// WAFFingerprint 读取连接指纹
 	WAFFingerprint() []byte

+	// WAFMaxRequestSize 可以检查的最大内容尺寸
+	WAFMaxRequestSize() int64
+
 	// Format 格式化变量
 	Format(string) string

--- a/internal/waf/utils/consts.go
+++ b/internal/waf/utils/consts.go
@@ -1,9 +0,0 @@
-// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
-
-package utils
-
-import "github.com/TeaOSLab/EdgeNode/internal/utils/sizes"
-
-const (
-	MaxBodySize = 2 * sizes.M
-)