WAF规则模板中XSS注入检测规则使用“包含XSS注入”操作符替代以往的正则表达式

2025-11-04 07:40:56 +08:00 · 2023-12-09 17:00:21 +08:00
parent ae357d869c
commit df7174c892
2 changed files with 49 additions and 46 deletions
--- a/internal/waf/action_page.go
+++ b/internal/waf/action_page.go
@@ -36,6 +36,10 @@ func (this *PageAction) WillChange() bool {

 // Perform the action
 func (this *PageAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, request requests.Request, writer http.ResponseWriter) (continueRequest bool, goNextSet bool) {
+	if writer == nil {
+		return
+	}
+
 	request.ProcessResponseHeaders(writer.Header(), this.Status)
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(this.Status)
--- a/internal/waf/template_test.go
+++ b/internal/waf/template_test.go
@@ -28,15 +28,13 @@ func Test_Template(t *testing.T) {
 		t.Fatal(err)
 	}

-	testTemplate1001(a, t, wafInstance)
-	testTemplate1002(a, t, wafInstance)
-	testTemplate1003(a, t, wafInstance)
+	testTemplate1010(a, t, wafInstance)
 	testTemplate2001(a, t, wafInstance)
 	testTemplate3001(a, t, wafInstance)
 	testTemplate4001(a, t, wafInstance)
 	testTemplate5001(a, t, wafInstance)
 	testTemplate6001(a, t, wafInstance)
-	testTemplate7001(a, t, wafInstance)
+	testTemplate7010(a, t, wafInstance)
 	testTemplate20001(a, t, wafInstance)
 }

@@ -86,49 +84,50 @@ func BenchmarkTemplate(b *testing.B) {
 	}
 }

-func testTemplate1001(a *assert.Assertion, t *testing.T, template *waf.WAF) {
-	req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=onmousedown%3D123", nil)
-	if err != nil {
-		t.Fatal(err)
+func testTemplate1010(a *assert.Assertion, t *testing.T, template *waf.WAF) {
+	for _, id := range []string{
+		"<script",
+		"<script src=\"123.js\">",
+		"<script>alert(123)</script>",
+		"<link",
+		"<link>",
+		"1 onfocus='alert(document.cookie)'",
+	} {
+		req, err := http.NewRequest(http.MethodGet, "https://example.com/index.php?id="+id, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req.Header.Set("User-Agent", testUserAgent)
+		_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsNotNil(result)
+		if result != nil {
+			a.IsTrue(result.Code == "1010")
+		} else {
+			t.Log("break at:", id)
+		}
 	}
-	req.Header.Set("User-Agent", testUserAgent)
-	_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
-	if err != nil {
-		t.Fatal(err)
-	}
-	a.IsNotNil(result)
-	if result != nil {
-		a.IsTrue(result.Code == "1001")
-	}
-}

-func testTemplate1002(a *assert.Assertion, t *testing.T, template *waf.WAF) {
-	req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=eval%28", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
-	if err != nil {
-		t.Fatal(err)
-	}
-	a.IsNotNil(result)
-	if result != nil {
-		a.IsTrue(result.Code == "1002")
-	}
-}
-
-func testTemplate1003(a *assert.Assertion, t *testing.T, template *waf.WAF) {
-	req, err := http.NewRequest(http.MethodGet, "http://example.com/index.php?id=<script src=\"123.js\">", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
-	if err != nil {
-		t.Fatal(err)
-	}
-	a.IsNotNil(result)
-	if result != nil {
-		a.IsTrue(result.Code == "1003")
+	for _, id := range []string{
+		"123",
+		"abc",
+		"<html></html>",
+	} {
+		req, err := http.NewRequest(http.MethodGet, "https://example.com/index.php?id="+url.QueryEscape(id), nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		req.Header.Set("User-Agent", testUserAgent)
+		_, _, _, result, err := template.MatchRequest(requests.NewTestRequest(req), nil, firewallconfigs.ServerCaptchaTypeNone)
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.IsNil(result)
+		if result != nil {
+			a.IsTrue(result.Code == "1010")
+		}
 	}
 }

@@ -290,7 +289,7 @@ func testTemplate6001(a *assert.Assertion, t *testing.T, template *waf.WAF) {
 	}
 }

-func testTemplate7001(a *assert.Assertion, t *testing.T, template *waf.WAF) {
+func testTemplate7010(a *assert.Assertion, t *testing.T, template *waf.WAF) {
 	for _, id := range []string{
 		" union all select id from credits",
 		"' or 1=1",