TRKJ/EdgeNode
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeNode.git synced 2025-11-08 03:00:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

优化XSS检测的模式

Browse Source
This commit is contained in:
GoEdgeLab
2024-01-16 19:56:04 +08:00
parent dac89cd3a8
commit f5d4568695
3 changed files with 44 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
internal/waf/injectionutils/libinjection/src/libinjection_xss.c
View File

@@ -15,7 +15,7 @@ typedef enum attribute {
} attribute_t; } attribute_t;
static attribute_t is_black_attr(const char* s, size_t len); static attribute_t is_black_attr(const char* s, size_t len, int strictMode);
static int is_black_tag(const char* s, size_t len, int strictMode); static int is_black_tag(const char* s, size_t len, int strictMode);
static int is_black_url(const char* s, size_t len); static int is_black_url(const char* s, size_t len);
static int cstrcasecmp_with_null(const char *a, const char *b, size_t n); static int cstrcasecmp_with_null(const char *a, const char *b, size_t n);
@@ -451,7 +451,7 @@ static stringtype_t BLACKATTREVENT[] = {
* data: * data:
* javascript: * javascript:
*/ */
static stringtype_t BLACKATTR[] = { static stringtype_t STRICT_BLACKATTR[] = {
{ "ACTION", TYPE_ATTR_URL } /* form */ { "ACTION", TYPE_ATTR_URL } /* form */
, { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */ , { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
, { "BY", TYPE_ATTR_URL } /* SVG */ , { "BY", TYPE_ATTR_URL } /* SVG */
@@ -475,6 +475,31 @@ static stringtype_t BLACKATTR[] = {
, { NULL, TYPE_NONE } , { NULL, TYPE_NONE }
}; };
static stringtype_t BLACKATTR[] = {
{ "ACTION", TYPE_ATTR_URL } /* form */
, { "ATTRIBUTENAME", TYPE_ATTR_INDIRECT } /* SVG allow indirection of attribute names */
, { "BY", TYPE_ATTR_URL } /* SVG */
, { "BACKGROUND", TYPE_ATTR_URL } /* IE6, O11 */
, { "DATAFORMATAS", TYPE_BLACK } /* IE */
, { "DATASRC", TYPE_BLACK } /* IE */
, { "DYNSRC", TYPE_ATTR_URL } /* Obsolete img attribute */
, { "FILTER", TYPE_STYLE } /* Opera, SVG inline style */
, { "FORMACTION", TYPE_ATTR_URL } /* HTML 5 */
, { "FOLDER", TYPE_ATTR_URL } /* Only on A tags, IE-only */
, { "FROM", TYPE_ATTR_URL } /* SVG */
, { "HANDLER", TYPE_ATTR_URL } /* SVG Tiny, Opera */
, { "HREF", TYPE_ATTR_URL }
, { "LOWSRC", TYPE_ATTR_URL } /* Obsolete img attribute */
, { "POSTER", TYPE_ATTR_URL } /* Opera 10,11 */
, { "SRC", TYPE_ATTR_URL }
, { "TO", TYPE_ATTR_URL } /* SVG */
, { "VALUES", TYPE_ATTR_URL } /* SVG */
, { "XLINK:HREF", TYPE_ATTR_URL }
, { NULL, TYPE_NONE }
};
/* xmlns */ /* xmlns */
/* `xml-stylesheet` > <eval>, <if expr=> */ /* `xml-stylesheet` > <eval>, <if expr=> */
@@ -674,7 +699,7 @@ static int is_black_tag(const char* s, size_t len, int strictMode)
return 0; return 0;
} }
static attribute_t is_black_attr(const char* s, size_t len) static attribute_t is_black_attr(const char* s, size_t len, int strictMode)
{ {
stringtype_t* black; stringtype_t* black;
@@ -706,7 +731,11 @@ static attribute_t is_black_attr(const char* s, size_t len)
//} //}
} }
if (strictMode == 1) {
black = STRICT_BLACKATTR;
} else {
black = BLACKATTR; black = BLACKATTR;
}
while (black->name != NULL) { while (black->name != NULL) {
if (cstrcasecmp_with_null(black->name, s, len) == 0) { if (cstrcasecmp_with_null(black->name, s, len) == 0) {
/* printf("Got banned attribute name %s\n", black->name); */ /* printf("Got banned attribute name %s\n", black->name); */
@@ -779,7 +808,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode)
return 1; return 1;
} }
} else if (h5.token_type == ATTR_NAME) { } else if (h5.token_type == ATTR_NAME) {
attr = is_black_attr(h5.token_start, h5.token_len); attr = is_black_attr(h5.token_start, h5.token_len, strictMode);
} else if (h5.token_type == ATTR_VALUE) { } else if (h5.token_type == ATTR_VALUE) {
/* /*
* IE6,7,8 parsing works a bit differently so * IE6,7,8 parsing works a bit differently so
@@ -810,7 +839,7 @@ int libinjection_is_xss(const char* s, size_t len, int flags, int strictMode)
return 1; return 1;
case TYPE_ATTR_INDIRECT: case TYPE_ATTR_INDIRECT:
/* an attribute name is specified in a _value_ */ /* an attribute name is specified in a _value_ */
if (is_black_attr(h5.token_start, h5.token_len)) { if (is_black_attr(h5.token_start, h5.token_len, strictMode)) {
return 1; return 1;
} }
break; break;

2
internal/waf/injectionutils/libinjection_xss.c
View File

@@ -3,4 +3,4 @@
#include "libinjection/src/libinjection_xss.c" #include "libinjection/src/libinjection_xss.c"
#include "libinjection/src/libinjection_html5.c" #include "libinjection/src/libinjection_html5.c"
#define GOEDGE_VERSION "24" // last version is for GoEdge change #define GOEDGE_VERSION "25" // last version is for GoEdge change

14
internal/waf/injectionutils/utils_xss_test.go
View File

@@ -32,16 +32,18 @@ func TestDetectXSS(t *testing.T) {
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
</x:xmpmeta>`, true)) // included in some photo files </x:xmpmeta>`, true)) // included in some photo files
a.IsFalse(injectionutils.DetectXSS(`<xml> a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
</xml>`, true))
} }
func TestDetectXSS_Strict(t *testing.T) { func TestDetectXSS_Strict(t *testing.T) {
var a = assert.NewAssertion(t) var a = assert.NewAssertion(t)
a.IsFalse(injectionutils.DetectXSS(`<xml> a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
a.IsTrue(injectionutils.DetectXSS(`<xml></xml>`, true))
</xml>`, false)) a.IsFalse(injectionutils.DetectXSS(`<img src=\"\"/>`, false))
a.IsFalse(injectionutils.DetectXSS(`<img src=\"test.jpg\"/>`, true))
a.IsFalse(injectionutils.DetectXSS(`<a href="aaaa"></a>`, true))
a.IsFalse(injectionutils.DetectXSS(`<span style="color: red"></span>`, false))
a.IsTrue(injectionutils.DetectXSS(`<span style="color: red"></span>`, true))
} }
func BenchmarkDetectXSS_MISS(b *testing.B) { func BenchmarkDetectXSS_MISS(b *testing.B) {