add waf tag changes to openappsec (#35)

Co-authored-by: wiaamm <wiaamm@checkpoint.com>
Daniel-Eisenberg 2025-06-11 11:35:13 +03:00 committed by GitHub
parent 22852d8428
commit 8f459a139b
7 changed files with 78 additions and 9 deletions


@ -223,7 +223,8 @@ ngx_http_cp_req_header_handler_thread(void *_ctx)
&(request->headers_in.headers.part), &(request->headers_in.headers.part),
REQUEST_HEADER, REQUEST_HEADER,
session_data_p->session_id, session_data_p->session_id,
&num_messages_sent &num_messages_sent,
&ctx->waf_tag
); );
if (send_header_result != NGX_OK) { if (send_header_result != NGX_OK) {
write_dbg( write_dbg(
@ -412,7 +413,8 @@ ngx_http_cp_res_header_filter_thread(void *_ctx)
&request->headers_out.headers.part, &request->headers_out.headers.part,
RESPONSE_HEADER, RESPONSE_HEADER,
session_data_p->session_id, session_data_p->session_id,
&num_messages_sent &num_messages_sent,
&ctx->waf_tag
); );
if (send_header_result != NGX_OK) { if (send_header_result != NGX_OK) {
write_dbg( write_dbg(
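Review bot: The response-side call passes `&ctx->waf_tag` (second hunk) but this commit only initialises that field on the request path (`ctx.waf_tag = conf->waf_tag;` in ngx_http_cp_req_header_handler); none of the seven touched files sets it in the response header filter. `init_thread_ctx` is outside the page, so unless it zeroes the whole context, the response thread hands `ngx_http_cp_header_sender` an uninitialised `ngx_str_t` and the sender's `waf_tag->len > 0` test reads stack garbage. Either assign `ctx.waf_tag` from the location conf in the response filter the same way the request handler does, or have `init_thread_ctx` do `ngx_str_null(&ctx->waf_tag)` so the field is always well-defined before either thread runs. Both enclosing thread functions start and end outside the hunks.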


@ -44,6 +44,7 @@ struct ngx_http_cp_event_thread_ctx_t
int should_return_next_filter; int should_return_next_filter;
ngx_http_cp_modification_list *modifications; ///< Context's modification. ngx_http_cp_modification_list *modifications; ///< Context's modification.
ngx_str_t waf_tag; ///< WAF tag value for the location block.
}; };
/// ///


@ -407,9 +407,11 @@ ngx_http_cp_req_header_handler(ngx_http_request_t *request)
ngx_http_cp_session_data *session_data_p; ngx_http_cp_session_data *session_data_p;
ngx_int_t handle_static_resource_result; ngx_int_t handle_static_resource_result;
ngx_http_cp_verdict_e sessions_per_minute_verdict; ngx_http_cp_verdict_e sessions_per_minute_verdict;
ngx_cp_attachment_conf_t *conf;
struct ngx_http_cp_event_thread_ctx_t ctx; struct ngx_http_cp_event_thread_ctx_t ctx;
struct timespec hook_time_begin; struct timespec hook_time_begin;
int res; int res;
static int is_failure_state_initialized = 0; static int is_failure_state_initialized = 0;
static int is_metric_data_initialized = 0; static int is_metric_data_initialized = 0;
@ -439,6 +441,12 @@ ngx_http_cp_req_header_handler(ngx_http_request_t *request)
return NGX_DECLINED; return NGX_DECLINED;
} }
conf = ngx_http_get_module_loc_conf(request, ngx_http_cp_attachment_module);
if (conf == NULL) {
write_dbg(DBG_LEVEL_WARNING, "Failed to get module configuration");
return NGX_DECLINED;
}
session_data_p = init_cp_session_data(request); session_data_p = init_cp_session_data(request);
if (session_data_p == NULL) return NGX_DECLINED; if (session_data_p == NULL) return NGX_DECLINED;
@ -446,6 +454,7 @@ ngx_http_cp_req_header_handler(ngx_http_request_t *request)
write_dbg(DBG_LEVEL_DEBUG, "Request header filter handling session ID: %d", session_data_p->session_id); write_dbg(DBG_LEVEL_DEBUG, "Request header filter handling session ID: %d", session_data_p->session_id);
init_thread_ctx(&ctx, request, session_data_p, NULL); init_thread_ctx(&ctx, request, session_data_p, NULL);
ctx.waf_tag = conf->waf_tag;
sessions_per_minute_verdict = enforce_sessions_rate(); sessions_per_minute_verdict = enforce_sessions_rate();
if (sessions_per_minute_verdict != TRAFFIC_VERDICT_INSPECT) { if (sessions_per_minute_verdict != TRAFFIC_VERDICT_INSPECT) {


@ -1008,7 +1008,8 @@ ngx_http_cp_header_sender(
ngx_list_part_t *headers_list, ngx_list_part_t *headers_list,
ngx_http_chunk_type_e header_type, ngx_http_chunk_type_e header_type,
uint32_t cur_request_id, uint32_t cur_request_id,
ngx_uint_t *num_messages_sent ngx_uint_t *num_messages_sent,
ngx_str_t *waf_tag
) )
{ {
ngx_uint_t header_idx = 0; ngx_uint_t header_idx = 0;
@ -1024,6 +1025,7 @@ ngx_http_cp_header_sender(
const ngx_uint_t max_bulk_size = 10; const ngx_uint_t max_bulk_size = 10;
char *fragments[HEADER_DATA_COUNT * max_bulk_size + 4]; char *fragments[HEADER_DATA_COUNT * max_bulk_size + 4];
uint16_t fragments_sizes[HEADER_DATA_COUNT * max_bulk_size + 4]; uint16_t fragments_sizes[HEADER_DATA_COUNT * max_bulk_size + 4];
ngx_flag_t waf_tag_found = 0;
write_dbg( write_dbg(
DBG_LEVEL_TRACE, DBG_LEVEL_TRACE,
@ -1034,6 +1036,38 @@ ngx_http_cp_header_sender(
// Sets fragments identifier to the provided body type. // Sets fragments identifier to the provided body type.
set_fragments_identifiers(fragments, fragments_sizes, (uint16_t *)&header_type, &cur_request_id); set_fragments_identifiers(fragments, fragments_sizes, (uint16_t *)&header_type, &cur_request_id);
// If waf_tag is provided and valid, check for existing x-waf-tag headers
if (waf_tag != NULL && waf_tag->len > 0) {
for (headers_iter = headers_list; headers_iter; headers_iter = headers_iter->next) {
headers_to_inspect = headers_iter->elts;
for (header_idx = 0; header_idx < headers_iter->nelts; ++header_idx) {
header = headers_to_inspect + header_idx;
if (header->key.len == 9 && ngx_strncasecmp(header->key.data, (u_char *)"x-waf-tag", 9) == 0) {
// Found existing x-waf-tag header, override its value
// header->value = *waf_tag;
waf_tag_found = 1;
write_dbg(DBG_LEVEL_DEBUG, "Overriding existing x-waf-tag header with value: %.*s", waf_tag->len, waf_tag->data);
break;
}
}
if (waf_tag_found) break;
}
// If no existing x-waf-tag header found, add a new one
if (!waf_tag_found) {
ngx_table_elt_t waf_header;
waf_header.hash = 1;
ngx_str_set(&waf_header.key, "x-waf-tag");
waf_header.value = *waf_tag;
waf_header.lowcase_key = NULL; // Not needed for sending to agent
add_header_to_bulk(fragments, fragments_sizes, &waf_header, idx_in_bulk);
idx_in_bulk++;
part_count++;
write_dbg(DBG_LEVEL_DEBUG, "Adding new x-waf-tag header with value: %.*s", waf_tag->len, waf_tag->data);
}
}
for (headers_iter = headers_list; headers_iter ; headers_iter = headers_iter->next) { for (headers_iter = headers_list; headers_iter ; headers_iter = headers_iter->next) {
// Going over the header list. // Going over the header list.
for (header_idx = 0 ; header_idx < headers_iter->nelts ; ++header_idx) { for (header_idx = 0 ; header_idx < headers_iter->nelts ; ++header_idx) {
@ -1051,7 +1085,16 @@ ngx_http_cp_header_sender(
is_last_part = (headers_iter->next == NULL && header_idx + 1 == headers_iter->nelts) ? 1 : 0; is_last_part = (headers_iter->next == NULL && header_idx + 1 == headers_iter->nelts) ? 1 : 0;
// Create a header bulk to send. // Create a header bulk to send.
if (waf_tag_found && header->key.len == 9 && ngx_strncasecmp(header->key.data, (u_char *)"x-waf-tag", 9) == 0) {
ngx_table_elt_t waf_header;
waf_header.hash = 1;
ngx_str_set(&waf_header.key, "x-waf-tag");
waf_header.value = *waf_tag;
waf_header.lowcase_key = NULL;
add_header_to_bulk(fragments, fragments_sizes, &waf_header, idx_in_bulk);
} else {
add_header_to_bulk(fragments, fragments_sizes, header, idx_in_bulk); add_header_to_bulk(fragments, fragments_sizes, header, idx_in_bulk);
}
idx_in_bulk++; idx_in_bulk++;
part_count++; part_count++;
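Review bot: `waf_header` is a block-scoped local in both new paths (the `if (!waf_tag_found)` block and the override branch of the main loop) yet it is handed to `add_header_to_bulk`, which only fills the fragment arrays that are flushed later; `add_header_to_bulk` is outside the page, but if it retains pointers into the element (for example `&header->key.len`) instead of copying, those fragments point at dead stack by the time the bulk is sent. Hoisting a single zero-initialised `waf_header` to function scope and filling it once when `waf_tag` is usable removes that lifetime question and the duplicated setup, as sketched below. Separately, `%.*s` takes an `int` precision but both new `write_dbg` calls pass `waf_tag->len`, a `size_t`, which is undefined if `write_dbg` forwards to a printf-style formatter; use `(int)waf_tag->len`. The dead line `// header->value = *waf_tag;` and the "Overriding existing x-waf-tag header" message in the pre-scan are misleading because nothing is replaced at that point; drop the commented-out code and word the message as "found existing x-waf-tag header, will replace when sending". ngx_http_cp_header_sender's body continues outside the hunk.
```c
    ngx_flag_t waf_tag_found = 0;
    // Function-scoped: any pointer add_header_to_bulk() keeps into it must stay valid until the bulk is flushed.
    ngx_table_elt_t waf_header;
    ngx_memzero(&waf_header, sizeof(waf_header));
    // … unchanged: trace logging, set_fragments_identifiers …
    if (waf_tag != NULL && waf_tag->len > 0) {
        waf_header.hash = 1;
        ngx_str_set(&waf_header.key, "x-waf-tag");
        waf_header.value = *waf_tag;
        // … unchanged: scan headers_list for an existing x-waf-tag, setting waf_tag_found …
        if (!waf_tag_found) {
            add_header_to_bulk(fragments, fragments_sizes, &waf_header, idx_in_bulk);
            idx_in_bulk++;
            part_count++;
            write_dbg(DBG_LEVEL_DEBUG, "Adding new x-waf-tag header with value: %.*s", (int)waf_tag->len, waf_tag->data);
        }
    }
    // … unchanged: main header loop up to the bulk creation …
            if (waf_tag_found && header->key.len == 9 && ngx_strncasecmp(header->key.data, (u_char *)"x-waf-tag", 9) == 0) {
                add_header_to_bulk(fragments, fragments_sizes, &waf_header, idx_in_bulk);
            } else {
                add_header_to_bulk(fragments, fragments_sizes, header, idx_in_bulk);
            }
```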


@ -138,6 +138,7 @@ ngx_http_cp_content_length_sender(
/// - #RESPONSE_HEADER /// - #RESPONSE_HEADER
/// @param[in] cur_request_id Request session's Id. /// @param[in] cur_request_id Request session's Id.
/// @param[in, out] num_messages_sent Number of messages sent will be saved onto this parameter. /// @param[in, out] num_messages_sent Number of messages sent will be saved onto this parameter.
/// @param[in, out] waf_tag WAF tag to be sent.
/// @returns ngx_int_t /// @returns ngx_int_t
/// - #NGX_OK /// - #NGX_OK
/// - #NGX_ERROR /// - #NGX_ERROR
@ -147,7 +148,8 @@ ngx_http_cp_header_sender(
ngx_list_part_t *headers, ngx_list_part_t *headers,
ngx_http_chunk_type_e header_type, ngx_http_chunk_type_e header_type,
uint32_t cur_request_id, uint32_t cur_request_id,
ngx_uint_t *num_messages_sent ngx_uint_t *num_messages_sent,
ngx_str_t *waf_tag
); );
/// ///
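Review bot: The new `@param[in, out] waf_tag` line documents the parameter as in/out, but the sender only reads it (it copies `*waf_tag` into a header element and never writes through the pointer), and the empty/NULL case is silently a no-op, which callers should know. Replace it with `/// @param[in] waf_tag Configured WAF tag; NULL or empty means no x-waf-tag header is added or replaced in the data sent to the agent.`.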


@ -26,11 +26,6 @@
#include "nginx_attachment_common.h" #include "nginx_attachment_common.h"
extern ngx_uint_t current_config_version; ///< NGINX configuration version. extern ngx_uint_t current_config_version; ///< NGINX configuration version.
typedef struct {
ngx_flag_t enable; ///< Flags if the configuration enabled.
ngx_int_t num_of_workers; ///< Number of workers.
ngx_uint_t current_loc_config_version; ///< NGINX configuration version.
} ngx_cp_attachment_conf_t;
/// ///
/// @brief Creates NGINX cp attachment configuration. /// @brief Creates NGINX cp attachment configuration.
@ -120,6 +115,14 @@ static ngx_command_t ngx_cp_attachment_commands[] = {
offsetof(ngx_cp_attachment_conf_t, num_of_workers), offsetof(ngx_cp_attachment_conf_t, num_of_workers),
NULL NULL
}, },
{
ngx_string("waf_tag"),
NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_cp_attachment_conf_t, waf_tag),
NULL
},
ngx_null_command ngx_null_command
}; };
@ -210,6 +213,7 @@ ngx_cp_attachment_create_conf(ngx_conf_t *conf)
module_conf->enable = NGX_CONF_UNSET; module_conf->enable = NGX_CONF_UNSET;
module_conf->num_of_workers = 0; module_conf->num_of_workers = 0;
module_conf->current_loc_config_version = current_config_version; module_conf->current_loc_config_version = current_config_version;
ngx_str_null(&module_conf->waf_tag);
write_dbg(DBG_LEVEL_TRACE, "Successfully created attachment module configuration"); write_dbg(DBG_LEVEL_TRACE, "Successfully created attachment module configuration");
return module_conf; return module_conf;
} }
@ -270,6 +274,7 @@ ngx_cp_attachment_merge_conf(ngx_conf_t *configure, void *curr, void *next)
ngx_conf_merge_value(conf->enable, prev->enable, NGX_CONF_UNSET); ngx_conf_merge_value(conf->enable, prev->enable, NGX_CONF_UNSET);
ngx_conf_merge_value(conf->num_of_workers, prev->num_of_workers, ngx_ncpu); ngx_conf_merge_value(conf->num_of_workers, prev->num_of_workers, ngx_ncpu);
ngx_conf_merge_str_value(conf->waf_tag, prev->waf_tag, "");
write_dbg(DBG_LEVEL_TRACE, "Successfully set attachment module configuration in nginx configuration chain"); write_dbg(DBG_LEVEL_TRACE, "Successfully set attachment module configuration in nginx configuration chain");
return NGX_CONF_OK; return NGX_CONF_OK;
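Review bot: `ngx_conf_set_str_slot` accepts any single token for `waf_tag` and the value is later emitted as a header value through fragment arrays whose sizes are `uint16_t` in the sender, so nothing bounds its length or content at configuration time; a `post` handler on the command (or a check in `ngx_cp_attachment_merge_conf`) rejecting values beyond the 16-bit fragment limit or containing CR/LF would fail at `nginx -t` rather than at request time. Note also that with the merged default `""` a location without the directive leaves any client-supplied `x-waf-tag` untouched, because the sender only replaces it when `waf_tag->len > 0`; if the agent treats the tag as trustworthy, document that the directive must be set wherever the tag matters, e.g. `ngx_conf_merge_str_value(conf->waf_tag, prev->waf_tag, ""); // empty: client x-waf-tag headers pass through unchanged`. `ngx_cp_attachment_merge_conf` starts and ends outside the hunk.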


@ -27,6 +27,13 @@ extern ngx_http_output_body_filter_pt ngx_http_next_response_body_filter; ///< N
extern ngx_module_t ngx_http_cp_attachment_module; ///< NGINX Module. extern ngx_module_t ngx_http_cp_attachment_module; ///< NGINX Module.
typedef struct {
ngx_flag_t enable; ///< Flags if the configuration enabled.
ngx_int_t num_of_workers; ///< Number of workers.
ngx_uint_t current_loc_config_version; ///< NGINX configuration version.
ngx_str_t waf_tag; ///< WAF tag value for the location block.
} ngx_cp_attachment_conf_t;
/// ///
/// @brief Returns if NGINX CP attachment is disabled. /// @brief Returns if NGINX CP attachment is disabled.
/// @param[in] request NGINX request. /// @param[in] request NGINX request.