Aug 08 2025 dev (#336)

* sync code * sync code * sync code --------- Co-authored-by: Ned Wright <nedwright@proton.me>
2025-11-15 17:02:15 +03:00 · 2025-08-10 13:21:52 +03:00
parent dd19bf6158
commit 6bbc89712a
153 changed files with 4864 additions and 1018 deletions
--- a/components/security_apps/waap/waap_clib/DeepParser.cc
+++ b/components/security_apps/waap/waap_clib/DeepParser.cc
@@ -36,6 +36,7 @@
 #include "debug.h"
 #include "i_transaction.h"
 #include "agent_core_utilities.h"
+#include <boost/algorithm/string.hpp>

 USE_DEBUG_FLAG(D_WAAP_DEEP_PARSER);
 USE_DEBUG_FLAG(D_WAAP_ULIMITS);
@@ -93,6 +94,12 @@ DeepParser::depth() const
    return m_depth;
 }

+static bool err = false;
+static const SingleRegex temperature_value_re(
+    "^\\s*([0-9](?:\\.\\d+)?)\\s*$",
+    err,
+    "temperature_value");
+
 // Called when another key/value pair is ready
 int
 DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int flags, size_t parser_depth)
@@ -195,6 +202,14 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
    bool isBodyPayload = (m_key.first().size() == 4 && m_key.first() == "body");


+    if (isBodyPayload && v_len < 32 && k_len == 11 &&
+        boost::to_lower_copy(std::string(k, k_len)) == "temperature" &&
+        temperature_value_re.hasMatch(std::string(v, v_len))) {
+        m_pTransaction->setTemperatureDetected(true);
+        dbgTrace(D_WAAP_DEEP_PARSER) << "temperature detected, value: " << std::string(v, v_len);
+    }
+
+
    // If csrf/antibot cookie - send to Waf2Transaction for collection of cookie value.
    if (m_depth == 1 && isCookiePayload && (m_key.str() == "x-chkp-csrf-token" || m_key.str() == "__fn1522082288")) {
        std::string cur_val = std::string(v, v_len);
@@ -288,6 +303,11 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
            dbgTrace(D_WAAP_DEEP_PARSER) << "removing leading '/' from URL param value";
            base64_offset = 1;
        }
+        if (m_depth == 1 && (isUrlParamPayload || isRefererParamPayload) &&
+            k_len != 0  && (v_len == 0 || (v[0] == '=' && v_len == 1))) {
+            // if the value is empty or starts with '=' - replace it with key
+            cur_val = std::string(k, k_len);
+        }
        std::string decoded_val, decoded_key;
        base64_variants base64_status = Waap::Util::b64Test(
            cur_val,
@@ -477,6 +497,19 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
        }
    }

+    // If this is url_paran and key is match to nosql_key_evasion_detector_re and this is 1st and last buffer
+    // than add to beginning of cur_val "<key>=" where key is the key
+    if (flags == BUFFERED_RECEIVER_F_BOTH) {
+        std::string key = std::string(k, k_len);
+        if (Waap::Util::testNoSQLKeySuspect(key)) {
+            cur_val = key + "=" + cur_val;
+            dbgTrace(D_WAAP_DEEP_PARSER)
+                << "DeepParser::onKv(): found: key = "
+                << key
+                << " is a candidate for NoSQL key evasion - sending to updated string for scanning.";
+        }
+    }
+
    // If there's a parser in parsers stack, push the value to the top parser
    if (!m_parsersDeque.empty()
        && offset >= 0
@@ -1326,7 +1359,7 @@ DeepParser::createInternalParser(
        } else if (b64FileType != Waap::Util::BinaryFileType::FILE_TYPE_NONE) {
            dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse a known binary file, base64 encoded";
            m_parsersDeque.push_back(
-                std::make_shared<BufferedParser<ParserBinaryFile>>(*this, parser_depth + 1, true, b64FileType)
+                std::make_shared<BufferedParser<ParserBinaryFile>>(*this, parser_depth + 1, false, b64FileType)
            );
            offset = 0;
        }