* add waf-tag to openappsec

* fix waf tag to openappsec

---------

Co-authored-by: wiaamm <wiaamm@checkpoint.com>
This commit is contained in:
Daniel-Eisenberg 2025-06-11 11:34:48 +03:00 committed by GitHub
parent bc1eac9d39
commit 782dfeada6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 71 additions and 3 deletions


@ -28,6 +28,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
Buffer NginxParser::tenant_header_key = Buffer(); Buffer NginxParser::tenant_header_key = Buffer();
static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC); static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
static const Buffer waf_tag_key("x-waf-tag", 9, Buffer::MemoryType::STATIC);
static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC); static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr; bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
@ -231,17 +232,20 @@ NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string>
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n" static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
); );
if (NginxParser::tenant_header_key == header.getKey()) { const auto &header_key = header.getKey();
if (NginxParser::tenant_header_key == header_key) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Identified active tenant header. Key: " << "Identified active tenant header. Key: "
<< dumpHex(header.getKey()) << dumpHex(header_key)
<< ", Value: " << ", Value: "
<< dumpHex(header.getValue()); << dumpHex(header.getValue());
auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue()); auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]); opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
} else if (proxy_ip_header_key == header.getKey()) { } else if (proxy_ip_header_key == header_key) {
source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP); source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
} else if (waf_tag_key == header_key) {
source_identifiers.setWafTagValuesToOpaqueCtx(header);
} }
} }
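Review bot: The `x-waf-tag` branch added at lines 38–39 copies a request header into the session context with no check that it arrived from a trusted hop, so unless the ingress in front of the attachment strips or overwrites a client-supplied `x-waf-tag`, any client can choose the value and steer its own requests into whichever `EqualWafTag` rule it prefers. The neighbouring `X-Forwarded-For` path hands its header to `setXFFValuesToOpaqueCtx` with an extract type, which presumably applies the configured proxy trust; the new branch has no equivalent. If the tag is meant to be set only upstream, state that where the key is declared, e.g. `// x-waf-tag is trusted as-is: the ingress in front of the attachment must strip client-supplied values.`, and consider gating the branch on the same proxy-trust configuration. Note also that `waf_tag_key` is declared lowercase while `proxy_ip_header_key` is mixed-case (line 20); if `Buffer::operator==` is a plain byte comparison, a proxy sending `X-WAF-Tag` will never match. The enclosing `parseRequestHeaders` loop begins before this hunk.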


@ -366,6 +366,24 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
return; return;
} }
void
UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
{
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
return;
}
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Added waf tag to context: "
<< static_cast<string>(header.getValue());
return;
}
Maybe<string> Maybe<string>
UsersAllIdentifiersConfig::parseCookieElement( UsersAllIdentifiersConfig::parseCookieElement(
const string::const_iterator &start, const string::const_iterator &start,
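Review bot: `setWafTagValuesToOpaqueCtx` (lines 49–62) stores the header value verbatim with no length bound and calls `setSavedData` on every occurrence, so a request carrying `x-waf-tag` twice presumably ends up with whichever copy the attachment delivers last, which is an easy way for a client to override a value a front proxy appended. Decide the duplicate semantics explicitly, either keeping the first value or dropping the tag when the header repeats, and cap the stored length so an attacker cannot park an arbitrary-length string in the session table. The value is also echoed into the debug log at lines 58–60; since it is client-controlled it should be treated like any other untrusted string there, and `dumpHex` as the tenant-header path on line 33 uses is the safer form. The trailing `return;` at line 61 is redundant. Whether `setSavedData` overwrites or appends is inferred from its name and should be confirmed against `NginxAttachmentOpaque`.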


@ -45,6 +45,19 @@ private:
std::string host; std::string host;
}; };
class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{
public:
EqualWafTag(const std::vector<std::string> &params);
static std::string getName() { return "EqualWafTag"; }
Maybe<bool, Context::Error> evalVariable() const override;
private:
std::string waf_tag;
};
class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment> class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{ {
public: public:
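Review bot: The `EqualWafTag` declaration at lines 72–80 carries no comment, and since this matcher is the point where a request header becomes a rulebase decision a maintainer needs to know what it compares and what it trusts. I would add above the class: `// Matches when the request's x-waf-tag header (saved under HttpTransactionData::waf_tag_ctx) equals the configured tag; the comparison is exact and the header is only as trustworthy as the proxy that sets it.` The sibling `EqualListeningIP` class continues past the end of the hunk.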


@ -137,6 +137,7 @@ public:
static const std::string source_identifier; static const std::string source_identifier;
static const std::string proxy_ip_ctx; static const std::string proxy_ip_ctx;
static const std::string xff_vals_ctx; static const std::string xff_vals_ctx;
static const std::string waf_tag_ctx;
static const CompressionType default_response_content_encoding; static const CompressionType default_response_content_encoding;


@ -30,6 +30,7 @@ public:
void parseRequestHeaders(const HttpHeader &header) const; void parseRequestHeaders(const HttpHeader &header) const;
std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const; std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const; void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
private: private:
class UsersIdentifiersConfig class UsersIdentifiersConfig


@ -103,6 +103,35 @@ WildcardHost::evalVariable() const
return lower_host_ctx == lower_host; return lower_host_ctx == lower_host;
} }
EqualWafTag::EqualWafTag(const vector<string> &params)
{
if (params.size() != 1) reportWrongNumberOfParams("EqualWafTag", params.size(), 1, 1);
waf_tag = params[0];
}
Maybe<bool, Context::Error>
EqualWafTag::evalVariable() const
{
I_Environment *env = Singleton::Consume<I_Environment>::by<EqualWafTag>();
auto maybe_waf_tag_ctx = env->get<string>(HttpTransactionData::waf_tag_ctx);
if (!maybe_waf_tag_ctx.ok())
{
dbgTrace(D_RULEBASE_CONFIG) << "didnt find waf tag in current context";
return false;
}
auto waf_tag_ctx = maybe_waf_tag_ctx.unpack();
dbgTrace(D_RULEBASE_CONFIG)
<< "trying to match waf tag context with its corresponding waf tag: "
<< waf_tag_ctx
<< ". Matcher waf tag: "
<< waf_tag;
return waf_tag_ctx == waf_tag;
}
EqualListeningIP::EqualListeningIP(const vector<string> &params) EqualListeningIP::EqualListeningIP(const vector<string> &params)
{ {
if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1); if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1);
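Review bot: In the `EqualWafTag` constructor (lines 109–113) `params[0]` is read unconditionally after `reportWrongNumberOfParams`, so if that helper reports and returns rather than throwing, an empty `params` vector is an out-of-bounds read; `EqualListeningIP` on line 134 has the same shape, so this may be an accepted project convention, but an early `return;` after the report costs nothing if the helper throws and removes the undefined behaviour if it does not. In `evalVariable` the match is an exact, case-sensitive string comparison (line 130) and a missing context value yields `false` (line 122), which is the right fail-closed default; I would record that above the function, e.g. `// Exact match against the saved x-waf-tag value; no tag in context means no match.` The trace message on line 121 has a typo (`didnt`). That `env->get<string>` sees values stored through `opaque.setSavedData` is assumed here, not visible in this hunk.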


@ -80,6 +80,7 @@ GenericRulebase::Impl::preload()
addMatcher<IpProtocolMatcher>(); addMatcher<IpProtocolMatcher>();
addMatcher<UrlMatcher>(); addMatcher<UrlMatcher>();
addMatcher<EqualHost>(); addMatcher<EqualHost>();
addMatcher<EqualWafTag>();
addMatcher<WildcardHost>(); addMatcher<WildcardHost>();
addMatcher<EqualListeningIP>(); addMatcher<EqualListeningIP>();
addMatcher<EqualListeningPort>(); addMatcher<EqualListeningPort>();


@ -53,6 +53,7 @@ const string HttpTransactionData::req_body = "transaction_request_body
const string HttpTransactionData::source_identifier = "sourceIdentifiers"; const string HttpTransactionData::source_identifier = "sourceIdentifiers";
const string HttpTransactionData::proxy_ip_ctx = "proxy_ip"; const string HttpTransactionData::proxy_ip_ctx = "proxy_ip";
const string HttpTransactionData::xff_vals_ctx = "xff_vals"; const string HttpTransactionData::xff_vals_ctx = "xff_vals";
const string HttpTransactionData::waf_tag_ctx = "waf_tag";
const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION; const CompressionType HttpTransactionData::default_response_content_encoding = CompressionType::NO_COMPRESSION;