mirror of
https://github.com/openappsec/openappsec.git
synced 2025-09-29 19:24:26 +03:00
June 27th update
This commit is contained in:
Ned Wright
@@ -273,55 +273,58 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
|
||||
// Detect and decode potential base64 chunks in the value before further processing
|
||||
|
||||
bool base64ParamFound = false;
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << " ===Processing potential base64===";
|
||||
std::string decoded_val, decoded_key;
|
||||
Waap::Util::BinaryFileType base64BinaryFileType = Waap::Util::BinaryFileType::FILE_TYPE_NONE;
|
||||
base64_variants base64_status = Waap::Util::b64Test(cur_val, decoded_key, decoded_val, base64BinaryFileType);
|
||||
if (m_depth == 1 && flags == BUFFERED_RECEIVER_F_MIDDLE && m_key.depth() == 1 && m_key.first() != "#base64"){
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << " === will not check base64 since prev data block was not b64-encoded ===";
|
||||
} else {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << " ===Processing potential base64===";
|
||||
std::string decoded_val, decoded_key;
|
||||
base64_variants base64_status = Waap::Util::b64Test(cur_val, decoded_key, decoded_val, base64BinaryFileType);
|
||||
|
||||
dbgTrace(D_WAAP_DEEP_PARSER)
|
||||
<< " status = "
|
||||
<< base64_status
|
||||
<< " key = "
|
||||
<< decoded_key
|
||||
<< " value = "
|
||||
<< decoded_val;
|
||||
dbgTrace(D_WAAP_DEEP_PARSER)
|
||||
<< " status = "
|
||||
<< base64_status
|
||||
<< " key = "
|
||||
<< decoded_key
|
||||
<< " value = "
|
||||
<< decoded_val;
|
||||
|
||||
switch (base64_status) {
|
||||
case SINGLE_B64_CHUNK_CONVERT:
|
||||
cur_val = decoded_val;
|
||||
base64ParamFound = true;
|
||||
break;
|
||||
case KEY_VALUE_B64_PAIR:
|
||||
// going deep with new pair in case value is not empty
|
||||
if (decoded_val.size() > 0) {
|
||||
switch (base64_status) {
|
||||
case SINGLE_B64_CHUNK_CONVERT:
|
||||
cur_val = decoded_val;
|
||||
base64ParamFound = true;
|
||||
rc = onKv(
|
||||
decoded_key.c_str(),
|
||||
decoded_key.size(),
|
||||
cur_val.data(),
|
||||
cur_val.size(),
|
||||
flags,
|
||||
parser_depth
|
||||
break;
|
||||
case KEY_VALUE_B64_PAIR:
|
||||
// going deep with new pair in case value is not empty
|
||||
if (decoded_val.size() > 0) {
|
||||
cur_val = decoded_val;
|
||||
base64ParamFound = true;
|
||||
rc = onKv(
|
||||
decoded_key.c_str(),
|
||||
decoded_key.size(),
|
||||
cur_val.data(),
|
||||
cur_val.size(),
|
||||
flags,
|
||||
parser_depth
|
||||
);
|
||||
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << " rc = " << rc;
|
||||
if (rc != CONTINUE_PARSING) {
|
||||
return rc;
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << " rc = " << rc;
|
||||
if (rc != CONTINUE_PARSING) {
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
case CONTINUE_AS_IS:
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case CONTINUE_AS_IS:
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (base64ParamFound) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "DeepParser::onKv(): pushing #base64 prefix to the key.";
|
||||
m_key.push("#base64", 7, false);
|
||||
if (base64ParamFound) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "DeepParser::onKv(): pushing #base64 prefix to the key.";
|
||||
m_key.push("#base64", 7, false);
|
||||
}
|
||||
}
|
||||
|
||||
// cur_val is later passed through some filters (such as urldecode) before JSON, XML or HTML is detected/decoded
|
||||
std::string orig_val = cur_val;
|
||||
|
||||
@@ -472,19 +475,19 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
|
||||
if (rc != CONTINUE_PARSING) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (Waap::Util::detectJSONasParameter(cur_val, decoded_key, decoded_val)) {
|
||||
std::string json_decoded_val, json_decoded_key;
|
||||
if (Waap::Util::detectJSONasParameter(cur_val, json_decoded_key, json_decoded_val)) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER)
|
||||
<< " detectJSONasParameter was true: key = "
|
||||
<< decoded_key
|
||||
<< json_decoded_key
|
||||
<< " value = "
|
||||
<< decoded_val;
|
||||
<< json_decoded_val;
|
||||
|
||||
rc = onKv(
|
||||
decoded_key.c_str(),
|
||||
decoded_key.size(),
|
||||
decoded_val.data(),
|
||||
decoded_val.size(),
|
||||
json_decoded_key.c_str(),
|
||||
json_decoded_key.size(),
|
||||
json_decoded_val.data(),
|
||||
json_decoded_val.size(),
|
||||
flags,
|
||||
parser_depth
|
||||
);
|
||||
|
||||
@@ -22,6 +22,7 @@
|
||||
#define BUFFERED_RECEIVER_F_LAST 0x02
|
||||
#define BUFFERED_RECEIVER_F_BOTH (BUFFERED_RECEIVER_F_FIRST | BUFFERED_RECEIVER_F_LAST)
|
||||
#define BUFFERED_RECEIVER_F_UNNAMED 0x04
|
||||
#define BUFFERED_RECEIVER_F_MIDDLE 0x00
|
||||
|
||||
#if (DISTRO_centos6)
|
||||
// pre c++11 compiler doesn' support the "final" keyword
|
||||
|
||||
@@ -727,7 +727,6 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
|
||||
"sync notification for '" + m_assetId + "'",
|
||||
ReportIS::AudienceTeam::WAAP,
|
||||
syncNotification,
|
||||
false,
|
||||
MessageCategory::GENERIC,
|
||||
ReportIS::Tags::WAF,
|
||||
ReportIS::Notification::SYNC_LEARNING
|
||||
|
||||
@@ -39,12 +39,19 @@ public:
|
||||
m_op = to_lower_copy(m_op);
|
||||
m_isCidr = false;
|
||||
m_value = "";
|
||||
m_isValid = true;
|
||||
|
||||
if (m_op == "basic") {
|
||||
// If op == "BASIC" - read numeric value
|
||||
ar(cereal::make_nvp("tag", m_tag));
|
||||
m_tag = to_lower_copy(m_tag);
|
||||
|
||||
if (m_tag != "sourceip" && m_tag != "sourceidentifier" && m_tag != "url" && m_tag != "hostname" &&
|
||||
m_tag != "keyword" && m_tag != "paramname" && m_tag != "paramvalue" && m_tag != "paramlocation" &&
|
||||
m_tag != "responsebody" && m_tag != "headername" && m_tag != "headervalue" ) {
|
||||
m_isValid = false;
|
||||
dbgDebug(D_WAAP_OVERRIDE) << "Invalid override tag: " << m_tag;
|
||||
}
|
||||
// The name "value" here is misleading. The real meaning is "regex pattern string"
|
||||
ar(cereal::make_nvp("value", m_value));
|
||||
|
||||
@@ -73,12 +80,14 @@ public:
|
||||
m_operand2 = std::make_shared<Match>();
|
||||
ar(cereal::make_nvp("operand2", *m_operand2));
|
||||
m_isOverrideResponse = m_operand1->m_isOverrideResponse || m_operand2->m_isOverrideResponse;
|
||||
m_isValid = m_operand1->m_isValid && m_operand2->m_isValid;
|
||||
}
|
||||
else if (m_op == "not") {
|
||||
// If op is "NOT" get one operand
|
||||
m_operand1 = std::make_shared<Match>();
|
||||
ar(cereal::make_nvp("operand1", *m_operand1));
|
||||
m_isOverrideResponse = m_operand1->m_isOverrideResponse;
|
||||
m_isValid = m_operand1->m_isValid;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -120,6 +129,10 @@ public:
|
||||
return m_isOverrideResponse;
|
||||
}
|
||||
|
||||
bool isValidMatch() const{
|
||||
return m_isValid;
|
||||
}
|
||||
|
||||
private:
|
||||
std::string m_op;
|
||||
std::shared_ptr<Match> m_operand1;
|
||||
@@ -130,6 +143,7 @@ private:
|
||||
Waap::Util::CIDRData m_cidr;
|
||||
bool m_isCidr;
|
||||
bool m_isOverrideResponse;
|
||||
bool m_isValid;
|
||||
};
|
||||
|
||||
class Behavior
|
||||
@@ -189,6 +203,9 @@ private:
|
||||
|
||||
class Rule {
|
||||
public:
|
||||
|
||||
Rule(): m_match(), m_isChangingRequestData(false), isValid(true){}
|
||||
|
||||
bool operator==(const Rule &other) const;
|
||||
|
||||
template <typename _A>
|
||||
@@ -202,6 +219,11 @@ public:
|
||||
m_id.clear();
|
||||
}
|
||||
ar(cereal::make_nvp("parsedMatch", m_match));
|
||||
if (!m_match.isValidMatch()) {
|
||||
dbgDebug(D_WAAP_OVERRIDE) << "An override rule was not load";
|
||||
isValid = false;
|
||||
}
|
||||
|
||||
ar(cereal::make_nvp("parsedBehavior", m_behaviors));
|
||||
|
||||
m_isChangingRequestData = false;
|
||||
@@ -242,6 +264,7 @@ public:
|
||||
dbgTrace(D_WAAP_OVERRIDE) << "Rule not matched";
|
||||
}
|
||||
|
||||
|
||||
bool isChangingRequestData() const {
|
||||
return m_isChangingRequestData;
|
||||
}
|
||||
@@ -253,11 +276,16 @@ public:
|
||||
return m_id;
|
||||
}
|
||||
|
||||
bool isValidRule() const {
|
||||
return isValid;
|
||||
}
|
||||
|
||||
private:
|
||||
Match m_match;
|
||||
bool m_isChangingRequestData;
|
||||
std::vector<Behavior> m_behaviors;
|
||||
std::string m_id;
|
||||
bool isValid;
|
||||
};
|
||||
|
||||
class Policy {
|
||||
@@ -270,6 +298,10 @@ public:
|
||||
|
||||
for (std::vector<Waap::Override::Rule>::const_iterator it = rules.begin(); it != rules.end(); ++it) {
|
||||
const Waap::Override::Rule& rule = *it;
|
||||
if (!rule.isValidRule()) {
|
||||
dbgWarning(D_WAAP_OVERRIDE) << "rule is not valid";
|
||||
continue;
|
||||
}
|
||||
if (rule.isChangingRequestData())
|
||||
{
|
||||
m_RequestOverrides.push_back(rule);
|
||||
|
||||
@@ -145,6 +145,6 @@ bool WaapOverrideFunctor::operator()(const std::string& tag, const boost::regex&
|
||||
}
|
||||
|
||||
// Unknown tag: should not occur
|
||||
dbgWarning(D_WAAP) << "Invalid override tag: " << tag;
|
||||
dbgDebug(D_WAAP) << "Invalid override tag: " << tag;
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -1516,6 +1516,7 @@ Waf2Transaction::decideAfterHeaders()
|
||||
return finalizeDecision(sitePolicy, shouldBlock);
|
||||
}
|
||||
|
||||
|
||||
// Note: the only user of the transactionResult structure filled by this method is waap_automation.
|
||||
// TODO: Consider removing this parameter (and provide access to this information by other means)
|
||||
int
|
||||
|
||||
@@ -567,12 +567,11 @@ Waap::Override::State Waf2Transaction::getOverrideState(IWaapConfig* sitePolicy)
|
||||
|
||||
extractEnvSourceIdentifier();
|
||||
|
||||
Waap::Override::State overrideStateResponse;
|
||||
if (overridePolicy) { // later we will run response overrides
|
||||
overrideStateResponse.applyOverride(*overridePolicy, WaapOverrideFunctor(*this), m_matchedOverrideIds, false);
|
||||
m_overrideState.applyOverride(*overridePolicy, WaapOverrideFunctor(*this), m_matchedOverrideIds, false);
|
||||
}
|
||||
m_isHeaderOverrideScanRequired = false;
|
||||
return overrideStateResponse;
|
||||
return m_overrideState;
|
||||
}
|
||||
|
||||
Waf2TransactionFlags &Waf2Transaction::getTransactionFlags()
|
||||
|
||||
Reference in New Issue
Block a user