linting
This commit is contained in:
Sebastien Blot
parent
2a920124fe
commit
393a8b8ef5
|
|
@ -305,7 +305,7 @@ func (w *WaapSource) IsAuth(apiKey string) bool {
|
||||||
Timeout: 200 * time.Millisecond,
|
Timeout: 200 * time.Millisecond,
|
||||||
}
|
}
|
||||||
|
|
||||||
req, err := http.NewRequest("HEAD", w.lapiURL, nil)
|
req, err := http.NewRequest(http.MethodHead, w.lapiURL, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Error creating request: %s", err)
|
log.Errorf("Error creating request: %s", err)
|
||||||
return false
|
return false
|
||||||
|
|
|
||||||
|
|
@ -581,14 +581,17 @@ func (t *HubTestItem) RunWithNucleiTemplate() error {
|
||||||
|
|
||||||
//wait for the waap port to be available
|
//wait for the waap port to be available
|
||||||
if _, err := IsAlive(DefaultWaapHost); err != nil {
|
if _, err := IsAlive(DefaultWaapHost); err != nil {
|
||||||
return fmt.Errorf("Waap is down: %s", err)
|
return fmt.Errorf("waap is down: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if the target is available
|
// check if the target is available
|
||||||
nucleiTargetParsedURL, err := url.Parse(DefaultNucleiTarget)
|
nucleiTargetParsedURL, err := url.Parse(DefaultNucleiTarget)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("unable to parse target '%s': %s", DefaultNucleiTarget, err)
|
||||||
|
}
|
||||||
nucleiTargetHost := nucleiTargetParsedURL.Host
|
nucleiTargetHost := nucleiTargetParsedURL.Host
|
||||||
if _, err := IsAlive(nucleiTargetHost); err != nil {
|
if _, err := IsAlive(nucleiTargetHost); err != nil {
|
||||||
return fmt.Errorf("Target is down: %s", err)
|
return fmt.Errorf("target is down: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
nucleiConfig := NucleiConfig{
|
nucleiConfig := NucleiConfig{
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ import (
|
||||||
|
|
||||||
/*
|
/*
|
||||||
1. If user triggered a rule that is for a CVE, that has high confidence and that is blocking, ban
|
1. If user triggered a rule that is for a CVE, that has high confidence and that is blocking, ban
|
||||||
2. If user triggered 3 distinct rules with medium confidence accross 3 different requests, ban
|
2. If user triggered 3 distinct rules with medium confidence across 3 different requests, ban
|
||||||
|
|
||||||
|
|
||||||
any(evt.Waf.ByTag("CVE"), {.confidence == "high" && .action == "block"})
|
any(evt.Waf.ByTag("CVE"), {.confidence == "high" && .action == "block"})
|
||||||
|
|
|
||||||
|
|
@ -112,10 +112,7 @@ func (e *crzLogEvent) Stringer(key string, val fmt.Stringer) dbg.Event {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (e crzLogEvent) IsEnabled() bool {
|
func (e crzLogEvent) IsEnabled() bool {
|
||||||
if e.muted {
|
return !e.muted
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
type crzLogger struct {
|
type crzLogger struct {
|
||||||
|
|
|
||||||
|
|
@ -281,22 +281,22 @@ func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) {
|
||||||
// the real source of the request is set in 'x-client-ip'
|
// the real source of the request is set in 'x-client-ip'
|
||||||
clientIP := r.Header.Get(IPHeaderName)
|
clientIP := r.Header.Get(IPHeaderName)
|
||||||
if clientIP == "" {
|
if clientIP == "" {
|
||||||
return ParsedRequest{}, fmt.Errorf("Missing '%s' header", IPHeaderName)
|
return ParsedRequest{}, fmt.Errorf("missing '%s' header", IPHeaderName)
|
||||||
}
|
}
|
||||||
// the real target Host of the request is set in 'x-client-host'
|
// the real target Host of the request is set in 'x-client-host'
|
||||||
clientHost := r.Header.Get(HostHeaderName)
|
clientHost := r.Header.Get(HostHeaderName)
|
||||||
if clientHost == "" {
|
if clientHost == "" {
|
||||||
return ParsedRequest{}, fmt.Errorf("Missing '%s' header", HostHeaderName)
|
return ParsedRequest{}, fmt.Errorf("missing '%s' header", HostHeaderName)
|
||||||
}
|
}
|
||||||
// the real URI of the request is set in 'x-client-uri'
|
// the real URI of the request is set in 'x-client-uri'
|
||||||
clientURI := r.Header.Get(URIHeaderName)
|
clientURI := r.Header.Get(URIHeaderName)
|
||||||
if clientURI == "" {
|
if clientURI == "" {
|
||||||
return ParsedRequest{}, fmt.Errorf("Missing '%s' header", URIHeaderName)
|
return ParsedRequest{}, fmt.Errorf("missing '%s' header", URIHeaderName)
|
||||||
}
|
}
|
||||||
// the real VERB of the request is set in 'x-client-uri'
|
// the real VERB of the request is set in 'x-client-uri'
|
||||||
clientMethod := r.Header.Get(VerbHeaderName)
|
clientMethod := r.Header.Get(VerbHeaderName)
|
||||||
if clientMethod == "" {
|
if clientMethod == "" {
|
||||||
return ParsedRequest{}, fmt.Errorf("Missing '%s' header", VerbHeaderName)
|
return ParsedRequest{}, fmt.Errorf("missing '%s' header", VerbHeaderName)
|
||||||
}
|
}
|
||||||
|
|
||||||
// delete those headers before coraza process the request
|
// delete those headers before coraza process the request
|
||||||
|
|
@ -310,18 +310,19 @@ func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) {
|
||||||
return ParsedRequest{}, fmt.Errorf("unable to parse url '%s': %s", clientURI, err)
|
return ParsedRequest{}, fmt.Errorf("unable to parse url '%s': %s", clientURI, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
RemoteAddrNormalized := ""
|
remoteAddrNormalized := ""
|
||||||
host, _, err := net.SplitHostPort(r.RemoteAddr)
|
host, _, err := net.SplitHostPort(r.RemoteAddr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Invalid waap remote IP source %v: %s", r.RemoteAddr, err.Error())
|
log.Errorf("Invalid waap remote IP source %v: %s", r.RemoteAddr, err.Error())
|
||||||
RemoteAddrNormalized = r.RemoteAddr
|
remoteAddrNormalized = r.RemoteAddr
|
||||||
} else {
|
} else {
|
||||||
ip := net.ParseIP(host)
|
ip := net.ParseIP(host)
|
||||||
if ip == nil {
|
if ip == nil {
|
||||||
log.Errorf("Invalid waap remote IP address source %v: %s", r.RemoteAddr, err.Error())
|
log.Errorf("Invalid waap remote IP address source %v: %s", r.RemoteAddr, err.Error())
|
||||||
RemoteAddrNormalized = r.RemoteAddr
|
remoteAddrNormalized = r.RemoteAddr
|
||||||
|
} else {
|
||||||
|
remoteAddrNormalized = ip.String()
|
||||||
}
|
}
|
||||||
RemoteAddrNormalized = ip.String()
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return ParsedRequest{
|
return ParsedRequest{
|
||||||
|
|
@ -339,6 +340,6 @@ func NewParsedRequestFromRequest(r *http.Request) (ParsedRequest, error) {
|
||||||
Args: parsedURL.Query(), //TODO: Check if there's not potential bypass as it excludes malformed args
|
Args: parsedURL.Query(), //TODO: Check if there's not potential bypass as it excludes malformed args
|
||||||
TransferEncoding: r.TransferEncoding,
|
TransferEncoding: r.TransferEncoding,
|
||||||
ResponseChannel: make(chan WaapTempResponse),
|
ResponseChannel: make(chan WaapTempResponse),
|
||||||
RemoteAddrNormalized: RemoteAddrNormalized,
|
RemoteAddrNormalized: remoteAddrNormalized,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -8,44 +8,4 @@ type exprCustomFunc struct {
|
||||||
signature []interface{}
|
signature []interface{}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
var exprFuncs = []exprCustomFunc{}
|
||||||
func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} {
|
|
||||||
return map[string]interface{}{
|
|
||||||
"DisableInBandRuleByID": w.DisableInBandRuleByID,
|
|
||||||
"DisableOutBandRuleByID": w.DisableOutBandRuleByID,
|
|
||||||
"DisableInBandRuleByTag": w.DisableInBandRuleByTag,
|
|
||||||
"DisableOutBandRuleByTag": w.DisableOutBandRuleByTag,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
*/
|
|
||||||
|
|
||||||
/*var onLoadExprFuncs = []exprCustomFunc{
|
|
||||||
{
|
|
||||||
name: "DisableInBandRuleByID",
|
|
||||||
function: w.DisableInBandRuleByID,
|
|
||||||
signature: []interface{}{
|
|
||||||
new(func(int) error),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}*/
|
|
||||||
|
|
||||||
var preEvalExprFuncs = []exprCustomFunc{}
|
|
||||||
|
|
||||||
var onMatchExprFuncs = []exprCustomFunc{}
|
|
||||||
|
|
||||||
var exprFuncs = []exprCustomFunc{
|
|
||||||
/*{
|
|
||||||
name: "SetRulesToInband",
|
|
||||||
function: SetRulesToInband,
|
|
||||||
signature: []interface{}{
|
|
||||||
new(func() error),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "SetRulesToOutOfBand",
|
|
||||||
function: SetRulesToOutOfBand,
|
|
||||||
signature: []interface{}{
|
|
||||||
new(func() error),
|
|
||||||
},
|
|
||||||
},*/
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -6,19 +6,6 @@ import (
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
var exprFunctionOptions []expr.Option
|
|
||||||
|
|
||||||
func initWafHelpers() {
|
|
||||||
exprFunctionOptions = []expr.Option{}
|
|
||||||
for _, function := range exprFuncs {
|
|
||||||
exprFunctionOptions = append(exprFunctionOptions,
|
|
||||||
expr.Function(function.name,
|
|
||||||
function.function,
|
|
||||||
function.signature...,
|
|
||||||
))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
|
func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
|
||||||
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue