bui 2023-09-13 18:03:03 +02:00
parent 7081666199
commit 6a47b9e97d
4 changed files with 24 additions and 28 deletions


@ -267,29 +267,7 @@ func (w *WaapSource) waapHandler(rw http.ResponseWriter, r *http.Request) {
w.InChan <- parsedRequest
response := <-parsedRequest.ResponseChannel
// //@tko this parts needs to be redone
// if message.Err != nil {
// log.Errorf("Error while processing InBAND: %s", err)
// rw.WriteHeader(http.StatusInternalServerError)
// return
// }
// //here we must rely on WaapRuntimeConfig to know what to do
// if message.Interruption != nil {
// rw.WriteHeader(http.StatusForbidden)
// action := message.Interruption.Action
// if action == "deny" { // bouncers understand "ban" and not "deny"
// action = "ban"
// }
// body, err := json.Marshal(BodyResponse{Action: action})
// if err != nil {
// log.Errorf("unable to build response: %s", err)
// } else {
// rw.Write(body)
// }
// return
// }
log.Infof("resp %+v", response)
rw.WriteHeader(response.HTTPResponseCode)
body, err := json.Marshal(BodyResponse{Action: response.Action})
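Review bot: `rw.WriteHeader(response.HTTPResponseCode)` passes the code through unchecked, and net/http panics on a status code below 100, so a response whose code was never set (no hook called SetAction, or the configured passed/blocked codes are zero; neither is visible here) aborts the request instead of returning a verdict. For a WAF endpoint the failure mode should be explicit; a guard such as `if response.HTTPResponseCode < 100 { rw.WriteHeader(http.StatusInternalServerError); return }` before the call would do that. The receive on `parsedRequest.ResponseChannel` also has no timeout or `r.Context()` cancellation, so a runner path that never replies would leave this handler blocked. `log.Infof("resp %+v", response)` dumps the whole response on every request and reads like leftover debugging; `log.Debugf` would suit it better. waapHandler continues outside the hunk.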


@ -43,6 +43,7 @@ func (r *WaapRunner) Run(t *tomb.Tomb) error {
r.logger.Errorf("unable to process PreEval rules: %s", err)
continue
}
log.Infof("now response is -> %s", r.WaapRuntime.Response.Action)
//inband WAAP rules
err = r.WaapRuntime.ProcessInBandRules(request)
elapsed := time.Since(startParsing)
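Review bot: The added `log.Infof("now response is -> %s", r.WaapRuntime.Response.Action)` uses the package-level logger at Info level on the per-request path, while the line just above it reports through `r.logger`. I would write it as `r.logger.Debugf("response action after pre-eval: %s", r.WaapRuntime.Response.Action)` so it carries the runner's fields and stays out of production logs. Run's loop starts and ends outside the hunk.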


@ -26,7 +26,7 @@ func (t *ExtendedTransaction) RemoveRuleByIDWithError(id int) error {
}
// simply used to ease the compilation & runtime of the hooks
func GetHookEnv(w WaapRuntimeConfig, request ParsedRequest) map[string]interface{} {
func GetHookEnv(w *WaapRuntimeConfig, request ParsedRequest) map[string]interface{} {
return map[string]interface{}{
"inband_rules": w.InBandRules,
"outband_rules": w.OutOfBandRules,
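Review bot: The doc comment on GetHookEnv no longer describes the contract now that it takes `*WaapRuntimeConfig`: the environment is built from the caller's runtime rather than a copy, so anything a hook changes through it presumably persists after the expression returns. I would say so in the comment, e.g. `// GetHookEnv builds the expr environment for hooks; w is shared with the caller, not copied, and must be non-nil.` A nil `w` now panics at `w.InBandRules`, which the value signature could not do. The function body continues outside the hunk.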


@ -32,7 +32,7 @@ func (h *Hook) Build() error {
h.FilterExpr = program
}
for _, apply := range h.Apply {
program, err := expr.Compile(apply, GetExprWAFOptions(GetHookEnv(WaapRuntimeConfig{}, ParsedRequest{}))...)
program, err := expr.Compile(apply, GetExprWAFOptions(GetHookEnv(&WaapRuntimeConfig{}, ParsedRequest{}))...)
if err != nil {
return fmt.Errorf("unable to compile apply %s : %w", apply, err)
}
@ -220,7 +220,7 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request ParsedRequest) error {
func (w *WaapRuntimeConfig) ProcessPreEvalRules(request ParsedRequest) error {
for _, rule := range w.CompiledPreEval {
if rule.FilterExpr != nil {
output, err := expr.Run(rule.FilterExpr, GetHookEnv(*w, request))
output, err := expr.Run(rule.FilterExpr, GetHookEnv(w, request))
if err != nil {
return fmt.Errorf("unable to run filter %s : %w", rule.Filter, err)
}
@ -237,7 +237,7 @@ func (w *WaapRuntimeConfig) ProcessPreEvalRules(request ParsedRequest) error {
}
// here means there is no filter or the filter matched
for _, applyExpr := range rule.ApplyExpr {
_, err := expr.Run(applyExpr, GetHookEnv(*w, request))
_, err := expr.Run(applyExpr, GetHookEnv(w, request))
if err != nil {
log.Errorf("unable to apply filter: %s", err)
continue
@ -275,7 +275,24 @@ func (w *WaapRuntimeConfig) RemoveOutbandRuleByID(id int) error {
}
func (w *WaapRuntimeConfig) SetAction(action string) error {
log.Infof("setting to %s", action)
switch action {
case "allow":
w.Response.Action = action
w.Response.HTTPResponseCode = w.Config.PassedHTTPCode
//how should we handle this ?
case "deny", "ban", "block":
w.Response.Action = "ban"
w.Response.HTTPResponseCode = w.Config.BlockedHTTPCode
case "log":
w.Response.Action = action
w.Response.HTTPResponseCode = w.Config.PassedHTTPCode
case "captcha":
w.Response.Action = action
w.Response.HTTPResponseCode = w.Config.BlockedHTTPCode
default:
return fmt.Errorf("unknown action %s", action)
}
return nil
}
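Review bot: SetAction writes the verdict into `w.Response` on the shared runtime, and its `default` branch returns an error without touching it, so whatever action and HTTP code were there before stay in effect. Nothing in the visible hunks resets `w.Response` per request; if the same WaapRuntimeConfig serves successive requests, a rule with a mistyped action would leave a previous request's verdict (or a zero HTTP code) in place. I would either reset the response at the start of each request or fail closed in the default branch, e.g. `w.Response.Action = "ban"` and `w.Response.HTTPResponseCode = w.Config.BlockedHTTPCode` before the `return`. The `//how should we handle this ?` comment under `allow` should also be resolved or turned into a TODO that states the open question, since as written a later `allow` silently overrides an earlier `ban`.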