beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

use expr func

Browse source
This commit is contained in:
Sebastien Blot 2023-12-04 21:00:09 +01:00
parent b01901b04e
commit ac451ccaf3
No known key found for this signature in database
GPG key ID: DFC2902F40449F6A
7 changed files with 503 additions and 253 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

382
pkg/exprhelpers/expr_lib.go
View file

@ -6,438 +6,438 @@ import (
"github.com/crowdsecurity/crowdsec/pkg/cticlient" "github.com/crowdsecurity/crowdsec/pkg/cticlient"
) )
type exprCustomFunc struct { type ExprCustomFunc struct {
name string Name string
function func(params ...any) (any, error) Function func(params ...any) (any, error)
signature []interface{} Signature []interface{}
} }
var exprFuncs = []exprCustomFunc{ var exprFuncs = []ExprCustomFunc{
{ {
name: "CrowdsecCTI", Name: "CrowdsecCTI",
function: CrowdsecCTI, Function: CrowdsecCTI,
signature: []interface{}{ Signature: []interface{}{
new(func(string) (*cticlient.SmokeItem, error)), new(func(string) (*cticlient.SmokeItem, error)),
}, },
}, },
{ {
name: "Flatten", Name: "Flatten",
function: Flatten, Function: Flatten,
signature: []interface{}{}, Signature: []interface{}{},
}, },
{ {
name: "Distinct", Name: "Distinct",
function: Distinct, Function: Distinct,
signature: []interface{}{}, Signature: []interface{}{},
}, },
{ {
name: "FlattenDistinct", Name: "FlattenDistinct",
function: FlattenDistinct, Function: FlattenDistinct,
signature: []interface{}{}, Signature: []interface{}{},
}, },
{ {
name: "Distance", Name: "Distance",
function: Distance, Function: Distance,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, string, string) (float64, error)), new(func(string, string, string, string) (float64, error)),
}, },
}, },
{ {
name: "GetFromStash", Name: "GetFromStash",
function: GetFromStash, Function: GetFromStash,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) (string, error)), new(func(string, string) (string, error)),
}, },
}, },
{ {
name: "Atof", Name: "Atof",
function: Atof, Function: Atof,
signature: []interface{}{ Signature: []interface{}{
new(func(string) float64), new(func(string) float64),
}, },
}, },
{ {
name: "JsonExtract", Name: "JsonExtract",
function: JsonExtract, Function: JsonExtract,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "JsonExtractUnescape", Name: "JsonExtractUnescape",
function: JsonExtractUnescape, Function: JsonExtractUnescape,
signature: []interface{}{ Signature: []interface{}{
new(func(string, ...string) string), new(func(string, ...string) string),
}, },
}, },
{ {
name: "JsonExtractLib", Name: "JsonExtractLib",
function: JsonExtractLib, Function: JsonExtractLib,
signature: []interface{}{ Signature: []interface{}{
new(func(string, ...string) string), new(func(string, ...string) string),
}, },
}, },
{ {
name: "JsonExtractSlice", Name: "JsonExtractSlice",
function: JsonExtractSlice, Function: JsonExtractSlice,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) []interface{}), new(func(string, string) []interface{}),
}, },
}, },
{ {
name: "JsonExtractObject", Name: "JsonExtractObject",
function: JsonExtractObject, Function: JsonExtractObject,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) map[string]interface{}), new(func(string, string) map[string]interface{}),
}, },
}, },
{ {
name: "ToJsonString", Name: "ToJsonString",
function: ToJson, Function: ToJson,
signature: []interface{}{ Signature: []interface{}{
new(func(interface{}) string), new(func(interface{}) string),
}, },
}, },
{ {
name: "File", Name: "File",
function: File, Function: File,
signature: []interface{}{ Signature: []interface{}{
new(func(string) []string), new(func(string) []string),
}, },
}, },
{ {
name: "RegexpInFile", Name: "RegexpInFile",
function: RegexpInFile, Function: RegexpInFile,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) bool), new(func(string, string) bool),
}, },
}, },
{ {
name: "Upper", Name: "Upper",
function: Upper, Function: Upper,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "Lower", Name: "Lower",
function: Lower, Function: Lower,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "IpInRange", Name: "IpInRange",
function: IpInRange, Function: IpInRange,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) bool), new(func(string, string) bool),
}, },
}, },
{ {
name: "TimeNow", Name: "TimeNow",
function: TimeNow, Function: TimeNow,
signature: []interface{}{ Signature: []interface{}{
new(func() string), new(func() string),
}, },
}, },
{ {
name: "ParseUri", Name: "ParseUri",
function: ParseUri, Function: ParseUri,
signature: []interface{}{ Signature: []interface{}{
new(func(string) map[string][]string), new(func(string) map[string][]string),
}, },
}, },
{ {
name: "PathUnescape", Name: "PathUnescape",
function: PathUnescape, Function: PathUnescape,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "QueryUnescape", Name: "QueryUnescape",
function: QueryUnescape, Function: QueryUnescape,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "PathEscape", Name: "PathEscape",
function: PathEscape, Function: PathEscape,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "QueryEscape", Name: "QueryEscape",
function: QueryEscape, Function: QueryEscape,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "XMLGetAttributeValue", Name: "XMLGetAttributeValue",
function: XMLGetAttributeValue, Function: XMLGetAttributeValue,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, string) string), new(func(string, string, string) string),
}, },
}, },
{ {
name: "XMLGetNodeValue", Name: "XMLGetNodeValue",
function: XMLGetNodeValue, Function: XMLGetNodeValue,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "IpToRange", Name: "IpToRange",
function: IpToRange, Function: IpToRange,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "IsIPV6", Name: "IsIPV6",
function: IsIPV6, Function: IsIPV6,
signature: []interface{}{ Signature: []interface{}{
new(func(string) bool), new(func(string) bool),
}, },
}, },
{ {
name: "IsIPV4", Name: "IsIPV4",
function: IsIPV4, Function: IsIPV4,
signature: []interface{}{ Signature: []interface{}{
new(func(string) bool), new(func(string) bool),
}, },
}, },
{ {
name: "IsIP", Name: "IsIP",
function: IsIP, Function: IsIP,
signature: []interface{}{ Signature: []interface{}{
new(func(string) bool), new(func(string) bool),
}, },
}, },
{ {
name: "LookupHost", Name: "LookupHost",
function: LookupHost, Function: LookupHost,
signature: []interface{}{ Signature: []interface{}{
new(func(string) []string), new(func(string) []string),
}, },
}, },
{ {
name: "GetDecisionsCount", Name: "GetDecisionsCount",
function: GetDecisionsCount, Function: GetDecisionsCount,
signature: []interface{}{ Signature: []interface{}{
new(func(string) int), new(func(string) int),
}, },
}, },
{ {
name: "GetDecisionsSinceCount", Name: "GetDecisionsSinceCount",
function: GetDecisionsSinceCount, Function: GetDecisionsSinceCount,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) int), new(func(string, string) int),
}, },
}, },
{ {
name: "Sprintf", Name: "Sprintf",
function: Sprintf, Function: Sprintf,
signature: []interface{}{ Signature: []interface{}{
new(func(string, ...interface{}) string), new(func(string, ...interface{}) string),
}, },
}, },
{ {
name: "ParseUnix", Name: "ParseUnix",
function: ParseUnix, Function: ParseUnix,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "SetInStash", //FIXME: signature will probably blow everything up Name: "SetInStash", //FIXME: signature will probably blow everything up
function: SetInStash, Function: SetInStash,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, string, *time.Duration) error), new(func(string, string, string, *time.Duration) error),
}, },
}, },
{ {
name: "Fields", Name: "Fields",
function: Fields, Function: Fields,
signature: []interface{}{ Signature: []interface{}{
new(func(string) []string), new(func(string) []string),
}, },
}, },
{ {
name: "Index", Name: "Index",
function: Index, Function: Index,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) int), new(func(string, string) int),
}, },
}, },
{ {
name: "IndexAny", Name: "IndexAny",
function: IndexAny, Function: IndexAny,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) int), new(func(string, string) int),
}, },
}, },
{ {
name: "Join", Name: "Join",
function: Join, Function: Join,
signature: []interface{}{ Signature: []interface{}{
new(func([]string, string) string), new(func([]string, string) string),
}, },
}, },
{ {
name: "Split", Name: "Split",
function: Split, Function: Split,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) []string), new(func(string, string) []string),
}, },
}, },
{ {
name: "SplitAfter", Name: "SplitAfter",
function: SplitAfter, Function: SplitAfter,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) []string), new(func(string, string) []string),
}, },
}, },
{ {
name: "SplitAfterN", Name: "SplitAfterN",
function: SplitAfterN, Function: SplitAfterN,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, int) []string), new(func(string, string, int) []string),
}, },
}, },
{ {
name: "SplitN", Name: "SplitN",
function: SplitN, Function: SplitN,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, int) []string), new(func(string, string, int) []string),
}, },
}, },
{ {
name: "Replace", Name: "Replace",
function: Replace, Function: Replace,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, string, int) string), new(func(string, string, string, int) string),
}, },
}, },
{ {
name: "ReplaceAll", Name: "ReplaceAll",
function: ReplaceAll, Function: ReplaceAll,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string, string) string), new(func(string, string, string) string),
}, },
}, },
{ {
name: "Trim", Name: "Trim",
function: Trim, Function: Trim,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "TrimLeft", Name: "TrimLeft",
function: TrimLeft, Function: TrimLeft,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "TrimRight", Name: "TrimRight",
function: TrimRight, Function: TrimRight,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "TrimSpace", Name: "TrimSpace",
function: TrimSpace, Function: TrimSpace,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "TrimPrefix", Name: "TrimPrefix",
function: TrimPrefix, Function: TrimPrefix,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "TrimSuffix", Name: "TrimSuffix",
function: TrimSuffix, Function: TrimSuffix,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) string), new(func(string, string) string),
}, },
}, },
{ {
name: "Get", Name: "Get",
function: Get, Function: Get,
signature: []interface{}{ Signature: []interface{}{
new(func([]string, int) string), new(func([]string, int) string),
}, },
}, },
{ {
name: "ToString", Name: "ToString",
function: ToString, Function: ToString,
signature: []interface{}{ Signature: []interface{}{
new(func(interface{}) string), new(func(interface{}) string),
}, },
}, },
{ {
name: "Match", Name: "Match",
function: Match, Function: Match,
signature: []interface{}{ Signature: []interface{}{
new(func(string, string) bool), new(func(string, string) bool),
}, },
}, },
{ {
name: "KeyExists", Name: "KeyExists",
function: KeyExists, Function: KeyExists,
signature: []interface{}{ Signature: []interface{}{
new(func(string, map[string]any) bool), new(func(string, map[string]any) bool),
}, },
}, },
{ {
name: "LogInfo", Name: "LogInfo",
function: LogInfo, Function: LogInfo,
signature: []interface{}{ Signature: []interface{}{
new(func(string, ...interface{}) bool), new(func(string, ...interface{}) bool),
}, },
}, },
{ {
name: "B64Decode", Name: "B64Decode",
function: B64Decode, Function: B64Decode,
signature: []interface{}{ Signature: []interface{}{
new(func(string) string), new(func(string) string),
}, },
}, },
{ {
name: "UnmarshalJSON", Name: "UnmarshalJSON",
function: UnmarshalJSON, Function: UnmarshalJSON,
signature: []interface{}{ Signature: []interface{}{
new(func(string, map[string]interface{}, string) error), new(func(string, map[string]interface{}, string) error),
}, },
}, },
{ {
name: "ParseKV", Name: "ParseKV",
function: ParseKV, Function: ParseKV,
signature: []interface{}{ Signature: []interface{}{
new(func(string, map[string]interface{}, string) error), new(func(string, map[string]interface{}, string) error),
}, },
}, },
{ {
name: "Hostname", Name: "Hostname",
function: Hostname, Function: Hostname,
signature: []interface{}{ Signature: []interface{}{
new(func() (string, error)), new(func() (string, error)),
}, },
}, },
{ {
name: "FloatApproxEqual", Name: "FloatApproxEqual",
function: FloatApproxEqual, Function: FloatApproxEqual,
signature: []interface{}{ Signature: []interface{}{
new(func(float64, float64) bool), new(func(float64, float64) bool),
}, },
}, },

6
pkg/exprhelpers/helpers.go
View file

@ -60,9 +60,9 @@ func GetExprOptions(ctx map[string]interface{}) []expr.Option {
exprFunctionOptions = []expr.Option{} exprFunctionOptions = []expr.Option{}
for _, function := range exprFuncs { for _, function := range exprFuncs {
exprFunctionOptions = append(exprFunctionOptions, exprFunctionOptions = append(exprFunctionOptions,
expr.Function(function.name, expr.Function(function.Name,
function.function, function.Function,
function.signature..., function.Signature...,
)) ))
} }
} }

4
pkg/waf/request.go
View file

@ -58,12 +58,12 @@ type ReqDumpFilter struct {
ArgsDrop bool ArgsDrop bool
} }
func (r *ParsedRequest) DumpRequest(params ...any) *ReqDumpFilter { func (r *ParsedRequest) DumpRequest(params ...any) (any, error) {
filter := ReqDumpFilter{} filter := ReqDumpFilter{}
filter.BodyDrop = true filter.BodyDrop = true
filter.HeadersNameFilters = []string{"cookie", "authorization"} filter.HeadersNameFilters = []string{"cookie", "authorization"}
filter.req = r filter.req = r
return &filter return &filter, nil
} }
// clear filters // clear filters

3
pkg/waf/request_test.go
View file

@ -161,7 +161,8 @@ func TestBodyDumper(t *testing.T) {
for idx, test := range tests { for idx, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
orig_dr := test.req.DumpRequest() tmp_dr, _ := test.req.DumpRequest()
orig_dr := tmp_dr.(*ReqDumpFilter)
result := test.filter(orig_dr).GetFilteredRequest() result := test.filter(orig_dr).GetFilteredRequest()
if len(result.Body) != len(test.expect.Body) { if len(result.Body) != len(test.expect.Body) {

50
pkg/waf/waap.go
View file

@ -34,19 +34,26 @@ const (
func (h *Hook) Build(hookStage int) error { func (h *Hook) Build(hookStage int) error {
ctx := map[string]interface{}{} ctx := map[string]interface{}{}
opts := []expr.Option{}
switch hookStage { switch hookStage {
case hookOnLoad: case hookOnLoad:
ctx = GetOnLoadEnv(&WaapRuntimeConfig{}) opts = GetOnLoadEnv(ctx, &WaapRuntimeConfig{})
case hookPreEval: case hookPreEval:
ctx = GetPreEvalEnv(&WaapRuntimeConfig{}, &ParsedRequest{}) ctx["IsInBand"] = true
ctx["IsOutBand"] = true
opts = GetPreEvalEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
case hookPostEval: case hookPostEval:
ctx = GetPostEvalEnv(&WaapRuntimeConfig{}, &ParsedRequest{}) ctx["IsInBand"] = true
ctx["IsOutBand"] = true
opts = GetPostEvalEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
case hookOnMatch: case hookOnMatch:
ctx = GetOnMatchEnv(&WaapRuntimeConfig{}, &ParsedRequest{}, types.Event{}) ctx["evt"] = types.Event{}
ctx["IsInBand"] = true
ctx["IsOutBand"] = true
opts = GetOnMatchEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
} }
opts := GetExprWAFOptions(ctx)
if h.Filter != "" { if h.Filter != "" {
program, err := expr.Compile(h.Filter, opts...) //FIXME: opts program, err := expr.Compile(h.Filter, opts...)
if err != nil { if err != nil {
return fmt.Errorf("unable to compile filter %s : %w", h.Filter, err) return fmt.Errorf("unable to compile filter %s : %w", h.Filter, err)
} }
@ -283,7 +290,7 @@ func (wc *WaapConfig) Build() (*WaapRuntimeConfig, error) {
func (w *WaapRuntimeConfig) ProcessOnLoadRules() error { func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
for _, rule := range w.CompiledOnLoad { for _, rule := range w.CompiledOnLoad {
if rule.FilterExpr != nil { if rule.FilterExpr != nil {
output, err := exprhelpers.Run(rule.FilterExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel) output, err := exprhelpers.Run(rule.FilterExpr, map[string]interface{}{}, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
return fmt.Errorf("unable to run waap on_load filter %s : %w", rule.Filter, err) return fmt.Errorf("unable to run waap on_load filter %s : %w", rule.Filter, err)
} }
@ -299,7 +306,7 @@ func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
} }
} }
for _, applyExpr := range rule.ApplyExpr { for _, applyExpr := range rule.ApplyExpr {
_, err := exprhelpers.Run(applyExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel) _, err := exprhelpers.Run(applyExpr, map[string]interface{}{}, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
log.Errorf("unable to apply waap on_load expr: %s", err) log.Errorf("unable to apply waap on_load expr: %s", err)
continue continue
@ -310,10 +317,14 @@ func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
} }
func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error { func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error {
ctx := map[string]interface{}{
"evt": evt,
"IsInBand": request.IsInBand,
"IsOutBand": request.IsOutBand,
}
for _, rule := range w.CompiledOnMatch { for _, rule := range w.CompiledOnMatch {
if rule.FilterExpr != nil { if rule.FilterExpr != nil {
output, err := exprhelpers.Run(rule.FilterExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel) output, err := exprhelpers.Run(rule.FilterExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
return fmt.Errorf("unable to run waap on_match filter %s : %w", rule.Filter, err) return fmt.Errorf("unable to run waap on_match filter %s : %w", rule.Filter, err)
} }
@ -329,7 +340,7 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt type
} }
} }
for _, applyExpr := range rule.ApplyExpr { for _, applyExpr := range rule.ApplyExpr {
_, err := exprhelpers.Run(applyExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel) _, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
log.Errorf("unable to apply waap on_match expr: %s", err) log.Errorf("unable to apply waap on_match expr: %s", err)
continue continue
@ -340,9 +351,13 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt type
} }
func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error { func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
ctx := map[string]interface{}{
"IsInBand": request.IsInBand,
"IsOutBand": request.IsOutBand,
}
for _, rule := range w.CompiledPreEval { for _, rule := range w.CompiledPreEval {
if rule.FilterExpr != nil { if rule.FilterExpr != nil {
output, err := exprhelpers.Run(rule.FilterExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) output, err := exprhelpers.Run(rule.FilterExpr, GetPreEvalEnv(ctx, w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
return fmt.Errorf("unable to run waap pre_eval filter %s : %w", rule.Filter, err) return fmt.Errorf("unable to run waap pre_eval filter %s : %w", rule.Filter, err)
} }
@ -359,7 +374,7 @@ func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
} }
// here means there is no filter or the filter matched // here means there is no filter or the filter matched
for _, applyExpr := range rule.ApplyExpr { for _, applyExpr := range rule.ApplyExpr {
_, err := exprhelpers.Run(applyExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) _, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
log.Errorf("unable to apply waap pre_eval expr: %s", err) log.Errorf("unable to apply waap pre_eval expr: %s", err)
continue continue
@ -371,9 +386,13 @@ func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
} }
func (w *WaapRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error { func (w *WaapRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error {
ctx := map[string]interface{}{
"IsInBand": request.IsInBand,
"IsOutBand": request.IsOutBand,
}
for _, rule := range w.CompiledPostEval { for _, rule := range w.CompiledPostEval {
if rule.FilterExpr != nil { if rule.FilterExpr != nil {
output, err := exprhelpers.Run(rule.FilterExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) output, err := exprhelpers.Run(rule.FilterExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
return fmt.Errorf("unable to run waap post_eval filter %s : %w", rule.Filter, err) return fmt.Errorf("unable to run waap post_eval filter %s : %w", rule.Filter, err)
} }
@ -390,7 +409,7 @@ func (w *WaapRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error {
} }
// here means there is no filter or the filter matched // here means there is no filter or the filter matched
for _, applyExpr := range rule.ApplyExpr { for _, applyExpr := range rule.ApplyExpr {
_, err := exprhelpers.Run(applyExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) _, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
if err != nil { if err != nil {
log.Errorf("unable to apply waap post_eval expr: %s", err) log.Errorf("unable to apply waap post_eval expr: %s", err)
continue continue
@ -551,6 +570,7 @@ func (w *WaapRuntimeConfig) SetActionByID(params ...any) (any, error) {
// func (w *WaapRuntimeConfig) SetActionByID(name string, action string) error { // func (w *WaapRuntimeConfig) SetActionByID(name string, action string) error {
func (w *WaapRuntimeConfig) SetActionByName(params ...any) (any, error) { func (w *WaapRuntimeConfig) SetActionByName(params ...any) (any, error) {
fmt.Printf("%v+\n", w)
if w.RemediationByTag == nil { if w.RemediationByTag == nil {
w.RemediationByTag = make(map[string]string) w.RemediationByTag = make(map[string]string)
} }

8
pkg/waf/waf_expr_lib.go
View file

@ -1,11 +1,3 @@
package waf package waf
//This is a copy paste from expr_lib.go, we probably want to only have one ? //This is a copy paste from expr_lib.go, we probably want to only have one ?
type exprCustomFunc struct {
name string
function func(params ...any) (any, error)
signature []interface{}
}
var exprFuncs = []exprCustomFunc{}

303
pkg/waf/waf_helpers.go
View file

@ -3,40 +3,183 @@ package waf
import ( import (
"github.com/antonmedv/expr" "github.com/antonmedv/expr"
"github.com/crowdsecurity/crowdsec/pkg/exprhelpers" "github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
"github.com/crowdsecurity/crowdsec/pkg/types"
) )
func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option { var exprOnLoadOptions = []expr.Option{}
var exprPreEvalOptions = []expr.Option{}
var exprPostEvalOptions = []expr.Option{}
var exprOnMatchOptions = []expr.Option{}
func GetOnLoadEnv(ctx map[string]interface{}, w *WaapRuntimeConfig) []expr.Option {
baseHelpers := exprhelpers.GetExprOptions(ctx) baseHelpers := exprhelpers.GetExprOptions(ctx)
onLoadHelpers := []exprhelpers.ExprCustomFunc{
for _, function := range exprFuncs { {
baseHelpers = append(baseHelpers, Name: "RemoveInBandRuleByID",
expr.Function(function.name, Function: w.DisableInBandRuleByID,
function.function, Signature: []interface{}{
function.signature..., new(func(int) error),
)) },
},
{
Name: "RemoveInBandRuleByTag",
Function: w.DisableInBandRuleByTag,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveInBandRuleByName",
Function: w.DisableInBandRuleByName,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveOutBandRuleByID",
Function: w.DisableOutBandRuleByID,
Signature: []interface{}{
new(func(int) error),
},
},
{
Name: "RemoveOutBandRuleByTag",
Function: w.DisableOutBandRuleByTag,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveOutBandRuleByName",
Function: w.DisableOutBandRuleByName,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "SetRemediationByTag",
Function: w.SetActionByTag,
Signature: []interface{}{
new(func(string, string) error),
},
},
{
Name: "SetRemediationByID",
Function: w.SetActionByID,
Signature: []interface{}{
new(func(int, string) error),
},
},
{
Name: "SetRemediationByName",
Function: w.SetActionByName,
Signature: []interface{}{
new(func(string, string) error),
},
},
} }
return baseHelpers
if len(exprOnLoadOptions) == 0 {
for _, function := range onLoadHelpers {
exprOnLoadOptions = append(exprOnLoadOptions,
expr.Function(
function.Name,
function.Function,
function.Signature...,
),
)
}
exprOnLoadOptions = append(exprOnLoadOptions, baseHelpers...)
}
return exprOnLoadOptions
} }
func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} { func GetPreEvalEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
//FIXME: use expr.Function instead of this
return map[string]interface{}{ baseHelpers := exprhelpers.GetExprOptions(ctx)
"RemoveInBandRuleByID": w.DisableInBandRuleByID, preEvalHelpers := []exprhelpers.ExprCustomFunc{
"RemoveInBandRuleByTag": w.DisableInBandRuleByTag, {
"RemoveInBandRuleByName": w.DisableInBandRuleByName, Name: "RemoveInBandRuleByID",
"RemoveOutBandRuleByID": w.DisableOutBandRuleByID, Function: w.RemoveInbandRuleByID,
"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag, Signature: []interface{}{
"RemoveOutBandRuleByName": w.DisableOutBandRuleByName, new(func(int) error),
"SetRemediationByTag": w.SetActionByTag, },
"SetRemediationByID": w.SetActionByID, },
"SetRemediationByName": w.SetActionByName, {
} Name: "RemoveInBandRuleByTag",
} Function: w.RemoveInbandRuleByTag,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveInBandRuleByName",
Function: w.RemoveInbandRuleByName,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveOutBandRuleByID",
Function: w.RemoveOutbandRuleByID,
Signature: []interface{}{
new(func(int) error),
},
},
{
Name: "RemoveOutBandRuleByTag",
Function: w.RemoveOutbandRuleByTag,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "RemoveOutBandRuleByName",
Function: w.RemoveOutbandRuleByName,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "SetRemediationByTag",
Function: w.SetActionByTag,
Signature: []interface{}{
new(func(string, string) error),
},
},
{
Name: "SetRemediationByID",
Function: w.SetActionByID,
Signature: []interface{}{
new(func(int, string) error),
},
},
{
Name: "SetRemediationByName",
Function: w.SetActionByName,
Signature: []interface{}{
new(func(string, string) error),
},
},
}
if len(exprPreEvalOptions) == 0 {
for _, function := range preEvalHelpers {
exprPreEvalOptions = append(exprPreEvalOptions,
expr.Function(
function.Name,
function.Function,
function.Signature...,
),
)
}
exprPreEvalOptions = append(exprPreEvalOptions, baseHelpers...)
}
return exprPreEvalOptions
func GetPreEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]interface{} {
//FIXME: use expr.Function instead of this //FIXME: use expr.Function instead of this
return map[string]interface{}{ /*return map[string]interface{}{
"IsInBand": request.IsInBand, "IsInBand": request.IsInBand,
"IsOutBand": request.IsOutBand, "IsOutBand": request.IsOutBand,
"RemoveInBandRuleByID": w.RemoveInbandRuleByID, "RemoveInBandRuleByID": w.RemoveInbandRuleByID,
@ -48,20 +191,114 @@ func GetPreEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]inte
"SetRemediationByTag": w.SetActionByTag, "SetRemediationByTag": w.SetActionByTag,
"SetRemediationByID": w.SetActionByID, "SetRemediationByID": w.SetActionByID,
"SetRemediationByName": w.SetActionByName, "SetRemediationByName": w.SetActionByName,
} }*/
} }
func GetPostEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]interface{} { func GetPostEvalEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
//FIXME: use expr.Function instead of this baseHelpers := exprhelpers.GetExprOptions(ctx)
postEvalHelpers := []exprhelpers.ExprCustomFunc{
{
Name: "DumpRequest",
Function: request.DumpRequest,
Signature: []interface{}{
new(func() *ReqDumpFilter),
},
},
}
if len(exprPostEvalOptions) == 0 {
for _, function := range postEvalHelpers {
exprPostEvalOptions = append(exprPostEvalOptions,
expr.Function(
function.Name,
function.Function,
function.Signature...,
),
)
}
exprPostEvalOptions = append(exprPostEvalOptions, baseHelpers...)
}
return exprPostEvalOptions
/*//FIXME: use expr.Function instead of this
return map[string]interface{}{ return map[string]interface{}{
"IsInBand": request.IsInBand, "IsInBand": request.IsInBand,
"IsOutBand": request.IsOutBand, "IsOutBand": request.IsOutBand,
"DumpRequest": request.DumpRequest, "DumpRequest": request.DumpRequest,
} }*/
} }
func GetOnMatchEnv(w *WaapRuntimeConfig, request *ParsedRequest, evt types.Event) map[string]interface{} { func GetOnMatchEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
//FIXME: use expr.Function instead of this baseHelpers := exprhelpers.GetExprOptions(ctx)
onMatchHelpers := []exprhelpers.ExprCustomFunc{
{
Name: "SetRemediation",
Function: w.SetAction,
Signature: []interface{}{
new(func(string) error),
},
},
{
Name: "SetReturnCode",
Function: w.SetHTTPCode,
Signature: []interface{}{
new(func(int) error),
},
},
{
Name: "CancelEvent",
Function: w.CancelEvent,
Signature: []interface{}{
new(func() error),
},
},
{
Name: "SendEvent",
Function: w.SendEvent,
Signature: []interface{}{
new(func() error),
},
},
{
Name: "CancelAlert",
Function: w.CancelAlert,
Signature: []interface{}{
new(func() error),
},
},
{
Name: "SendAlert",
Function: w.SendAlert,
Signature: []interface{}{
new(func() error),
},
},
{
Name: "DumpRequest",
Function: request.DumpRequest,
Signature: []interface{}{
new(func() *ReqDumpFilter),
},
},
}
if len(exprOnMatchOptions) == 0 {
for _, function := range onMatchHelpers {
exprOnMatchOptions = append(exprOnMatchOptions,
expr.Function(
function.Name,
function.Function,
function.Signature...,
),
)
}
exprOnMatchOptions = append(exprOnMatchOptions, baseHelpers...)
}
return exprOnMatchOptions
/*//FIXME: use expr.Function instead of this
return map[string]interface{}{ return map[string]interface{}{
"evt": evt, "evt": evt,
"req": request, "req": request,
@ -74,5 +311,5 @@ func GetOnMatchEnv(w *WaapRuntimeConfig, request *ParsedRequest, evt types.Event
"CancelAlert": w.CancelAlert, "CancelAlert": w.CancelAlert,
"SendAlert": w.SendAlert, "SendAlert": w.SendAlert,
"DumpRequest": request.DumpRequest, "DumpRequest": request.DumpRequest,
} }*/
} }