package appsec import ( "fmt" "os" "regexp" "" "" "" "" "" log "" "" ) type Hook struct { Filter string `yaml:"filter"` FilterExpr *vm.Program `yaml:"-"` OnSuccess string `yaml:"on_success"` Apply []string `yaml:"apply"` ApplyExpr []*vm.Program `yaml:"-"` } const ( hookOnLoad = iota hookPreEval hookPostEval hookOnMatch ) func (h *Hook) Build(hookStage int) error { ctx := map[string]interface{}{} switch hookStage { case hookOnLoad: ctx = GetOnLoadEnv(&AppsecRuntimeConfig{}) case hookPreEval: ctx = GetPreEvalEnv(&AppsecRuntimeConfig{}, &ParsedRequest{}) case hookPostEval: ctx = GetPostEvalEnv(&AppsecRuntimeConfig{}, &ParsedRequest{}) case hookOnMatch: ctx = GetOnMatchEnv(&AppsecRuntimeConfig{}, &ParsedRequest{}, types.Event{}) } opts := exprhelpers.GetExprOptions(ctx) if h.Filter != "" { program, err := expr.Compile(h.Filter, opts...) //FIXME: opts if err != nil { return fmt.Errorf("unable to compile filter %s : %w", h.Filter, err) } h.FilterExpr = program } for _, apply := range h.Apply { program, err := expr.Compile(apply, opts...) if err != nil { return fmt.Errorf("unable to compile apply %s : %w", apply, err) } h.ApplyExpr = append(h.ApplyExpr, program) } return nil } type AppsecTempResponse struct { InBandInterrupt bool OutOfBandInterrupt bool Action string //allow, deny, captcha, log HTTPResponseCode int SendEvent bool //do we send an internal event on rule match SendAlert bool //do we send an alert on rule match } type AppsecSubEngineOpts struct { DisableBodyInspection bool `yaml:"disable_body_inspection"` RequestBodyInMemoryLimit *int `yaml:"request_body_in_memory_limit"` } // runtime version of AppsecConfig type AppsecRuntimeConfig struct { Name string OutOfBandRules []AppsecCollection InBandRules []AppsecCollection DefaultRemediation string RemediationByTag map[string]string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME RemediationById map[int]string CompiledOnLoad []Hook CompiledPreEval []Hook CompiledPostEval []Hook CompiledOnMatch []Hook CompiledVariablesTracking []*regexp.Regexp Config *AppsecConfig //CorazaLogger debuglog.Logger //those are ephemeral, created/destroyed with every req OutOfBandTx ExtendedTransaction //is it a good idea ? InBandTx ExtendedTransaction //is it a good idea ? Response AppsecTempResponse //should we store matched rules here ? Logger *log.Entry //Set by on_load to ignore some rules on loading DisabledInBandRuleIds []int DisabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME DisabledOutOfBandRuleIds []int DisabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME } type AppsecConfig struct { Name string `yaml:"name"` OutOfBandRules []string `yaml:"outofband_rules"` InBandRules []string `yaml:"inband_rules"` DefaultRemediation string `yaml:"default_remediation"` DefaultPassAction string `yaml:"default_pass_action"` BlockedHTTPCode int `yaml:"blocked_http_code"` PassedHTTPCode int `yaml:"passed_http_code"` OnLoad []Hook `yaml:"on_load"` PreEval []Hook `yaml:"pre_eval"` PostEval []Hook `yaml:"post_eval"` OnMatch []Hook `yaml:"on_match"` VariablesTracking []string `yaml:"variables_tracking"` InbandOptions AppsecSubEngineOpts `yaml:"inband_options"` OutOfBandOptions AppsecSubEngineOpts `yaml:"outofband_options"` LogLevel *log.Level `yaml:"log_level"` Logger *log.Entry `yaml:"-"` } func (w *AppsecRuntimeConfig) ClearResponse() { log.Debugf("#-> %p", w) w.Response = AppsecTempResponse{} log.Debugf("-> %p", w.Config) w.Response.Action = w.Config.DefaultPassAction w.Response.HTTPResponseCode = w.Config.PassedHTTPCode w.Response.SendEvent = true w.Response.SendAlert = true } func (wc *AppsecConfig) LoadByPath(file string) error { wc.Logger.Debugf("loading config %s", file) yamlFile, err := os.ReadFile(file) if err != nil { return fmt.Errorf("unable to read file %s : %s", file, err) } err = yaml.UnmarshalStrict(yamlFile, wc) if err != nil { return fmt.Errorf("unable to parse yaml file %s : %s", file, err) } if wc.Name == "" { return fmt.Errorf("name cannot be empty") } if wc.LogLevel == nil { lvl := wc.Logger.Logger.GetLevel() wc.LogLevel = &lvl } wc.Logger = wc.Logger.Dup().WithField("name", wc.Name) wc.Logger.Logger.SetLevel(*wc.LogLevel) if wc.DefaultRemediation == "" { return fmt.Errorf("default_remediation cannot be empty") } switch wc.DefaultRemediation { case "ban", "captcha", "log": //those are the officially supported remediation(s) default: wc.Logger.Warningf("default '%s' remediation of %s is none of [ban,captcha,log] ensure bouncer compatbility!", wc.DefaultRemediation, file) } if wc.BlockedHTTPCode == 0 { wc.BlockedHTTPCode = 403 } if wc.PassedHTTPCode == 0 { wc.PassedHTTPCode = 200 } if wc.DefaultPassAction == "" { wc.DefaultPassAction = "allow" } return nil } func (wc *AppsecConfig) Load(configName string) error { appsecConfigs := hub.GetItemMap(cwhub.APPSEC_CONFIGS) for _, hubAppsecConfigItem := range appsecConfigs { if !hubAppsecConfigItem.State.Installed { continue } if hubAppsecConfigItem.Name != configName { continue } wc.Logger.Infof("loading %s", hubAppsecConfigItem.State.LocalPath) err := wc.LoadByPath(hubAppsecConfigItem.State.LocalPath) if err != nil { return fmt.Errorf("unable to load appsec-config %s : %s", hubAppsecConfigItem.State.LocalPath, err) } return nil } return fmt.Errorf("no appsec-config found for %s", configName) } func (wc *AppsecConfig) GetDataDir() string { return hub.GetDataDir() } func (wc *AppsecConfig) Build() (*AppsecRuntimeConfig, error) { ret := &AppsecRuntimeConfig{Logger: wc.Logger.WithField("component", "appsec_runtime_config")} ret.Name = wc.Name ret.Config = wc ret.DefaultRemediation = wc.DefaultRemediation wc.Logger.Tracef("Loading config %+v", wc) //load rules for _, rule := range wc.OutOfBandRules { wc.Logger.Infof("loading outofband rule %s", rule) collections, err := LoadCollection(rule, wc.Logger.WithField("component", "appsec_collection_loader")) if err != nil { return nil, fmt.Errorf("unable to load outofband rule %s : %s", rule, err) } ret.OutOfBandRules = append(ret.OutOfBandRules, collections...) } wc.Logger.Infof("Loaded %d outofband rules", len(ret.OutOfBandRules)) for _, rule := range wc.InBandRules { wc.Logger.Infof("loading inband rule %s", rule) collections, err := LoadCollection(rule, wc.Logger.WithField("component", "appsec_collection_loader")) if err != nil { return nil, fmt.Errorf("unable to load inband rule %s : %s", rule, err) } ret.InBandRules = append(ret.InBandRules, collections...) } wc.Logger.Infof("Loaded %d inband rules", len(ret.InBandRules)) //load hooks for _, hook := range wc.OnLoad { err := hook.Build(hookOnLoad) if err != nil { return nil, fmt.Errorf("unable to build on_load hook : %s", err) } ret.CompiledOnLoad = append(ret.CompiledOnLoad, hook) } for _, hook := range wc.PreEval { err := hook.Build(hookPreEval) if err != nil { return nil, fmt.Errorf("unable to build pre_eval hook : %s", err) } ret.CompiledPreEval = append(ret.CompiledPreEval, hook) } for _, hook := range wc.PostEval { err := hook.Build(hookPostEval) if err != nil { return nil, fmt.Errorf("unable to build post_eval hook : %s", err) } ret.CompiledPostEval = append(ret.CompiledPostEval, hook) } for _, hook := range wc.OnMatch { err := hook.Build(hookOnMatch) if err != nil { return nil, fmt.Errorf("unable to build on_match hook : %s", err) } ret.CompiledOnMatch = append(ret.CompiledOnMatch, hook) } //variable tracking for _, variable := range wc.VariablesTracking { compiledVariableRule, err := regexp.Compile(variable) if err != nil { return nil, fmt.Errorf("cannot compile variable regexp %s: %w", variable, err) } ret.CompiledVariablesTracking = append(ret.CompiledVariablesTracking, compiledVariableRule) } return ret, nil } func (w *AppsecRuntimeConfig) ProcessOnLoadRules() error { for _, rule := range w.CompiledOnLoad { if rule.FilterExpr != nil { output, err := exprhelpers.Run(rule.FilterExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { return fmt.Errorf("unable to run appsec on_load filter %s : %w", rule.Filter, err) } switch t := output.(type) { case bool: if !t { log.Debugf("filter didnt match") continue } default: log.Errorf("Filter must return a boolean, can't filter") continue } } for _, applyExpr := range rule.ApplyExpr { _, err := exprhelpers.Run(applyExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { log.Errorf("unable to apply appsec on_load expr: %s", err) continue } } } return nil } func (w *AppsecRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error { for _, rule := range w.CompiledOnMatch { if rule.FilterExpr != nil { output, err := exprhelpers.Run(rule.FilterExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { return fmt.Errorf("unable to run appsec on_match filter %s : %w", rule.Filter, err) } switch t := output.(type) { case bool: if !t { log.Debugf("filter didnt match") continue } default: log.Errorf("Filter must return a boolean, can't filter") continue } } for _, applyExpr := range rule.ApplyExpr { _, err := exprhelpers.Run(applyExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { log.Errorf("unable to apply appsec on_match expr: %s", err) continue } } } return nil } func (w *AppsecRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error { for _, rule := range w.CompiledPreEval { if rule.FilterExpr != nil { output, err := exprhelpers.Run(rule.FilterExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { return fmt.Errorf("unable to run appsec pre_eval filter %s : %w", rule.Filter, err) } switch t := output.(type) { case bool: if !t { log.Debugf("filter didnt match") continue } default: log.Errorf("Filter must return a boolean, can't filter") continue } } // here means there is no filter or the filter matched for _, applyExpr := range rule.ApplyExpr { _, err := exprhelpers.Run(applyExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { log.Errorf("unable to apply appsec pre_eval expr: %s", err) continue } } } return nil } func (w *AppsecRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error { for _, rule := range w.CompiledPostEval { if rule.FilterExpr != nil { output, err := exprhelpers.Run(rule.FilterExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { return fmt.Errorf("unable to run appsec post_eval filter %s : %w", rule.Filter, err) } switch t := output.(type) { case bool: if !t { log.Debugf("filter didnt match") continue } default: log.Errorf("Filter must return a boolean, can't filter") continue } } // here means there is no filter or the filter matched for _, applyExpr := range rule.ApplyExpr { _, err := exprhelpers.Run(applyExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel) if err != nil { log.Errorf("unable to apply appsec post_eval expr: %s", err) continue } } } return nil } func (w *AppsecRuntimeConfig) RemoveInbandRuleByID(id int) error { w.Logger.Debugf("removing inband rule %d", id) return w.InBandTx.RemoveRuleByIDWithError(id) } func (w *AppsecRuntimeConfig) RemoveOutbandRuleByID(id int) error { w.Logger.Debugf("removing outband rule %d", id) return w.OutOfBandTx.RemoveRuleByIDWithError(id) } func (w *AppsecRuntimeConfig) RemoveInbandRuleByTag(tag string) error { w.Logger.Debugf("removing inband rule with tag %s", tag) return w.InBandTx.RemoveRuleByTagWithError(tag) } func (w *AppsecRuntimeConfig) RemoveOutbandRuleByTag(tag string) error { w.Logger.Debugf("removing outband rule with tag %s", tag) return w.OutOfBandTx.RemoveRuleByTagWithError(tag) } func (w *AppsecRuntimeConfig) RemoveInbandRuleByName(name string) error { tag := fmt.Sprintf("crowdsec-%s", name) w.Logger.Debugf("removing inband rule %s", tag) return w.InBandTx.RemoveRuleByTagWithError(tag) } func (w *AppsecRuntimeConfig) RemoveOutbandRuleByName(name string) error { tag := fmt.Sprintf("crowdsec-%s", name) w.Logger.Debugf("removing outband rule %s", tag) return w.OutOfBandTx.RemoveRuleByTagWithError(tag) } func (w *AppsecRuntimeConfig) CancelEvent() error { w.Logger.Debugf("canceling event") w.Response.SendEvent = false return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableInBandRuleByID(id int) error { w.DisabledInBandRuleIds = append(w.DisabledInBandRuleIds, id) return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableInBandRuleByName(name string) error { tagValue := fmt.Sprintf("crowdsec-%s", name) w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, tagValue) return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableInBandRuleByTag(tag string) error { w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, tag) return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableOutBandRuleByID(id int) error { w.DisabledOutOfBandRuleIds = append(w.DisabledOutOfBandRuleIds, id) return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableOutBandRuleByName(name string) error { tagValue := fmt.Sprintf("crowdsec-%s", name) w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, tagValue) return nil } // Disable a rule at load time, meaning it will not run for any request func (w *AppsecRuntimeConfig) DisableOutBandRuleByTag(tag string) error { w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, tag) return nil } func (w *AppsecRuntimeConfig) SendEvent() error { w.Logger.Debugf("sending event") w.Response.SendEvent = true return nil } func (w *AppsecRuntimeConfig) SendAlert() error { w.Logger.Debugf("sending alert") w.Response.SendAlert = true return nil } func (w *AppsecRuntimeConfig) CancelAlert() error { w.Logger.Debugf("canceling alert") w.Response.SendAlert = false return nil } func (w *AppsecRuntimeConfig) SetActionByTag(tag string, action string) error { if w.RemediationByTag == nil { w.RemediationByTag = make(map[string]string) } w.Logger.Debugf("setting action of %s to %s", tag, action) w.RemediationByTag[tag] = action return nil } func (w *AppsecRuntimeConfig) SetActionByID(id int, action string) error { if w.RemediationById == nil { w.RemediationById = make(map[int]string) } w.Logger.Debugf("setting action of %d to %s", id, action) w.RemediationById[id] = action return nil } func (w *AppsecRuntimeConfig) SetActionByName(name string, action string) error { if w.RemediationByTag == nil { w.RemediationByTag = make(map[string]string) } tag := fmt.Sprintf("crowdsec-%s", name) w.Logger.Debugf("setting action of %s to %s", tag, action) w.RemediationByTag[tag] = action return nil } func (w *AppsecRuntimeConfig) SetAction(action string) error { //log.Infof("setting to %s", action) w.Logger.Debugf("setting action to %s", action) switch action { case "allow": w.Response.Action = action w.Response.HTTPResponseCode = w.Config.PassedHTTPCode //@tko how should we handle this ? it seems bouncer only understand bans, but it might be misleading ? case "deny", "ban", "block": w.Response.Action = "ban" case "log": w.Response.Action = action w.Response.HTTPResponseCode = w.Config.PassedHTTPCode case "captcha": w.Response.Action = action default: return fmt.Errorf("unknown action %s", action) } return nil } func (w *AppsecRuntimeConfig) SetHTTPCode(code int) error { w.Logger.Debugf("setting http code to %d", code) w.Response.HTTPResponseCode = code return nil } type BodyResponse struct { Action string `json:"action"` HTTPStatus int `json:"http_status"` } func (w *AppsecRuntimeConfig) GenerateResponse(response AppsecTempResponse, logger *log.Entry) BodyResponse { resp := BodyResponse{} //if there is no interrupt, we should allow with default code if !response.InBandInterrupt { resp.Action = w.Config.DefaultPassAction resp.HTTPStatus = w.Config.PassedHTTPCode return resp } resp.Action = response.Action if resp.Action == "" { resp.Action = w.Config.DefaultRemediation } logger.Debugf("action is %s", resp.Action) resp.HTTPStatus = response.HTTPResponseCode if resp.HTTPStatus == 0 { resp.HTTPStatus = w.Config.BlockedHTTPCode } logger.Debugf("http status is %d", resp.HTTPStatus) return resp }