Fix Remove{in,out}bandby{name,tag}

2023-12-04 15:02:32 +01:00 · 2023-12-04 15:02:32 +01:00 · cb030beaca
commit cb030beaca
parent 6fb965bb3f
5 changed files with 48 additions and 18 deletions
--- a/go.mod
+++ b/go.mod
@ -90,7 +90,7 @@ require (
 )

 require (
-	github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734
+	github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39
 	golang.org/x/text v0.14.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.0
--- a/go.sum
+++ b/go.sum
@ -102,6 +102,10 @@ github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75 h1:Kp1sY2P
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231114091225-b0f8bc435a75/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734 h1:THMSMkBW/DLG5NvMAr/Mdg/eQOrEnMJ9Y+UdFG4yV8k=
 github.com/crowdsecurity/coraza/v3 v3.0.0-20231204125126-35deffad7734/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9 h1:vFJiYtKOW5DwGQ9gxQi8+XDNc+YvuXXsJyWXXuiOn+M=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135226-6c45fc2dedf9/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39 h1:vY0KZvoS4Xl9IfGucBA4l1CV1auRPPJtjZSTz/Rl6iQ=
+github.com/crowdsecurity/coraza/v3 v3.0.0-20231204135508-23eef9bf7f39/go.mod h1:jNww1Y9SujXQc89zDR+XOb70bkC7mZ6ep7iKhUBBsiI=
 github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26 h1:r97WNVC30Uen+7WnLs4xDScS/Ex988+id2k6mDf8psU=
 github.com/crowdsecurity/dlog v0.0.0-20170105205344-4fb5f8204f26/go.mod h1:zpv7r+7KXwgVUZnUNjyP22zc/D7LKjyoY02weH2RBbk=
 github.com/crowdsecurity/go-cs-lib v0.0.5 h1:eVLW+BRj3ZYn0xt5/xmgzfbbB8EBo32gM4+WpQQk2e8=
--- a/pkg/acquisition/modules/waap/waap_runner.go
+++ b/pkg/acquisition/modules/waap/waap_runner.go
@ -70,6 +70,30 @@ func (r *WaapRunner) Init(datadir string) error {
 	}
 	r.WaapOutbandEngine, err = coraza.NewWAF(outbandCfg)

+	if r.WaapRuntime.DisabledInBandRulesTags != nil {
+		for _, tag := range r.WaapRuntime.DisabledInBandRulesTags {
+			r.WaapInbandEngine.GetRuleGroup().DeleteByTag(tag)
+		}
+	}
+
+	if r.WaapRuntime.DisabledOutOfBandRulesTags != nil {
+		for _, tag := range r.WaapRuntime.DisabledOutOfBandRulesTags {
+			r.WaapOutbandEngine.GetRuleGroup().DeleteByTag(tag)
+		}
+	}
+
+	if r.WaapRuntime.DisabledInBandRuleIds != nil {
+		for _, id := range r.WaapRuntime.DisabledInBandRuleIds {
+			r.WaapInbandEngine.GetRuleGroup().DeleteByID(id)
+		}
+	}
+
+	if r.WaapRuntime.DisabledOutOfBandRuleIds != nil {
+		for _, id := range r.WaapRuntime.DisabledOutOfBandRuleIds {
+			r.WaapOutbandEngine.GetRuleGroup().DeleteByID(id)
+		}
+	}
+
 	if err != nil {
 		return fmt.Errorf("unable to initialize outband engine : %w", err)
 	}
--- a/pkg/waf/waap.go
+++ b/pkg/waf/waap.go
@ -103,11 +103,11 @@ type WaapRuntimeConfig struct {
 	Logger *log.Entry

 	//Set by on_load to ignore some rules on loading
-	disabledInBandRuleIds   []int
-	disabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
+	DisabledInBandRuleIds   []int
+	DisabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME

-	disabledOutOfBandRuleIds   []int
-	disabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
+	DisabledOutOfBandRuleIds   []int
+	DisabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
 }

 type WaapConfig struct {
@ -434,7 +434,7 @@ func (w *WaapRuntimeConfig) CancelEvent(params ...any) (any, error) {
 // func (w *WaapRuntimeConfig) DisableInBandRuleByID(id int) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
-	w.disabledInBandRuleIds = append(w.disabledInBandRuleIds, params[0].(int))
+	w.DisabledInBandRuleIds = append(w.DisabledInBandRuleIds, params[0].(int))
 	return nil, nil
 }

@ -442,21 +442,21 @@ func (w *WaapRuntimeConfig) DisableInBandRuleByID(params ...any) (any, error) {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByName(params ...any) (any, error) {
 	tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
-	w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, tagValue)
+	w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, tagValue)
 	return nil, nil
 }

 // func (w *WaapRuntimeConfig) DisableInBandRuleByTag(tag string) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableInBandRuleByTag(params ...any) (any, error) {
-	w.disabledInBandRulesTags = append(w.disabledInBandRulesTags, params[0].(string))
+	w.DisabledInBandRulesTags = append(w.DisabledInBandRulesTags, params[0].(string))
 	return nil, nil
 }

 // func (w *WaapRuntimeConfig) DisableOutBandRuleByID(id int) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
-	w.disabledOutOfBandRuleIds = append(w.disabledOutOfBandRuleIds, params[0].(int))
+	w.DisabledOutOfBandRuleIds = append(w.DisabledOutOfBandRuleIds, params[0].(int))
 	return nil, nil
 }

@ -464,14 +464,14 @@ func (w *WaapRuntimeConfig) DisableOutBandRuleByID(params ...any) (any, error) {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByName(params ...any) (any, error) {
 	tagValue := fmt.Sprintf("crowdsec-%s", params[0].(string))
-	w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, tagValue)
+	w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, tagValue)
 	return nil, nil
 }

 // func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(tag string) error {
 // Disable a rule at load time, meaning it will not run for any request
 func (w *WaapRuntimeConfig) DisableOutBandRuleByTag(params ...any) (any, error) {
-	w.disabledOutOfBandRulesTags = append(w.disabledOutOfBandRulesTags, params[0].(string))
+	w.DisabledOutOfBandRulesTags = append(w.DisabledOutOfBandRulesTags, params[0].(string))
 	return nil, nil
 }

--- a/pkg/waf/waf_helpers.go
+++ b/pkg/waf/waf_helpers.go
@ -22,13 +22,15 @@ func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
 func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} {
 	//FIXME: use expr.Function instead of this
 	return map[string]interface{}{
-		"RemoveInBandRuleByID":   w.DisableInBandRuleByID,
-		"RemoveOutBandRuleByID":  w.DisableOutBandRuleByID,
-		"RemoveInBandRuleByTag":  w.DisableInBandRuleByTag,
-		"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag,
-		"SetRemediationByTag":    w.SetActionByTag,
-		"SetRemediationByID":     w.SetActionByID,
-		"SetRemediationByName":   w.SetActionByName,
+		"RemoveInBandRuleByID":    w.DisableInBandRuleByID,
+		"RemoveOutBandRuleByID":   w.DisableOutBandRuleByID,
+		"RemoveInBandRuleByName":  w.DisableInBandRuleByName,
+		"RemoveInBandRuleByTag":   w.DisableInBandRuleByTag,
+		"RemoveOutBandRuleByTag":  w.DisableOutBandRuleByTag,
+		"RemoveOutBandRuleByName": w.DisableOutBandRuleByName,
+		"SetRemediationByTag":     w.SetActionByTag,
+		"SetRemediationByID":      w.SetActionByID,
+		"SetRemediationByName":    w.SetActionByName,
 	}
 }