parent
ac451ccaf3
commit
e637e7bf8b
7 changed files with 253 additions and 503 deletions
|
@ -6,438 +6,438 @@ import (
|
|||
"github.com/crowdsecurity/crowdsec/pkg/cticlient"
|
||||
)
|
||||
|
||||
type ExprCustomFunc struct {
|
||||
Name string
|
||||
Function func(params ...any) (any, error)
|
||||
Signature []interface{}
|
||||
type exprCustomFunc struct {
|
||||
name string
|
||||
function func(params ...any) (any, error)
|
||||
signature []interface{}
|
||||
}
|
||||
|
||||
var exprFuncs = []ExprCustomFunc{
|
||||
var exprFuncs = []exprCustomFunc{
|
||||
{
|
||||
Name: "CrowdsecCTI",
|
||||
Function: CrowdsecCTI,
|
||||
Signature: []interface{}{
|
||||
name: "CrowdsecCTI",
|
||||
function: CrowdsecCTI,
|
||||
signature: []interface{}{
|
||||
new(func(string) (*cticlient.SmokeItem, error)),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Flatten",
|
||||
Function: Flatten,
|
||||
Signature: []interface{}{},
|
||||
name: "Flatten",
|
||||
function: Flatten,
|
||||
signature: []interface{}{},
|
||||
},
|
||||
{
|
||||
Name: "Distinct",
|
||||
Function: Distinct,
|
||||
Signature: []interface{}{},
|
||||
name: "Distinct",
|
||||
function: Distinct,
|
||||
signature: []interface{}{},
|
||||
},
|
||||
{
|
||||
Name: "FlattenDistinct",
|
||||
Function: FlattenDistinct,
|
||||
Signature: []interface{}{},
|
||||
name: "FlattenDistinct",
|
||||
function: FlattenDistinct,
|
||||
signature: []interface{}{},
|
||||
},
|
||||
{
|
||||
Name: "Distance",
|
||||
Function: Distance,
|
||||
Signature: []interface{}{
|
||||
name: "Distance",
|
||||
function: Distance,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, string, string) (float64, error)),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "GetFromStash",
|
||||
Function: GetFromStash,
|
||||
Signature: []interface{}{
|
||||
name: "GetFromStash",
|
||||
function: GetFromStash,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) (string, error)),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Atof",
|
||||
Function: Atof,
|
||||
Signature: []interface{}{
|
||||
name: "Atof",
|
||||
function: Atof,
|
||||
signature: []interface{}{
|
||||
new(func(string) float64),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "JsonExtract",
|
||||
Function: JsonExtract,
|
||||
Signature: []interface{}{
|
||||
name: "JsonExtract",
|
||||
function: JsonExtract,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "JsonExtractUnescape",
|
||||
Function: JsonExtractUnescape,
|
||||
Signature: []interface{}{
|
||||
name: "JsonExtractUnescape",
|
||||
function: JsonExtractUnescape,
|
||||
signature: []interface{}{
|
||||
new(func(string, ...string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "JsonExtractLib",
|
||||
Function: JsonExtractLib,
|
||||
Signature: []interface{}{
|
||||
name: "JsonExtractLib",
|
||||
function: JsonExtractLib,
|
||||
signature: []interface{}{
|
||||
new(func(string, ...string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "JsonExtractSlice",
|
||||
Function: JsonExtractSlice,
|
||||
Signature: []interface{}{
|
||||
name: "JsonExtractSlice",
|
||||
function: JsonExtractSlice,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) []interface{}),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "JsonExtractObject",
|
||||
Function: JsonExtractObject,
|
||||
Signature: []interface{}{
|
||||
name: "JsonExtractObject",
|
||||
function: JsonExtractObject,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) map[string]interface{}),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ToJsonString",
|
||||
Function: ToJson,
|
||||
Signature: []interface{}{
|
||||
name: "ToJsonString",
|
||||
function: ToJson,
|
||||
signature: []interface{}{
|
||||
new(func(interface{}) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "File",
|
||||
Function: File,
|
||||
Signature: []interface{}{
|
||||
name: "File",
|
||||
function: File,
|
||||
signature: []interface{}{
|
||||
new(func(string) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RegexpInFile",
|
||||
Function: RegexpInFile,
|
||||
Signature: []interface{}{
|
||||
name: "RegexpInFile",
|
||||
function: RegexpInFile,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Upper",
|
||||
Function: Upper,
|
||||
Signature: []interface{}{
|
||||
name: "Upper",
|
||||
function: Upper,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Lower",
|
||||
Function: Lower,
|
||||
Signature: []interface{}{
|
||||
name: "Lower",
|
||||
function: Lower,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IpInRange",
|
||||
Function: IpInRange,
|
||||
Signature: []interface{}{
|
||||
name: "IpInRange",
|
||||
function: IpInRange,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TimeNow",
|
||||
Function: TimeNow,
|
||||
Signature: []interface{}{
|
||||
name: "TimeNow",
|
||||
function: TimeNow,
|
||||
signature: []interface{}{
|
||||
new(func() string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ParseUri",
|
||||
Function: ParseUri,
|
||||
Signature: []interface{}{
|
||||
name: "ParseUri",
|
||||
function: ParseUri,
|
||||
signature: []interface{}{
|
||||
new(func(string) map[string][]string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "PathUnescape",
|
||||
Function: PathUnescape,
|
||||
Signature: []interface{}{
|
||||
name: "PathUnescape",
|
||||
function: PathUnescape,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "QueryUnescape",
|
||||
Function: QueryUnescape,
|
||||
Signature: []interface{}{
|
||||
name: "QueryUnescape",
|
||||
function: QueryUnescape,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "PathEscape",
|
||||
Function: PathEscape,
|
||||
Signature: []interface{}{
|
||||
name: "PathEscape",
|
||||
function: PathEscape,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "QueryEscape",
|
||||
Function: QueryEscape,
|
||||
Signature: []interface{}{
|
||||
name: "QueryEscape",
|
||||
function: QueryEscape,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "XMLGetAttributeValue",
|
||||
Function: XMLGetAttributeValue,
|
||||
Signature: []interface{}{
|
||||
name: "XMLGetAttributeValue",
|
||||
function: XMLGetAttributeValue,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "XMLGetNodeValue",
|
||||
Function: XMLGetNodeValue,
|
||||
Signature: []interface{}{
|
||||
name: "XMLGetNodeValue",
|
||||
function: XMLGetNodeValue,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IpToRange",
|
||||
Function: IpToRange,
|
||||
Signature: []interface{}{
|
||||
name: "IpToRange",
|
||||
function: IpToRange,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IsIPV6",
|
||||
Function: IsIPV6,
|
||||
Signature: []interface{}{
|
||||
name: "IsIPV6",
|
||||
function: IsIPV6,
|
||||
signature: []interface{}{
|
||||
new(func(string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IsIPV4",
|
||||
Function: IsIPV4,
|
||||
Signature: []interface{}{
|
||||
name: "IsIPV4",
|
||||
function: IsIPV4,
|
||||
signature: []interface{}{
|
||||
new(func(string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IsIP",
|
||||
Function: IsIP,
|
||||
Signature: []interface{}{
|
||||
name: "IsIP",
|
||||
function: IsIP,
|
||||
signature: []interface{}{
|
||||
new(func(string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "LookupHost",
|
||||
Function: LookupHost,
|
||||
Signature: []interface{}{
|
||||
name: "LookupHost",
|
||||
function: LookupHost,
|
||||
signature: []interface{}{
|
||||
new(func(string) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "GetDecisionsCount",
|
||||
Function: GetDecisionsCount,
|
||||
Signature: []interface{}{
|
||||
name: "GetDecisionsCount",
|
||||
function: GetDecisionsCount,
|
||||
signature: []interface{}{
|
||||
new(func(string) int),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "GetDecisionsSinceCount",
|
||||
Function: GetDecisionsSinceCount,
|
||||
Signature: []interface{}{
|
||||
name: "GetDecisionsSinceCount",
|
||||
function: GetDecisionsSinceCount,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) int),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Sprintf",
|
||||
Function: Sprintf,
|
||||
Signature: []interface{}{
|
||||
name: "Sprintf",
|
||||
function: Sprintf,
|
||||
signature: []interface{}{
|
||||
new(func(string, ...interface{}) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ParseUnix",
|
||||
Function: ParseUnix,
|
||||
Signature: []interface{}{
|
||||
name: "ParseUnix",
|
||||
function: ParseUnix,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetInStash", //FIXME: signature will probably blow everything up
|
||||
Function: SetInStash,
|
||||
Signature: []interface{}{
|
||||
name: "SetInStash", //FIXME: signature will probably blow everything up
|
||||
function: SetInStash,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, string, *time.Duration) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Fields",
|
||||
Function: Fields,
|
||||
Signature: []interface{}{
|
||||
name: "Fields",
|
||||
function: Fields,
|
||||
signature: []interface{}{
|
||||
new(func(string) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Index",
|
||||
Function: Index,
|
||||
Signature: []interface{}{
|
||||
name: "Index",
|
||||
function: Index,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) int),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "IndexAny",
|
||||
Function: IndexAny,
|
||||
Signature: []interface{}{
|
||||
name: "IndexAny",
|
||||
function: IndexAny,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) int),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Join",
|
||||
Function: Join,
|
||||
Signature: []interface{}{
|
||||
name: "Join",
|
||||
function: Join,
|
||||
signature: []interface{}{
|
||||
new(func([]string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Split",
|
||||
Function: Split,
|
||||
Signature: []interface{}{
|
||||
name: "Split",
|
||||
function: Split,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SplitAfter",
|
||||
Function: SplitAfter,
|
||||
Signature: []interface{}{
|
||||
name: "SplitAfter",
|
||||
function: SplitAfter,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SplitAfterN",
|
||||
Function: SplitAfterN,
|
||||
Signature: []interface{}{
|
||||
name: "SplitAfterN",
|
||||
function: SplitAfterN,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, int) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SplitN",
|
||||
Function: SplitN,
|
||||
Signature: []interface{}{
|
||||
name: "SplitN",
|
||||
function: SplitN,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, int) []string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Replace",
|
||||
Function: Replace,
|
||||
Signature: []interface{}{
|
||||
name: "Replace",
|
||||
function: Replace,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, string, int) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ReplaceAll",
|
||||
Function: ReplaceAll,
|
||||
Signature: []interface{}{
|
||||
name: "ReplaceAll",
|
||||
function: ReplaceAll,
|
||||
signature: []interface{}{
|
||||
new(func(string, string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Trim",
|
||||
Function: Trim,
|
||||
Signature: []interface{}{
|
||||
name: "Trim",
|
||||
function: Trim,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TrimLeft",
|
||||
Function: TrimLeft,
|
||||
Signature: []interface{}{
|
||||
name: "TrimLeft",
|
||||
function: TrimLeft,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TrimRight",
|
||||
Function: TrimRight,
|
||||
Signature: []interface{}{
|
||||
name: "TrimRight",
|
||||
function: TrimRight,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TrimSpace",
|
||||
Function: TrimSpace,
|
||||
Signature: []interface{}{
|
||||
name: "TrimSpace",
|
||||
function: TrimSpace,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TrimPrefix",
|
||||
Function: TrimPrefix,
|
||||
Signature: []interface{}{
|
||||
name: "TrimPrefix",
|
||||
function: TrimPrefix,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "TrimSuffix",
|
||||
Function: TrimSuffix,
|
||||
Signature: []interface{}{
|
||||
name: "TrimSuffix",
|
||||
function: TrimSuffix,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Get",
|
||||
Function: Get,
|
||||
Signature: []interface{}{
|
||||
name: "Get",
|
||||
function: Get,
|
||||
signature: []interface{}{
|
||||
new(func([]string, int) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ToString",
|
||||
Function: ToString,
|
||||
Signature: []interface{}{
|
||||
name: "ToString",
|
||||
function: ToString,
|
||||
signature: []interface{}{
|
||||
new(func(interface{}) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Match",
|
||||
Function: Match,
|
||||
Signature: []interface{}{
|
||||
name: "Match",
|
||||
function: Match,
|
||||
signature: []interface{}{
|
||||
new(func(string, string) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "KeyExists",
|
||||
Function: KeyExists,
|
||||
Signature: []interface{}{
|
||||
name: "KeyExists",
|
||||
function: KeyExists,
|
||||
signature: []interface{}{
|
||||
new(func(string, map[string]any) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "LogInfo",
|
||||
Function: LogInfo,
|
||||
Signature: []interface{}{
|
||||
name: "LogInfo",
|
||||
function: LogInfo,
|
||||
signature: []interface{}{
|
||||
new(func(string, ...interface{}) bool),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "B64Decode",
|
||||
Function: B64Decode,
|
||||
Signature: []interface{}{
|
||||
name: "B64Decode",
|
||||
function: B64Decode,
|
||||
signature: []interface{}{
|
||||
new(func(string) string),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "UnmarshalJSON",
|
||||
Function: UnmarshalJSON,
|
||||
Signature: []interface{}{
|
||||
name: "UnmarshalJSON",
|
||||
function: UnmarshalJSON,
|
||||
signature: []interface{}{
|
||||
new(func(string, map[string]interface{}, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "ParseKV",
|
||||
Function: ParseKV,
|
||||
Signature: []interface{}{
|
||||
name: "ParseKV",
|
||||
function: ParseKV,
|
||||
signature: []interface{}{
|
||||
new(func(string, map[string]interface{}, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "Hostname",
|
||||
Function: Hostname,
|
||||
Signature: []interface{}{
|
||||
name: "Hostname",
|
||||
function: Hostname,
|
||||
signature: []interface{}{
|
||||
new(func() (string, error)),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "FloatApproxEqual",
|
||||
Function: FloatApproxEqual,
|
||||
Signature: []interface{}{
|
||||
name: "FloatApproxEqual",
|
||||
function: FloatApproxEqual,
|
||||
signature: []interface{}{
|
||||
new(func(float64, float64) bool),
|
||||
},
|
||||
},
|
||||
|
|
|
@ -60,9 +60,9 @@ func GetExprOptions(ctx map[string]interface{}) []expr.Option {
|
|||
exprFunctionOptions = []expr.Option{}
|
||||
for _, function := range exprFuncs {
|
||||
exprFunctionOptions = append(exprFunctionOptions,
|
||||
expr.Function(function.Name,
|
||||
function.Function,
|
||||
function.Signature...,
|
||||
expr.Function(function.name,
|
||||
function.function,
|
||||
function.signature...,
|
||||
))
|
||||
}
|
||||
}
|
||||
|
|
|
@ -58,12 +58,12 @@ type ReqDumpFilter struct {
|
|||
ArgsDrop bool
|
||||
}
|
||||
|
||||
func (r *ParsedRequest) DumpRequest(params ...any) (any, error) {
|
||||
func (r *ParsedRequest) DumpRequest(params ...any) *ReqDumpFilter {
|
||||
filter := ReqDumpFilter{}
|
||||
filter.BodyDrop = true
|
||||
filter.HeadersNameFilters = []string{"cookie", "authorization"}
|
||||
filter.req = r
|
||||
return &filter, nil
|
||||
return &filter
|
||||
}
|
||||
|
||||
// clear filters
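Review bot: `DumpRequest` still declares `params ...any` although its body never reads it and the return type is now the concrete `*ReqDumpFilter`, so an expression can pass arbitrary arguments and have them silently ignored. Because this commit exposes the method directly in the environment map instead of through `expr.Function`, the variadic shape no longer seems needed; `func (r *ParsedRequest) DumpRequest() *ReqDumpFilter` would let the expression compiler check the call. A doc comment stating the defaults would also help, for example `// DumpRequest returns a filter that drops the body and the cookie and authorization headers by default.` Whether `HeadersNameFilters` is matched case-insensitively is not visible in this hunk and is worth confirming, since the default names are lowercase.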
|
||||
|
|
|
@ -161,8 +161,7 @@ func TestBodyDumper(t *testing.T) {
|
|||
for idx, test := range tests {
|
||||
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
tmp_dr, _ := test.req.DumpRequest()
|
||||
orig_dr := tmp_dr.(*ReqDumpFilter)
|
||||
orig_dr := test.req.DumpRequest()
|
||||
result := test.filter(orig_dr).GetFilteredRequest()
|
||||
|
||||
if len(result.Body) != len(test.expect.Body) {
|
||||
|
|
|
@ -34,26 +34,19 @@ const (
|
|||
func (h *Hook) Build(hookStage int) error {
|
||||
|
||||
ctx := map[string]interface{}{}
|
||||
opts := []expr.Option{}
|
||||
switch hookStage {
|
||||
case hookOnLoad:
|
||||
opts = GetOnLoadEnv(ctx, &WaapRuntimeConfig{})
|
||||
ctx = GetOnLoadEnv(&WaapRuntimeConfig{})
|
||||
case hookPreEval:
|
||||
ctx["IsInBand"] = true
|
||||
ctx["IsOutBand"] = true
|
||||
opts = GetPreEvalEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
|
||||
ctx = GetPreEvalEnv(&WaapRuntimeConfig{}, &ParsedRequest{})
|
||||
case hookPostEval:
|
||||
ctx["IsInBand"] = true
|
||||
ctx["IsOutBand"] = true
|
||||
opts = GetPostEvalEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
|
||||
ctx = GetPostEvalEnv(&WaapRuntimeConfig{}, &ParsedRequest{})
|
||||
case hookOnMatch:
|
||||
ctx["evt"] = types.Event{}
|
||||
ctx["IsInBand"] = true
|
||||
ctx["IsOutBand"] = true
|
||||
opts = GetOnMatchEnv(ctx, &WaapRuntimeConfig{}, &ParsedRequest{})
|
||||
ctx = GetOnMatchEnv(&WaapRuntimeConfig{}, &ParsedRequest{}, types.Event{})
|
||||
}
|
||||
opts := GetExprWAFOptions(ctx)
|
||||
if h.Filter != "" {
|
||||
program, err := expr.Compile(h.Filter, opts...)
|
||||
program, err := expr.Compile(h.Filter, opts...) //FIXME: opts
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to compile filter %s : %w", h.Filter, err)
|
||||
}
|
||||
|
@ -290,7 +283,7 @@ func (wc *WaapConfig) Build() (*WaapRuntimeConfig, error) {
|
|||
func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
|
||||
for _, rule := range w.CompiledOnLoad {
|
||||
if rule.FilterExpr != nil {
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, map[string]interface{}{}, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to run waap on_load filter %s : %w", rule.Filter, err)
|
||||
}
|
||||
|
@ -306,7 +299,7 @@ func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
|
|||
}
|
||||
}
|
||||
for _, applyExpr := range rule.ApplyExpr {
|
||||
_, err := exprhelpers.Run(applyExpr, map[string]interface{}{}, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
_, err := exprhelpers.Run(applyExpr, GetOnLoadEnv(w), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
log.Errorf("unable to apply waap on_load expr: %s", err)
|
||||
continue
|
||||
|
@ -317,14 +310,10 @@ func (w *WaapRuntimeConfig) ProcessOnLoadRules() error {
|
|||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error {
|
||||
ctx := map[string]interface{}{
|
||||
"evt": evt,
|
||||
"IsInBand": request.IsInBand,
|
||||
"IsOutBand": request.IsOutBand,
|
||||
}
|
||||
|
||||
for _, rule := range w.CompiledOnMatch {
|
||||
if rule.FilterExpr != nil {
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to run waap on_match filter %s : %w", rule.Filter, err)
|
||||
}
|
||||
|
@ -340,7 +329,7 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt type
|
|||
}
|
||||
}
|
||||
for _, applyExpr := range rule.ApplyExpr {
|
||||
_, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
_, err := exprhelpers.Run(applyExpr, GetOnMatchEnv(w, request, evt), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
log.Errorf("unable to apply waap on_match expr: %s", err)
|
||||
continue
|
||||
|
@ -351,13 +340,9 @@ func (w *WaapRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt type
|
|||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
|
||||
ctx := map[string]interface{}{
|
||||
"IsInBand": request.IsInBand,
|
||||
"IsOutBand": request.IsOutBand,
|
||||
}
|
||||
for _, rule := range w.CompiledPreEval {
|
||||
if rule.FilterExpr != nil {
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, GetPreEvalEnv(ctx, w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to run waap pre_eval filter %s : %w", rule.Filter, err)
|
||||
}
|
||||
|
@ -374,7 +359,7 @@ func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
|
|||
}
|
||||
// here means there is no filter or the filter matched
|
||||
for _, applyExpr := range rule.ApplyExpr {
|
||||
_, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
_, err := exprhelpers.Run(applyExpr, GetPreEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
log.Errorf("unable to apply waap pre_eval expr: %s", err)
|
||||
continue
|
||||
|
@ -386,13 +371,9 @@ func (w *WaapRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error {
|
|||
}
|
||||
|
||||
func (w *WaapRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error {
|
||||
ctx := map[string]interface{}{
|
||||
"IsInBand": request.IsInBand,
|
||||
"IsOutBand": request.IsOutBand,
|
||||
}
|
||||
for _, rule := range w.CompiledPostEval {
|
||||
if rule.FilterExpr != nil {
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
output, err := exprhelpers.Run(rule.FilterExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to run waap post_eval filter %s : %w", rule.Filter, err)
|
||||
}
|
||||
|
@ -409,7 +390,7 @@ func (w *WaapRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error {
|
|||
}
|
||||
// here means there is no filter or the filter matched
|
||||
for _, applyExpr := range rule.ApplyExpr {
|
||||
_, err := exprhelpers.Run(applyExpr, ctx, w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
_, err := exprhelpers.Run(applyExpr, GetPostEvalEnv(w, request), w.Logger, w.Logger.Level >= log.DebugLevel)
|
||||
if err != nil {
|
||||
log.Errorf("unable to apply waap post_eval expr: %s", err)
|
||||
continue
|
||||
|
@ -570,7 +551,6 @@ func (w *WaapRuntimeConfig) SetActionByID(params ...any) (any, error) {
|
|||
|
||||
// func (w *WaapRuntimeConfig) SetActionByID(name string, action string) error {
|
||||
func (w *WaapRuntimeConfig) SetActionByName(params ...any) (any, error) {
|
||||
fmt.Printf("%v+\n", w)
|
||||
if w.RemediationByTag == nil {
|
||||
w.RemediationByTag = make(map[string]string)
|
||||
}
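Review bot: The `switch hookStage` in `Hook.Build` has no `default` branch, so an unrecognised stage leaves `ctx` as the empty map and the filter is compiled against an environment that holds none of the stage helpers. Adding `default: return fmt.Errorf("unknown hook stage %d", hookStage)` would make a wiring mistake fail when the hook is built, rather than surfacing later as an unknown-name error or, for a filter that uses no helper, not at all. The `//FIXME: opts` on the `expr.Compile` line does not say what remains to be done; a few words naming the open issue would help the next reader. Build's body continues past the end of its hunk.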
|
||||
|
|
|
@ -1,3 +1,11 @@
|
|||
package waf
|
||||
|
||||
//This is a copy paste from expr_lib.go, we probably want to only have one ?
|
||||
|
||||
type exprCustomFunc struct {
|
||||
name string
|
||||
function func(params ...any) (any, error)
|
||||
signature []interface{}
|
||||
}
|
||||
|
||||
var exprFuncs = []exprCustomFunc{}
|
||||
|
|
|
@ -3,183 +3,40 @@ package waf
|
|||
import (
|
||||
"github.com/antonmedv/expr"
|
||||
"github.com/crowdsecurity/crowdsec/pkg/exprhelpers"
|
||||
"github.com/crowdsecurity/crowdsec/pkg/types"
|
||||
)
|
||||
|
||||
var exprOnLoadOptions = []expr.Option{}
|
||||
var exprPreEvalOptions = []expr.Option{}
|
||||
var exprPostEvalOptions = []expr.Option{}
|
||||
var exprOnMatchOptions = []expr.Option{}
|
||||
|
||||
func GetOnLoadEnv(ctx map[string]interface{}, w *WaapRuntimeConfig) []expr.Option {
|
||||
func GetExprWAFOptions(ctx map[string]interface{}) []expr.Option {
|
||||
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
||||
onLoadHelpers := []exprhelpers.ExprCustomFunc{
|
||||
{
|
||||
Name: "RemoveInBandRuleByID",
|
||||
Function: w.DisableInBandRuleByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveInBandRuleByTag",
|
||||
Function: w.DisableInBandRuleByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveInBandRuleByName",
|
||||
Function: w.DisableInBandRuleByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByID",
|
||||
Function: w.DisableOutBandRuleByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByTag",
|
||||
Function: w.DisableOutBandRuleByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByName",
|
||||
Function: w.DisableOutBandRuleByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByTag",
|
||||
Function: w.SetActionByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByID",
|
||||
Function: w.SetActionByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByName",
|
||||
Function: w.SetActionByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string, string) error),
|
||||
},
|
||||
},
|
||||
|
||||
for _, function := range exprFuncs {
|
||||
baseHelpers = append(baseHelpers,
|
||||
expr.Function(function.name,
|
||||
function.function,
|
||||
function.signature...,
|
||||
))
|
||||
}
|
||||
return baseHelpers
|
||||
}
|
||||
|
||||
if len(exprOnLoadOptions) == 0 {
|
||||
for _, function := range onLoadHelpers {
|
||||
exprOnLoadOptions = append(exprOnLoadOptions,
|
||||
expr.Function(
|
||||
function.Name,
|
||||
function.Function,
|
||||
function.Signature...,
|
||||
),
|
||||
)
|
||||
}
|
||||
exprOnLoadOptions = append(exprOnLoadOptions, baseHelpers...)
|
||||
}
|
||||
|
||||
return exprOnLoadOptions
|
||||
}
|
||||
|
||||
func GetPreEvalEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
|
||||
|
||||
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
||||
preEvalHelpers := []exprhelpers.ExprCustomFunc{
|
||||
{
|
||||
Name: "RemoveInBandRuleByID",
|
||||
Function: w.RemoveInbandRuleByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveInBandRuleByTag",
|
||||
Function: w.RemoveInbandRuleByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveInBandRuleByName",
|
||||
Function: w.RemoveInbandRuleByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByID",
|
||||
Function: w.RemoveOutbandRuleByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByTag",
|
||||
Function: w.RemoveOutbandRuleByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "RemoveOutBandRuleByName",
|
||||
Function: w.RemoveOutbandRuleByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByTag",
|
||||
Function: w.SetActionByTag,
|
||||
Signature: []interface{}{
|
||||
new(func(string, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByID",
|
||||
Function: w.SetActionByID,
|
||||
Signature: []interface{}{
|
||||
new(func(int, string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetRemediationByName",
|
||||
Function: w.SetActionByName,
|
||||
Signature: []interface{}{
|
||||
new(func(string, string) error),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if len(exprPreEvalOptions) == 0 {
|
||||
for _, function := range preEvalHelpers {
|
||||
exprPreEvalOptions = append(exprPreEvalOptions,
|
||||
expr.Function(
|
||||
function.Name,
|
||||
function.Function,
|
||||
function.Signature...,
|
||||
),
|
||||
)
|
||||
}
|
||||
exprPreEvalOptions = append(exprPreEvalOptions, baseHelpers...)
|
||||
}
|
||||
|
||||
return exprPreEvalOptions
|
||||
|
||||
func GetOnLoadEnv(w *WaapRuntimeConfig) map[string]interface{} {
|
||||
//FIXME: use expr.Function instead of this
|
||||
/*return map[string]interface{}{
|
||||
return map[string]interface{}{
|
||||
"RemoveInBandRuleByID": w.DisableInBandRuleByID,
|
||||
"RemoveInBandRuleByTag": w.DisableInBandRuleByTag,
|
||||
"RemoveInBandRuleByName": w.DisableInBandRuleByName,
|
||||
"RemoveOutBandRuleByID": w.DisableOutBandRuleByID,
|
||||
"RemoveOutBandRuleByTag": w.DisableOutBandRuleByTag,
|
||||
"RemoveOutBandRuleByName": w.DisableOutBandRuleByName,
|
||||
"SetRemediationByTag": w.SetActionByTag,
|
||||
"SetRemediationByID": w.SetActionByID,
|
||||
"SetRemediationByName": w.SetActionByName,
|
||||
}
|
||||
}
|
||||
|
||||
func GetPreEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]interface{} {
|
||||
//FIXME: use expr.Function instead of this
|
||||
return map[string]interface{}{
|
||||
"IsInBand": request.IsInBand,
|
||||
"IsOutBand": request.IsOutBand,
|
||||
"RemoveInBandRuleByID": w.RemoveInbandRuleByID,
|
||||
|
@ -191,114 +48,20 @@ func GetPreEvalEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *Pa
|
|||
"SetRemediationByTag": w.SetActionByTag,
|
||||
"SetRemediationByID": w.SetActionByID,
|
||||
"SetRemediationByName": w.SetActionByName,
|
||||
}*/
|
||||
}
|
||||
}
|
||||
|
||||
func GetPostEvalEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
|
||||
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
||||
postEvalHelpers := []exprhelpers.ExprCustomFunc{
|
||||
{
|
||||
Name: "DumpRequest",
|
||||
Function: request.DumpRequest,
|
||||
Signature: []interface{}{
|
||||
new(func() *ReqDumpFilter),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if len(exprPostEvalOptions) == 0 {
|
||||
for _, function := range postEvalHelpers {
|
||||
exprPostEvalOptions = append(exprPostEvalOptions,
|
||||
expr.Function(
|
||||
function.Name,
|
||||
function.Function,
|
||||
function.Signature...,
|
||||
),
|
||||
)
|
||||
}
|
||||
exprPostEvalOptions = append(exprPostEvalOptions, baseHelpers...)
|
||||
}
|
||||
|
||||
return exprPostEvalOptions
|
||||
|
||||
/*//FIXME: use expr.Function instead of this
|
||||
func GetPostEvalEnv(w *WaapRuntimeConfig, request *ParsedRequest) map[string]interface{} {
|
||||
//FIXME: use expr.Function instead of this
|
||||
return map[string]interface{}{
|
||||
"IsInBand": request.IsInBand,
|
||||
"IsOutBand": request.IsOutBand,
|
||||
"DumpRequest": request.DumpRequest,
|
||||
}*/
|
||||
}
|
||||
}
|
||||
|
||||
func GetOnMatchEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *ParsedRequest) []expr.Option {
|
||||
baseHelpers := exprhelpers.GetExprOptions(ctx)
|
||||
onMatchHelpers := []exprhelpers.ExprCustomFunc{
|
||||
{
|
||||
Name: "SetRemediation",
|
||||
Function: w.SetAction,
|
||||
Signature: []interface{}{
|
||||
new(func(string) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SetReturnCode",
|
||||
Function: w.SetHTTPCode,
|
||||
Signature: []interface{}{
|
||||
new(func(int) error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "CancelEvent",
|
||||
Function: w.CancelEvent,
|
||||
Signature: []interface{}{
|
||||
new(func() error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SendEvent",
|
||||
Function: w.SendEvent,
|
||||
Signature: []interface{}{
|
||||
new(func() error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "CancelAlert",
|
||||
Function: w.CancelAlert,
|
||||
Signature: []interface{}{
|
||||
new(func() error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "SendAlert",
|
||||
Function: w.SendAlert,
|
||||
Signature: []interface{}{
|
||||
new(func() error),
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "DumpRequest",
|
||||
Function: request.DumpRequest,
|
||||
Signature: []interface{}{
|
||||
new(func() *ReqDumpFilter),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
if len(exprOnMatchOptions) == 0 {
|
||||
for _, function := range onMatchHelpers {
|
||||
exprOnMatchOptions = append(exprOnMatchOptions,
|
||||
expr.Function(
|
||||
function.Name,
|
||||
function.Function,
|
||||
function.Signature...,
|
||||
),
|
||||
)
|
||||
}
|
||||
exprOnMatchOptions = append(exprOnMatchOptions, baseHelpers...)
|
||||
}
|
||||
|
||||
return exprOnMatchOptions
|
||||
|
||||
/*//FIXME: use expr.Function instead of this
|
||||
func GetOnMatchEnv(w *WaapRuntimeConfig, request *ParsedRequest, evt types.Event) map[string]interface{} {
|
||||
//FIXME: use expr.Function instead of this
|
||||
return map[string]interface{}{
|
||||
"evt": evt,
|
||||
"req": request,
|
||||
|
@ -311,5 +74,5 @@ func GetOnMatchEnv(ctx map[string]interface{}, w *WaapRuntimeConfig, request *Pa
|
|||
"CancelAlert": w.CancelAlert,
|
||||
"SendAlert": w.SendAlert,
|
||||
"DumpRequest": request.DumpRequest,
|
||||
}*/
|
||||
}
|
||||
}
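Review bot: Exposing the helpers as plain map entries (`"SetRemediationByName": w.SetActionByName` and the others in `GetOnLoadEnv`, `GetPreEvalEnv`, `GetPostEvalEnv` and `GetOnMatchEnv`) drops the typed signatures that the removed `expr.Function` registrations carried, such as `new(func(string, string) error)`. `SetActionByID` and `SetActionByName`, whose signatures are visible in this commit, take `params ...any`. A hook calling them with the wrong arity or argument types will therefore presumably compile and fail only while rules are being processed, where the apply loops log the error and continue. Until the `//FIXME: use expr.Function instead of this` is resolved, each helper should check `len(params)` and use checked type assertions before reading its arguments; whether they already do is outside this page. `GetExprWAFOptions` is new and exported and would benefit from a doc comment such as `// GetExprWAFOptions returns the base expr options for ctx plus the WAF-specific functions in exprFuncs.`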
|
||||
|
|