appsec

package
v1.6.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 11, 2024 License: MIT Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	BanRemediation     = "ban"
	CaptchaRemediation = "captcha"
	AllowRemediation   = "allow"
)
View Source 
const (
	URIHeaderName       = "X-Crowdsec-Appsec-Uri"
	VerbHeaderName      = "X-Crowdsec-Appsec-Verb"
	HostHeaderName      = "X-Crowdsec-Appsec-Host"
	IPHeaderName        = "X-Crowdsec-Appsec-Ip"
	APIKeyHeaderName    = "X-Crowdsec-Appsec-Api-Key"
	UserAgentHeaderName = "X-Crowdsec-Appsec-User-Agent"
)

Variables

View Source 
var APPSEC_RULE = "appsec-rule"
View Source 
var AppsecRulesDetails = make(map[int]RulesDetails)

FIXME: this shouldn't be a global Is using the id is a good idea ? might be too specific to coraza and not easily reusable

View Source 
var DebugRules map[int]bool = map[int]bool{}

Functions

func GetOnLoadEnv 

func GetOnLoadEnv(w *AppsecRuntimeConfig) map[string]interface{}

func GetOnMatchEnv 

func GetOnMatchEnv(w *AppsecRuntimeConfig, request *ParsedRequest, evt types.Event) map[string]interface{}

func GetPostEvalEnv 

func GetPostEvalEnv(w *AppsecRuntimeConfig, request *ParsedRequest) map[string]interface{}

func GetPreEvalEnv 

func GetPreEvalEnv(w *AppsecRuntimeConfig, request *ParsedRequest) map[string]interface{}

func GetRuleDebug 

func GetRuleDebug(id int) bool

func LoadAppsecRules 

func LoadAppsecRules(hubInstance *cwhub.Hub) error

func NewCrzLogger 

func NewCrzLogger(logger *log.Entry) crzLogger

func ParseQuery added in v1.6.1 

func ParseQuery(query string) url.Values

parseQuery and parseQuery are copied net/url package, but allow semicolon in values

func SetRuleDebug 

func SetRuleDebug(id int, debug bool)

Types

type AppsecCollection 

type AppsecCollection struct {
	Rules []string
	// contains filtered or unexported fields
}

func LoadCollection 

func LoadCollection(pattern string, logger *log.Entry) ([]AppsecCollection, error)

func (AppsecCollection) String 

func (w AppsecCollection) String() string

type AppsecCollectionConfig 

type AppsecCollectionConfig struct {
	Type              string                   `yaml:"type"`
	Name              string                   `yaml:"name"`
	Debug             bool                     `yaml:"debug"`
	Description       string                   `yaml:"description"`
	SecLangFilesRules []string                 `yaml:"seclang_files_rules"`
	SecLangRules      []string                 `yaml:"seclang_rules"`
	Rules             []appsec_rule.CustomRule `yaml:"rules"`

	Labels map[string]interface{} `yaml:"labels"` //Labels is K:V list aiming at providing context the overflow

	Data interface{} `yaml:"data"` //Ignore it
	// contains filtered or unexported fields
}

to be filled w/ seb update

type AppsecConfig 

type AppsecConfig struct {
	Name                   string   `yaml:"name"`
	OutOfBandRules         []string `yaml:"outofband_rules"`
	InBandRules            []string `yaml:"inband_rules"`
	DefaultRemediation     string   `yaml:"default_remediation"`
	DefaultPassAction      string   `yaml:"default_pass_action"`
	BouncerBlockedHTTPCode int      `yaml:"blocked_http_code"`      //returned to the bouncer
	BouncerPassedHTTPCode  int      `yaml:"passed_http_code"`       //returned to the bouncer
	UserBlockedHTTPCode    int      `yaml:"user_blocked_http_code"` //returned to the user
	UserPassedHTTPCode     int      `yaml:"user_passed_http_code"`  //returned to the user

	OnLoad            []Hook              `yaml:"on_load"`
	PreEval           []Hook              `yaml:"pre_eval"`
	PostEval          []Hook              `yaml:"post_eval"`
	OnMatch           []Hook              `yaml:"on_match"`
	VariablesTracking []string            `yaml:"variables_tracking"`
	InbandOptions     AppsecSubEngineOpts `yaml:"inband_options"`
	OutOfBandOptions  AppsecSubEngineOpts `yaml:"outofband_options"`

	LogLevel *log.Level `yaml:"log_level"`
	Logger   *log.Entry `yaml:"-"`
}

func (*AppsecConfig) Build 

func (wc *AppsecConfig) Build() (*AppsecRuntimeConfig, error)

func (*AppsecConfig) GetDataDir 

func (wc *AppsecConfig) GetDataDir() string

func (*AppsecConfig) Load 

func (wc *AppsecConfig) Load(configName string) error

func (*AppsecConfig) LoadByPath 

func (wc *AppsecConfig) LoadByPath(file string) error

type AppsecRuntimeConfig 

type AppsecRuntimeConfig struct {
	Name           string
	OutOfBandRules []AppsecCollection

	InBandRules []AppsecCollection

	DefaultRemediation        string
	RemediationByTag          map[string]string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
	RemediationById           map[int]string
	CompiledOnLoad            []Hook
	CompiledPreEval           []Hook
	CompiledPostEval          []Hook
	CompiledOnMatch           []Hook
	CompiledVariablesTracking []*regexp.Regexp
	Config                    *AppsecConfig

	//those are ephemeral, created/destroyed with every req
	OutOfBandTx ExtendedTransaction //is it a good idea ?
	InBandTx    ExtendedTransaction //is it a good idea ?
	Response    AppsecTempResponse

	Logger *log.Entry

	//Set by on_load to ignore some rules on loading
	DisabledInBandRuleIds   []int
	DisabledInBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME

	DisabledOutOfBandRuleIds   []int
	DisabledOutOfBandRulesTags []string //Also used for ByName, as the name (for modsec rules) is a tag crowdsec-NAME
}

runtime version of AppsecConfig

func (*AppsecRuntimeConfig) CancelAlert 

func (w *AppsecRuntimeConfig) CancelAlert() error

func (*AppsecRuntimeConfig) CancelEvent 

func (w *AppsecRuntimeConfig) CancelEvent() error

func (*AppsecRuntimeConfig) ClearResponse 

func (w *AppsecRuntimeConfig) ClearResponse()

func (*AppsecRuntimeConfig) DisableInBandRuleByID 

func (w *AppsecRuntimeConfig) DisableInBandRuleByID(id int) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) DisableInBandRuleByName 

func (w *AppsecRuntimeConfig) DisableInBandRuleByName(name string) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) DisableInBandRuleByTag 

func (w *AppsecRuntimeConfig) DisableInBandRuleByTag(tag string) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) DisableOutBandRuleByID 

func (w *AppsecRuntimeConfig) DisableOutBandRuleByID(id int) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) DisableOutBandRuleByName 

func (w *AppsecRuntimeConfig) DisableOutBandRuleByName(name string) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) DisableOutBandRuleByTag 

func (w *AppsecRuntimeConfig) DisableOutBandRuleByTag(tag string) error

Disable a rule at load time, meaning it will not run for any request

func (*AppsecRuntimeConfig) GenerateResponse 

func (w *AppsecRuntimeConfig) GenerateResponse(response AppsecTempResponse, logger *log.Entry) (int, BodyResponse)

func (*AppsecRuntimeConfig) ProcessOnLoadRules 

func (w *AppsecRuntimeConfig) ProcessOnLoadRules() error

func (*AppsecRuntimeConfig) ProcessOnMatchRules 

func (w *AppsecRuntimeConfig) ProcessOnMatchRules(request *ParsedRequest, evt types.Event) error

func (*AppsecRuntimeConfig) ProcessPostEvalRules 

func (w *AppsecRuntimeConfig) ProcessPostEvalRules(request *ParsedRequest) error

func (*AppsecRuntimeConfig) ProcessPreEvalRules 

func (w *AppsecRuntimeConfig) ProcessPreEvalRules(request *ParsedRequest) error

func (*AppsecRuntimeConfig) RemoveInbandRuleByID 

func (w *AppsecRuntimeConfig) RemoveInbandRuleByID(id int) error

func (*AppsecRuntimeConfig) RemoveInbandRuleByName 

func (w *AppsecRuntimeConfig) RemoveInbandRuleByName(name string) error

func (*AppsecRuntimeConfig) RemoveInbandRuleByTag 

func (w *AppsecRuntimeConfig) RemoveInbandRuleByTag(tag string) error

func (*AppsecRuntimeConfig) RemoveOutbandRuleByID 

func (w *AppsecRuntimeConfig) RemoveOutbandRuleByID(id int) error

func (*AppsecRuntimeConfig) RemoveOutbandRuleByName 

func (w *AppsecRuntimeConfig) RemoveOutbandRuleByName(name string) error

func (*AppsecRuntimeConfig) RemoveOutbandRuleByTag 

func (w *AppsecRuntimeConfig) RemoveOutbandRuleByTag(tag string) error

func (*AppsecRuntimeConfig) SendAlert 

func (w *AppsecRuntimeConfig) SendAlert() error

func (*AppsecRuntimeConfig) SendEvent 

func (w *AppsecRuntimeConfig) SendEvent() error

func (*AppsecRuntimeConfig) SetAction 

func (w *AppsecRuntimeConfig) SetAction(action string) error

func (*AppsecRuntimeConfig) SetActionByID 

func (w *AppsecRuntimeConfig) SetActionByID(id int, action string) error

func (*AppsecRuntimeConfig) SetActionByName 

func (w *AppsecRuntimeConfig) SetActionByName(name string, action string) error

func (*AppsecRuntimeConfig) SetActionByTag 

func (w *AppsecRuntimeConfig) SetActionByTag(tag string, action string) error

func (*AppsecRuntimeConfig) SetHTTPCode 

func (w *AppsecRuntimeConfig) SetHTTPCode(code int) error

type AppsecSubEngineOpts 

type AppsecSubEngineOpts struct {
	DisableBodyInspection    bool `yaml:"disable_body_inspection"`
	RequestBodyInMemoryLimit *int `yaml:"request_body_in_memory_limit"`
}

type AppsecTempResponse 

type AppsecTempResponse struct {
	InBandInterrupt         bool
	OutOfBandInterrupt      bool
	Action                  string //allow, deny, captcha, log
	UserHTTPResponseCode    int    //The response code to send to the user
	BouncerHTTPResponseCode int    //The response code to send to the remediation component
	SendEvent               bool   //do we send an internal event on rule match
	SendAlert               bool   //do we send an alert on rule match
}

type BodyResponse 

type BodyResponse struct {
	Action     string `json:"action"`
	HTTPStatus int    `json:"http_status"`
}

type ExtendedTransaction 

type ExtendedTransaction struct {
	Tx experimental.FullTransaction
}

func NewExtendedTransaction 

func NewExtendedTransaction(engine coraza.WAF, uuid string) ExtendedTransaction

func NewTransaction 

func NewTransaction(tx experimental.FullTransaction) ExtendedTransaction

func (*ExtendedTransaction) AddGetRequestArgument 

func (t *ExtendedTransaction) AddGetRequestArgument(name string, value string)

func (*ExtendedTransaction) AddRequestHeader 

func (t *ExtendedTransaction) AddRequestHeader(name string, value string)

func (*ExtendedTransaction) ID 

func (t *ExtendedTransaction) ID() string

func (*ExtendedTransaction) Interruption 

func (t *ExtendedTransaction) Interruption() *types.Interruption

func (*ExtendedTransaction) IsInterrupted 

func (t *ExtendedTransaction) IsInterrupted() bool

func (*ExtendedTransaction) IsRuleEngineOff 

func (t *ExtendedTransaction) IsRuleEngineOff() bool

func (*ExtendedTransaction) MatchedRules 

func (t *ExtendedTransaction) MatchedRules() []types.MatchedRule

func (*ExtendedTransaction) ProcessConnection 

func (t *ExtendedTransaction) ProcessConnection(client string, cPort int, server string, sPort int)

func (*ExtendedTransaction) ProcessLogging 

func (t *ExtendedTransaction) ProcessLogging()

func (*ExtendedTransaction) ProcessRequestBody 

func (t *ExtendedTransaction) ProcessRequestBody() (*types.Interruption, error)

func (*ExtendedTransaction) ProcessRequestHeaders 

func (t *ExtendedTransaction) ProcessRequestHeaders() *types.Interruption

func (*ExtendedTransaction) ProcessURI 

func (t *ExtendedTransaction) ProcessURI(uri string, method string, httpVersion string)

func (*ExtendedTransaction) RemoveRuleByIDWithError 

func (t *ExtendedTransaction) RemoveRuleByIDWithError(id int) error

func (*ExtendedTransaction) RemoveRuleByTagWithError 

func (t *ExtendedTransaction) RemoveRuleByTagWithError(tag string) error

func (*ExtendedTransaction) SetServerName 

func (t *ExtendedTransaction) SetServerName(name string)

func (*ExtendedTransaction) Variables 

func (t *ExtendedTransaction) Variables() plugintypes.TransactionVariables

func (*ExtendedTransaction) WriteRequestBody 

func (t *ExtendedTransaction) WriteRequestBody(body []byte) (*types.Interruption, int, error)

type Hook 

type Hook struct {
	Filter     string      `yaml:"filter"`
	FilterExpr *vm.Program `yaml:"-"`

	OnSuccess string        `yaml:"on_success"`
	Apply     []string      `yaml:"apply"`
	ApplyExpr []*vm.Program `yaml:"-"`
}

func (*Hook) Build 

func (h *Hook) Build(hookStage int) error

type ParsedRequest 

type ParsedRequest struct {
	RemoteAddr           string                  `json:"remote_addr,omitempty"`
	Host                 string                  `json:"host,omitempty"`
	ClientIP             string                  `json:"client_ip,omitempty"`
	URI                  string                  `json:"uri,omitempty"`
	Args                 url.Values              `json:"args,omitempty"`
	ClientHost           string                  `json:"client_host,omitempty"`
	Headers              http.Header             `json:"headers,omitempty"`
	URL                  *url.URL                `json:"url,omitempty"`
	Method               string                  `json:"method,omitempty"`
	Proto                string                  `json:"proto,omitempty"`
	Body                 []byte                  `json:"body,omitempty"`
	TransferEncoding     []string                `json:"transfer_encoding,omitempty"`
	UUID                 string                  `json:"uuid,omitempty"`
	Tx                   ExtendedTransaction     `json:"-"`
	ResponseChannel      chan AppsecTempResponse `json:"-"`
	IsInBand             bool                    `json:"-"`
	IsOutBand            bool                    `json:"-"`
	AppsecEngine         string                  `json:"appsec_engine,omitempty"`
	RemoteAddrNormalized string                  `json:"normalized_remote_addr,omitempty"`
	HTTPRequest          *http.Request           `json:"-"`
}

func NewParsedRequestFromRequest 

func NewParsedRequestFromRequest(r *http.Request, logger *logrus.Entry) (ParsedRequest, error)

Generate a ParsedRequest from a http.Request. ParsedRequest can be consumed by the App security Engine

func (*ParsedRequest) DumpRequest 

func (r *ParsedRequest) DumpRequest(params ...any) *ReqDumpFilter

type ReqDumpFilter 

type ReqDumpFilter struct {
	HeadersContentFilters []string
	HeadersNameFilters    []string
	HeadersDrop           bool

	BodyDrop bool

	ArgsContentFilters []string
	ArgsNameFilters    []string
	ArgsDrop           bool
	// contains filtered or unexported fields
}

func (*ReqDumpFilter) FilterArgs 

func (r *ReqDumpFilter) FilterArgs(out *ParsedRequest) error

func (*ReqDumpFilter) FilterBody 

func (r *ReqDumpFilter) FilterBody(out *ParsedRequest) error

func (*ReqDumpFilter) FilterHeaders 

func (r *ReqDumpFilter) FilterHeaders(out *ParsedRequest) error

func (*ReqDumpFilter) GetFilteredRequest 

func (r *ReqDumpFilter) GetFilteredRequest() *ParsedRequest

func (*ReqDumpFilter) NoFilters 

func (r *ReqDumpFilter) NoFilters() *ReqDumpFilter

clear filters

func (*ReqDumpFilter) ToJSON 

func (r *ReqDumpFilter) ToJSON() error

func (*ReqDumpFilter) WithArgsContentFilter 

func (r *ReqDumpFilter) WithArgsContentFilter(filter string) *ReqDumpFilter

func (*ReqDumpFilter) WithArgsNameFilter 

func (r *ReqDumpFilter) WithArgsNameFilter(filter string) *ReqDumpFilter

func (*ReqDumpFilter) WithBody 

func (r *ReqDumpFilter) WithBody() *ReqDumpFilter

func (*ReqDumpFilter) WithEmptyArgsFilters 

func (r *ReqDumpFilter) WithEmptyArgsFilters() *ReqDumpFilter

func (*ReqDumpFilter) WithEmptyHeadersFilters 

func (r *ReqDumpFilter) WithEmptyHeadersFilters() *ReqDumpFilter

func (*ReqDumpFilter) WithHeaders 

func (r *ReqDumpFilter) WithHeaders() *ReqDumpFilter

func (*ReqDumpFilter) WithHeadersContentFilter 

func (r *ReqDumpFilter) WithHeadersContentFilter(filter string) *ReqDumpFilter

func (*ReqDumpFilter) WithHeadersNameFilter 

func (r *ReqDumpFilter) WithHeadersNameFilter(filter string) *ReqDumpFilter

func (*ReqDumpFilter) WithNoBody 

func (r *ReqDumpFilter) WithNoBody() *ReqDumpFilter

func (*ReqDumpFilter) WithNoHeaders 

func (r *ReqDumpFilter) WithNoHeaders() *ReqDumpFilter

type RulesDetails 

type RulesDetails struct {
	LogLevel log.Level
	Hash     string
	Version  string
	Name     string
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.