✨ Check Cookie

Author: ADD-SP

inc/ngx_http_waf_module.h

@@ -14,6 +14,7 @@
 #define ARGS_FILE ("args")
 #define UA_FILE ("user-agent")
 #define REFERER_FILE ("referer")
+#define COOKIE_FILE ("cookie")
 #define POST_FILE ("post")
 #define WHITE_IPV4_FILE ("white-ipv4")
 #define WHITE_URL_FILE ("white-url")
@@ -66,6 +67,7 @@ typedef struct {
     ngx_array_t                    *black_args;                 /* args 黑名单 */
     ngx_array_t                    *black_ua;                   /* user-agent 黑名单 */
     ngx_array_t                    *black_referer;              /* Referer 黑名单 */
+    ngx_array_t                    *black_cookie;               /* Cookie 黑名单 */
     ngx_array_t                    *black_post;                 /* 请求体内容黑名单 */
     ngx_array_t                    *white_ipv4;                 /* IPV4 白名单 */
     ngx_array_t                    *white_url;                  /* URL 白名单 */
@@ -77,8 +79,8 @@ typedef struct {
     hash_table_item_int_ulong_t    *ipv4_times_old_cur;         /* 执行函数 free_hash_table 时用于记录当前处理到旧的 IPV4 访问频率统计表的哪一项 */
     ngx_int_t                       free_hash_table_step;       /* 记录 free_hash_table 执行到哪一阶段 */
 
-    ngx_int_t                       read_body_done;             /* 请求体是否读取完毕 */
-    ngx_int_t                       waiting_more_body;          /* 是否需要接受更多请求体 */
+    ngx_int_t                       read_body_done:1;           /* 请求体是否读取完毕 */
+    ngx_int_t                       waiting_more_body:1;        /* 是否需要接受更多请求体 */
 }ngx_http_waf_srv_conf_t;
 
 typedef struct {

rules/cookie

@@ -0,0 +1,20 @@
+\.\./
+\:\$
+\$\{
+select.+(from|limit)
+(?:(union(.*?)select))
+having|rongjitest
+sleep\((\s*)(\d*)(\s*)\)
+benchmark\((.*)\,(.*)\)
+base64_decode\(
+(?:from\W+information_schema\W)
+(?:(?:current_)user|database|schema|connection_id)\s*\(
+(?:etc\/\W*passwd)
+into(\s+)+(?:dump|out)file\s*
+group\s+by.+\(
+xwork.MethodAccessor
+(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(
+xwork\.MethodAccessor
+(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/
+java\.lang
+\$_(GET|post|cookie|files|session|env|phplib|GLOBALS|SERVER)\[

src/ngx_http_waf_module.c

@@ -119,6 +119,7 @@ static char* ngx_http_waf_rule_path_conf(ngx_conf_t* cf, ngx_command_t* cmd, voi
     CHECK_AND_LOAD_CONF(cf, full_path, end, ARGS_FILE, srv_conf->black_args, 0);
     CHECK_AND_LOAD_CONF(cf, full_path, end, UA_FILE, srv_conf->black_ua, 0);
     CHECK_AND_LOAD_CONF(cf, full_path, end, REFERER_FILE, srv_conf->black_referer, 0);
+    CHECK_AND_LOAD_CONF(cf, full_path, end, COOKIE_FILE, srv_conf->black_cookie, 0);
     CHECK_AND_LOAD_CONF(cf, full_path, end, POST_FILE, srv_conf->black_post, 0);
     CHECK_AND_LOAD_CONF(cf, full_path, end, WHITE_IPV4_FILE, srv_conf->white_ipv4, 1);
     CHECK_AND_LOAD_CONF(cf, full_path, end, WHITE_URL_FILE, srv_conf->white_url, 0);
@@ -182,6 +183,7 @@ static void* ngx_http_waf_create_srv_conf(ngx_conf_t* cf) {
     srv_conf->black_args = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
     srv_conf->black_ua = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
     srv_conf->black_referer = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
+    srv_conf->black_cookie = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
     srv_conf->black_post = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
     srv_conf->white_ipv4 = ngx_array_create(cf->pool, 10, sizeof(ipv4_t));
     srv_conf->white_url = ngx_array_create(cf->pool, 10, sizeof(ngx_regex_elt_t));
@@ -213,7 +215,7 @@ static ngx_int_t ngx_http_waf_init_after_load_config(ngx_conf_t* cf) {
     ngx_http_core_main_conf_t* cmcf;
 
     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
-    h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
+    h = ngx_array_push(&cmcf->phases[NGX_HTTP_PREACCESS_PHASE].handlers);
     if (h == NULL) {
         return NGX_ERROR;
     }
@@ -313,7 +315,7 @@ static ngx_int_t ngx_http_waf_handler_ip_url_referer_ua_args_post(ngx_http_reque
 
     if (r->headers_in.user_agent != NULL
         && ngx_regex_exec_array(srv_conf->black_ua, &r->headers_in.user_agent->value, r->connection->log) == NGX_OK) {
-        ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "ngx_waf: USER-AGENT");
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: USER-AGENT");
         return NGX_HTTP_FORBIDDEN;
     }
 
@@ -323,10 +325,21 @@ static ngx_int_t ngx_http_waf_handler_ip_url_referer_ua_args_post(ngx_http_reque
     }
     if (r->headers_in.referer != NULL
         && ngx_regex_exec_array(srv_conf->black_referer, &r->headers_in.referer->value, r->connection->log) == NGX_OK) {
-        ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "ngx_waf: REFERER");
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: REFERER");
         return NGX_HTTP_FORBIDDEN;
     }
 
+    if (r->headers_in.cookies.nelts != 0) {
+        ngx_table_elt_t** p = r->headers_in.cookies.elts;
+        size_t i = 0;
+        for (; i < r->headers_in.cookies.nelts; i++, p++) {
+            if (ngx_regex_exec_array(srv_conf->black_cookie, &((*p)->value), r->connection->log) == NGX_OK) {
+                ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, "ngx_waf: COOKIE");
+                return NGX_HTTP_FORBIDDEN;
+            }
+        }
+    }
+
     if (((r->method & NGX_HTTP_POST) != 0) && srv_conf->read_body_done == FALSE) {
         r->request_body_in_persistent_file = 0;
         r->request_body_in_clean_file = 0;
@@ -421,9 +434,6 @@ void check_post(ngx_http_request_t* r)
             continue;
         }
 
-        u_char str[4096];
-        to_c_str(str, body_str);
-
         if (ngx_regex_exec_array(srv_conf->black_post, &body_str, r->connection->log) == NGX_OK) {
             is_blocked = TRUE;
             break;