forked from p0pr0ck5/lua-resty-waf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
waf.lua
620 lines (496 loc) · 15.5 KB
/
waf.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
local _M = {}
_M.version = "0.7.0"
local calc = require "lib.rule_calc"
local logger = require("lib.log")
local lookup = require("lib.lookup")
local opts = require("lib.opts")
local phase_t = require("lib.phase")
local random = require("lib.random")
local storage = require("lib.storage")
local util = require("lib.util")
local mt = { __index = _M }
-- default list of rulesets (global here to have offsets precomputed)
local _global_rulesets = { 11000, 20000, 21000, 35000, 40000, 41000, 42000, 90000, 99000 }
-- ruleset table cache
local _ruleset_defs = {}
-- default options
local default_opts = util.table_copy(opts.defaults)
-- get a subset or superset of request data collection
local function _parse_collection(self, collection, parse)
if (type(collection) ~= "table" and parse) then
-- if a collection isn't a table it can't be parsed,
-- so we shouldn't return the original collection as
-- it may have an illegal operator called on it
return nil
end
if (type(collection) ~= "table" or not parse) then
-- this collection isnt parseable but it's not unsafe to use
return collection
end
-- get the next (first)(only) k/v pair in the parse table
local key, value = next(parse)
return lookup.parse_collection[key](self, collection, value)
end
-- buffer a single log event into the per-request ctx table
-- all event logs will be written out at the completion of the transaction if either:
-- 1. the transaction was altered (e.g. a rule matched with an ACCEPT or DENY action), or
-- 2. the event_log_altered_only option is unset
local function _log_event(self, rule, value, ctx)
local t = {
id = rule.id,
match = value
}
if (self._event_log_verbosity > 1) then
t.description = rule.description
end
if (self._event_log_verbosity > 2) then
t.opts = rule.opts
t.action = rule.action
end
if (self._event_log_verbosity > 3) then
t.var = rule.var
end
if (rule.logdata) then
t.logdata = util.parse_dynamic_value(self, rule.logdata, ctx.collections)
end
ctx.log_entries_n = ctx.log_entries_n + 1
ctx.log_entries[ctx.log_entries_n] = t
end
-- restore options from a previous phase
local function _load(self, opts)
for k, v in pairs(opts) do
self[k] = v
end
end
-- save options to the ctx table to be used in another phase
local function _save(self, ctx)
local opts = {}
for k, v in pairs(self) do
opts[k] = v
end
ctx.opts = opts
end
local function _transaction_id_header(self, ctx)
-- upstream request header
if (self._req_tid_header) then
ngx.req.set_header("X-Lua-Resty-WAF-ID", self.transaction_id)
end
-- downstream response header
if (self._res_tid_header) then
ngx.header["X-Lua-Resty-WAF-ID"] = self.transaction_id
end
ctx.t_header_set = true
end
-- cleanup
local function _finalize(self, ctx)
-- set X-Lua-Resty-WAF-ID headers as appropriate
if (not ctx.t_header_set) then
_transaction_id_header(self, ctx)
end
-- save our options for the next phase
_save(self, ctx)
-- persistent variable storage
storage.persist(self, ctx.storage)
-- store the local copy of the ctx table
ngx.ctx = ctx
end
-- non-disruptive actions for persistent storage handling
local function _handle_storage(self, opts, ctx, collections)
if (opts.initcol) then
for col, value in pairs(opts.initcol) do
local parsed = util.parse_dynamic_value(self, value, collections)
logger.log(self, "Initializing " .. col .. " as " .. parsed)
storage.initialize(self, ctx.storage, parsed)
ctx.col_lookup[col] = parsed
collections[col] = ctx.storage[parsed]
end
end
if (opts.setvar) then
for k in ipairs(opts.setvar) do
local element = opts.setvar[k]
local value = util.parse_dynamic_value(self, element.value, collections)
storage.set_var(self, ctx, element, value)
end
end
if (opts.expirevar) then
for k in ipairs(opts.expirevar) do
local element = opts.expirevar[k]
logger.log(self, "Expiring " .. element.col .. ":" .. element.key .. " in " .. element.time)
storage.set_var(self, ctx, element, element.time + ngx.time())
end
end
end
-- use the lookup table to figure out what to do
local function _rule_action(self, action, ctx, collections)
if (not action) then
return
end
if (util.table_has_key(action, lookup.alter_actions)) then
ctx.altered[ctx.phase] = true
_finalize(self, ctx)
end
lookup.actions[action](self, ctx, collections)
end
-- transform collection values based on rule opts
local function _do_transform(self, collection, transform)
local t = {}
if (type(transform) == "table") then
t = collection
for k, v in ipairs(transform) do
t = _do_transform(self, t, transform[k])
end
else
-- if the collection is a table, loop through it and add the values to the tmp table
-- otherwise, this returns directly to _process_rule or a recursed call from multiple transforms
if (type(collection) == "table") then
for k, v in pairs(collection) do
t[k] = _do_transform(self, collection[k], transform)
end
else
if (not collection) then
return collection -- dont transform if the collection was nil, i.e. a specific arg key dne
end
logger.log(self, "doing transform of type " .. transform .. " on collection value " .. tostring(collection))
return lookup.transform[transform](self, collection)
end
end
return t
end
-- process an individual rule
local function _process_rule(self, rule, collections, ctx)
local id = rule.id
local vars = rule.vars
local opts = rule.opts or {}
local action = rule.action
local pattern = rule.pattern
local operator = rule.operator
local offset
ctx.id = id
ctx.rule_score = opts.score
for k, v in ipairs(vars) do
local collection, var
var = vars[k]
if (var.unconditional) then
collection = true
elseif (type(collections[var.type]) == "function") then
collection = collections[var.type](self)
else
local collection_key = var.collection_key
logger.log(self, "Checking for collection_key " .. collection_key)
if (not var.storage and not ctx.transform_key[collection_key]) then
logger.log(self, "Collection cache miss")
collection = _parse_collection(self, collections[var.type], var.parse)
if (opts.transform) then
collection = _do_transform(self, collection, opts.transform)
end
if (collection and var.length) then
logger.log(self, "col length is " .. #collection)
collection = #collection
end
ctx.transform[collection_key] = collection
ctx.transform_key[collection_key] = true
elseif (var.storage) then
logger.log(self, "Forcing cache miss")
collection = _parse_collection(self, collections[var.type], var.parse)
else
logger.log(self, "Collection cache hit!")
collection = ctx.transform[collection_key]
end
end
if (not collection) then
logger.log(self, "No values for this collection")
offset = rule.offset_nomatch
else
if (opts.parsepattern) then
logger.log(self, "Parsing dynamic pattern: " .. pattern)
pattern = util.parse_dynamic_value(self, pattern, collections)
end
local match, value
if (var.unconditional) then
match = true
value = 1
else
match, value = lookup.operators[operator](self, collection, pattern, ctx)
end
if (rule.op_negated) then
match = not match
end
if (match) then
logger.log(self, "Match of rule " .. id)
-- store this match as the most recent match
collections.MATCHED_VAR = value
collections.MATCHED_VAR_NAME = var
-- also add the match to our list of matches for the transaction
if value then
local match_n = ctx.match_n + 1
collections.MATCHED_VARS[match_n] = value
collections.MATCHED_VAR_NAMES[match_n] = var
ctx.match_n = match_n
end
-- auto populate collection elements
if (not rule.op_negated) then
if (operator == "REGEX") then
collections.TX["0"] = value[0]
for i in ipairs(value) do
collections.TX[tostring(i)] = value[i]
end
else
collections.TX["0"] = value
end
end
collections.RULE = rule
-- wrapper for initcol, setvar, and expirevar actions
_handle_storage(self, opts, ctx, collections)
-- log the event
if (not opts.nolog) then
_log_event(self, rule, value, ctx)
else
logger.log(self, "We had a match, but not logging because opts.nolog is set")
end
-- wrapper for the rules action
_rule_action(self, action, ctx, collections)
offset = rule.offset_match
break
else
offset = rule.offset_nomatch
end
end
end
logger.log(self, "Returning offset " .. tostring(offset))
return offset
end
-- calculate rule jump offsets
local function _calculate_offset(ruleset)
for phase, i in pairs(phase_t.phases) do
if (ruleset[phase]) then
calc.calculate(ruleset[phase])
else
ruleset[phase] = {}
end
end
ruleset.initted = true
end
-- merge the default and any custom rules
local function _merge_rulesets(self)
local default = _global_rulesets
local added = self._add_ruleset
local ignored = self._ignore_ruleset
local t = {}
for k, v in ipairs(default) do
t[v] = true
end
for k, v in ipairs(added) do
logger.log(self, "Adding ruleset " .. v)
t[v] = true
end
for k, v in ipairs(ignored) do
logger.log(self, "Ignoring ruleset " .. v)
t[v] = nil
end
t = util.table_keys(t)
-- rulesets will be processed in numeric order
table.sort(t, function(a, b)
return string.lower(a) < string.lower(b)
end)
self._active_rulesets = t
end
-- main entry point
function _M.exec(self)
if (self._mode == "INACTIVE") then
logger.log(self, "Operational mode is INACTIVE, not running")
return
end
local phase = ngx.get_phase()
if (not phase_t.is_valid_phase(phase)) then
logger.fatal_fail("lua-resty-waf should not be run in phase " .. phase)
end
local ctx = ngx.ctx
local collections = ctx.collections or {}
-- restore options from a previous phase
if (ctx.opts) then
_load(self, ctx.opts)
end
ctx.altered = ctx.altered or {}
ctx.col_lookup = ctx.col_lookup or {}
ctx.log_entries = ctx.log_entries or {}
ctx.log_entries_n = ctx.log_entries_n or 0
ctx.storage = ctx.storage or {}
ctx.transform = ctx.transform or {}
ctx.transform_key = ctx.transform_key or {}
ctx.score = ctx.score or 0
ctx.t_header_set = ctx.t_header_set or false
ctx.phase = phase
ctx.match_n = ctx.match_n or 0
-- pre-initialize the TX collection
ctx.storage["TX"] = ctx.storage["TX"] or {}
ctx.col_lookup["TX"] = "TX"
-- see https://groups.google.com/forum/#!topic/openresty-en/LVR9CjRT5-Y
if (ctx.altered[phase]) then
logger.log(self, "Transaction was already altered, not running!")
return
end
-- populate the collections table
lookup.collections[phase](self, collections, ctx)
-- don't run through the rulesets if we're going to be here again
-- (e.g. multiple chunks are going through body_filter)
if ctx.short_circuit then return end
-- store the collections table in ctx, which will get saved to ngx.ctx
ctx.collections = collections
-- build rulesets
if (self.need_merge) then
_merge_rulesets(self)
end
logger.log(self, "Beginning run of phase " .. phase)
for _, ruleset in ipairs(self._active_rulesets) do
logger.log(self, "Beginning ruleset " .. ruleset)
local rs = _ruleset_defs[ruleset]
if (not rs) then
local err
rs, err = util.load_ruleset(ruleset)
if (err) then
logger.fatal_fail(err)
else
logger.log(self, "Doing offset calculation of " .. ruleset)
_calculate_offset(rs)
_ruleset_defs[ruleset] = rs
end
end
local offset = 1
local rule = rs[phase][offset]
while rule do
local id = rule.id
if (not util.table_has_key(id, self._ignore_rule)) then
logger.log(self, "Processing rule " .. id)
local returned_offset = _process_rule(self, rule, collections, ctx)
if (returned_offset) then
offset = offset + returned_offset
else
offset = nil
end
else
logger.log(self, "Ignoring rule " .. id)
offset = offset + rule.offset_nomatch
end
if not offset then break end
rule = rs[phase][offset]
end
end
_finalize(self, ctx)
end
-- instantiate a new instance of the module
function _M.new(self)
-- we need a separate copy of this table since we will
-- potentially override values with set_option
local t = util.table_copy(default_opts)
t.transaction_id = random.random_bytes(10)
-- handle conditions where init() wasnt called
-- and the default rulesets weren't merged
if (not t._active_rulesets) then
t.need_merge = true
end
return setmetatable(t, mt)
end
-- configuraton wrapper for per-instance options
function _M.set_option(self, option, value)
if (type(value) == "table") then
for _, v in ipairs(value) do
_M.set_option(self, option, v)
end
else
if (lookup.set_option[option]) then
lookup.set_option[option](self, value)
else
local _option = "_" .. option
self[_option] = value
end
end
end
-- configuraton wrapper for default options
function _M.default_option(option, value)
if (type(value) == "table") then
for _, v in ipairs(value) do
_M.default_option(option, v)
end
else
if (lookup.set_option[option]) then
lookup.set_option[option](default_opts, value)
else
local _option = "_" .. option
default_opts[_option] = value
end
end
end
-- reset the given option to its static default
function _M.reset_option(self, option)
local _option = "_" .. option
self[_option] = opts.defaults[_option]
if (option == "add_ruleset" or option == "ignore_ruleset") then
self.need_merge = true
end
end
-- init_by_lua handler precomputations
function _M.init()
-- do an initial rule merge based on default_option calls
-- this prevents have to merge every request in scopes
-- which do not further alter elected rulesets
_merge_rulesets(default_opts)
-- do offset jump calculations for default rulesets
-- this is also lazily handled in exec() for rulesets
-- that dont appear here
for _, ruleset in ipairs(default_opts._active_rulesets) do
local rs, err = util.load_ruleset(ruleset)
if (err) then
ngx.log(ngx.ERR, err)
else
_calculate_offset(rs)
_ruleset_defs[ruleset] = rs
end
end
-- clear this flag if we handled additional rulesets
-- so its not passed to new objects
default_opts.need_merge = false
end
-- push log data regarding matching rule(s) to the configured target
-- in the case of socket or file logging, this data will be buffered
function _M.write_log_events(self)
-- there is a small bit of code duplication here to get our context
-- because this lives outside exec()
local ctx = ngx.ctx
if (ctx.opts) then
_load(self, ctx.opts)
end
if (table.getn(util.table_keys(ctx.altered)) == 0 and self._event_log_altered_only) then
logger.log(self, "Not logging a request that wasn't altered")
return
end
if (ctx.log_entries_n == 0) then
logger.log(self, "Not logging a request that had no rule alerts")
return
end
local entry = {
timestamp = ngx.time(),
client = ctx.collections["REMOTE_ADDR"],
method = ctx.collections["METHOD"],
uri = ctx.collections["URI"],
alerts = ctx.log_entries,
score = ctx.score,
id = self.transaction_id,
}
if self._event_log_request_arguments then
entry.uri_args = ctx.collections["URI_ARGS"]
end
if self._event_log_request_headers then
entry.request_headers = ctx.collections["REQUEST_HEADERS"]
end
if self._event_log_request_body then
entry.request_body = ctx.collections["REQUEST_BODY"]
end
if (table.getn(util.table_keys(self._event_log_ngx_vars)) ~= 0) then
entry.ngx = {}
for k, v in pairs(self._event_log_ngx_vars) do
entry.ngx[k] = ngx.var[k]
end
end
lookup.write_log_events[self._event_log_target](self, entry)
end
return _M