管理系统增加XSS和SQL注入攻击防御

Author: iwind

internal/ttlcache/utils.go

@@ -1,6 +1,6 @@
 package ttlcache
 
-import "github.com/cespare/xxhash"
+import "github.com/cespare/xxhash/v2"
 
 func HashKey(key []byte) uint64 {
 	return xxhash.Sum64(key)

internal/waf/injectionutils/libinjection/COPYING

@@ -0,0 +1,32 @@
+Copyright (c) 2012-2016, Nick Galbreath
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+https://github.com/client9/libinjection
+http://opensource.org/licenses/BSD-3-Clause

internal/waf/injectionutils/libinjection/README.md

@@ -0,0 +1 @@
+copy from https://github.com/libinjection/libinjection

internal/waf/injectionutils/libinjection/src/libinjection.h

@@ -0,0 +1,65 @@
+/**
+ * Copyright 2012-2016 Nick Galbreath
+ * [email protected]
+ * BSD License -- see COPYING.txt for details
+ *
+ * https://libinjection.client9.com/
+ *
+ */
+
+#ifndef LIBINJECTION_H
+#define LIBINJECTION_H
+
+#ifdef __cplusplus
+# define LIBINJECTION_BEGIN_DECLS    extern "C" {
+# define LIBINJECTION_END_DECLS      }
+#else
+# define LIBINJECTION_BEGIN_DECLS
+# define LIBINJECTION_END_DECLS
+#endif
+
+LIBINJECTION_BEGIN_DECLS
+
+/*
+ * Pull in size_t
+ */
+#include <string.h>
+
+/*
+ * Version info.
+ *
+ * This is moved into a function to allow SWIG and other auto-generated
+ * binding to not be modified during minor release changes.  We change
+ * change the version number in the c source file, and not regenerated
+ * the binding
+ *
+ * See python's normalized version
+ * http://www.python.org/dev/peps/pep-0386/#normalizedversion
+ */
+const char* libinjection_version(void);
+
+/**
+ * Simple API for SQLi detection - returns a SQLi fingerprint or NULL
+ * is benign input
+ *
+ * \param[in] s  input string, may contain nulls, does not need to be null-terminated
+ * \param[in] slen input string length
+ * \param[out] fingerprint buffer of 8+ characters.  c-string,
+ * \return 1 if SQLi, 0 if benign.  fingerprint will be set or set to empty string.
+ */
+int libinjection_sqli(const char* s, size_t slen, char fingerprint[]);
+
+/** ALPHA version of xss detector.
+ *
+ * NOT DONE.
+ *
+ * \param[in] s  input string, may contain nulls, does not need to be null-terminated
+ * \param[in] slen input string length
+ * \return 1 if XSS found, 0 if benign
+ *
+ */
+int libinjection_xss(const char* s, size_t slen, int strictMode);
+
+LIBINJECTION_END_DECLS
+
+#endif /* LIBINJECTION_H */