wafris 2.0.1 → 2.0.3
- checksums.yaml +4 -4
- data/lib/wafris/version.rb +1 -1
- data/lib/wafris/wafris_request.rb +4 -2
- data/lib/wafris.rb +85 -87
- metadata +2 -2
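--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b12f70edd52fc81916790101bddabe8e450b1d97683bc115be5737e5a4d3562a
+data.tar.gz: cf42cbb5eb83750ad066b4762e3b42fead8c02ea3f7c18b6494c0bef1b0c6a48
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6839912471ef9957061996a9376119f907cf6d99f5d6d92a48c08d57a0c7f106f1d3234b9be431ad6b53b99d6e026bbc614d4fe47398738b48cf935b507b8616
+data.tar.gz: eca82696939268ef17064912d3d072686ebd01eac5d1a7aa32e35ca2f72c8d7073176c58cc9010a4d308b2113273c43b9f9b1af8a56b5ad559cbc837b3b3092c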
data/lib/wafris/version.rb
CHANGED
@@ -13,7 +13,7 @@ module Wafris
|
|
13
13
|
@host = encode_to_utf8(request.host.to_s)
|
14
14
|
@request_method = encode_to_utf8(request.request_method)
|
15
15
|
@headers = extract_headers(env)
|
16
|
-
@body = request.body
|
16
|
+
@body = encode_to_utf8(request.body&.string)
|
17
17
|
@request_id = env.fetch('action_dispatch.request_id', SecureRandom.uuid.to_s)
|
18
18
|
@request_timestamp = Time.now.utc.to_i
|
19
19
|
end
|
@@ -27,7 +27,9 @@ module Wafris
|
|
27
27
|
end
|
28
28
|
|
29
29
|
def encode_to_utf8(value)
|
30
|
+
return '' if value.nil?
|
31
|
+
|
30
32
|
value&.dup&.force_encoding('UTF-8')
|
31
33
|
end
|
32
34
|
end
|
33
|
-
end
|
35
|
+
end
|
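Review bot: `@body = encode_to_utf8(request.body&.string)` assumes the Rack input is a StringIO, but Rack only requires the input stream to respond to `gets`, `each` and `read`, so a server that hands over another stream type would raise NoMethodError here, inside the WAF's own request constructor. A guard such as `body = request.body` followed by `@body = encode_to_utf8(body.respond_to?(:string) ? body.string : nil)` keeps the middleware from failing on those requests. `force_encoding('UTF-8')` in `encode_to_utf8` only relabels the bytes, so a client-supplied body with invalid sequences stays invalid; appending `.scrub` would make later matching and JSON encoding safe, and after the new nil guard the `&.` calls are redundant. The constructor starts outside the first hunk, and although the section header reads version.rb, the diffstat counts suggest these hunks belong to wafris_request.rb.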
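--- a/data/lib/wafris.rb
+++ b/data/lib/wafris.rb
@@ -164,9 +164,7 @@ module Wafris
 end
 
 def send_upsync_requests(requests_array)
-
 begin
-
 headers = {'Content-Type' => 'application/json'}
 
 if Rails && Rails.application
@@ -214,23 +212,22 @@ module Wafris
 # The 'rule' parameter represents the specific rule that was matched within the category
 # ex: '192.23.5.4', 'SemRush', etc.
 def queue_upsync_request(ip, user_agent, path, parameters, host, method, treatment, category, rule, request_id, request_timestamp)
-
 if @configuration.upsync_status != 'Disabled' || @configuration.upsync_status != 'Uploading'
 @configuration.upsync_status = 'Uploading'
 
 # Add request to the queue
 request = [ip, user_agent, path, parameters, host, method, treatment, category, rule, request_id, request_timestamp]
 @configuration.upsync_queue << request
-
+
 # If the queue is full, send the requests to the upsync server
 if @configuration.upsync_queue.length >= @configuration.upsync_queue_limit || (Time.now.to_i - @configuration.last_upsync_timestamp) >= @configuration.upsync_interval
 requests_array = @configuration.upsync_queue
 @configuration.upsync_queue = []
 @configuration.last_upsync_timestamp = Time.now.to_i
-
+
 send_upsync_requests(requests_array)
 end
-
+
 @configuration.upsync_status = 'Enabled'
 # Return the treatment - used to return 403 or 200
 
@@ -453,92 +450,93 @@ module Wafris
 
 # This is the main loop that evaluates the request
 # as well as sorts out when downsync and upsync should be called
-def evaluate(ip, user_agent, path, parameters, host, method,
-
+def evaluate(ip, user_agent, path, parameters, host, method, _headers, _body, request_id, request_timestamp)
+@configuration ||= Wafris::Configuration.new
 
-
-
-
+if @configuration.api_key.nil?
+return "Passed"
+else
+rules_db_filename = current_db('custom_rules')
+data_subscriptions_db_filename = current_db('data_subscriptions')
 
-
-data_subscriptions_db_filename = current_db('data_subscriptions')
-
-if rules_db_filename.to_s.strip != '' && data_subscriptions_db_filename.strip.to_s.strip != ''
-
-rules_db = SQLite3::Database.new "#{@configuration.db_file_path}/#{rules_db_filename}"
-data_subscriptions_db = SQLite3::Database.new "#{@configuration.db_file_path}/#{data_subscriptions_db_filename}"
+if rules_db_filename.to_s.strip != '' && data_subscriptions_db_filename.strip.to_s.strip != ''
 
-
-
-
-
-
-
-
-
-end
-
-# Blocked IPs
-if exact_match(ip, 'blocked_ips', rules_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bi', ip, request_id, request_timestamp)
-end
-
-# Blocked CIDR Ranges
-if ip_in_cidr_range(ip, 'blocked_cidr_ranges', rules_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bc', ip, request_id, request_timestamp)
-end
-
-# Blocked Country Codes
-country_code = get_country_code(ip, data_subscriptions_db)
-if exact_match(country_code, 'blocked_country_codes', rules_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "G_#{country_code}", request_id, request_timestamp)
-end
-
-# Blocked Reputation IP Ranges
-if ip_in_cidr_range(ip, 'reputation_ip_ranges', data_subscriptions_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "R", request_id, request_timestamp)
-end
-
-# Blocked User Agents
-user_agent_match = substring_match(user_agent, 'blocked_user_agents', rules_db)
-if user_agent_match
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bu', user_agent_match, request_id, request_timestamp)
-end
-
-# Blocked Paths
-path_match = substring_match(path, 'blocked_paths', rules_db)
-if path_match
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bp', path_match, request_id, request_timestamp)
-end
-
-# Blocked Parameters
-parameters_match = substring_match(parameters, 'blocked_parameters', rules_db)
-if parameters_match
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'ba', parameters_match, request_id, request_timestamp)
-end
-
-# Blocked Hosts
-if exact_match(host, 'blocked_hosts', rules_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bh', host, request_id, request_timestamp)
-end
-
-# Blocked Methods
-if exact_match(method, 'blocked_methods', rules_db)
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bm', method, request_id, request_timestamp)
-end
-
-# Rate Limiting
-rule_id = check_rate_limit(ip, path, method, rules_db)
-if rule_id
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'brl', rule_id, request_id, request_timestamp)
-end
-
+rules_db = SQLite3::Database.new "#{@configuration.db_file_path}/#{rules_db_filename}"
+data_subscriptions_db =
+SQLite3::Database.new "#{@configuration.db_file_path}/#{data_subscriptions_db_filename}"
+
+# Allowed IPs
+if exact_match(ip, 'allowed_ips', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Allowed', 'ai',
+ip, request_id, request_timestamp)
 end
-
-# Passed if no allow or block rules matched
-return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Passed', 'passed', '-', request_id, request_timestamp)
 
-
+# Allowed CIDR Ranges
+if ip_in_cidr_range(ip, 'allowed_cidr_ranges', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Allowed', 'ac', ip, request_id, request_timestamp)
+end
+
+# Blocked IPs
+if exact_match(ip, 'blocked_ips', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bi', ip, request_id, request_timestamp)
+end
+
+# Blocked CIDR Ranges
+if ip_in_cidr_range(ip, 'blocked_cidr_ranges', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bc', ip, request_id, request_timestamp)
+end
+
+# Blocked Country Codes
+country_code = get_country_code(ip, data_subscriptions_db)
+if exact_match(country_code, 'blocked_country_codes', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "G_#{country_code}", request_id, request_timestamp)
+end
+
+# Blocked Reputation IP Ranges
+if ip_in_cidr_range(ip, 'reputation_ip_ranges', data_subscriptions_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bs', "R", request_id, request_timestamp)
+end
+
+# Blocked User Agents
+user_agent_match = substring_match(user_agent, 'blocked_user_agents', rules_db)
+if user_agent_match
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bu', user_agent_match, request_id, request_timestamp)
+end
+
+# Blocked Paths
+path_match = substring_match(path, 'blocked_paths', rules_db)
+if path_match
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bp', path_match, request_id, request_timestamp)
+end
+
+# Blocked Parameters
+parameters_match = substring_match(parameters, 'blocked_parameters', rules_db)
+if parameters_match
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'ba', parameters_match, request_id, request_timestamp)
+end
+
+# Blocked Hosts
+if exact_match(host, 'blocked_hosts', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bh', host, request_id, request_timestamp)
+end
+
+# Blocked Methods
+if exact_match(method, 'blocked_methods', rules_db)
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'bm', method, request_id, request_timestamp)
+end
+
+# Rate Limiting
+rule_id = check_rate_limit(ip, path, method, rules_db)
+if rule_id
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Blocked', 'brl', rule_id, request_id, request_timestamp)
+end
+
+end
+
+# Passed if no allow or block rules matched
+return queue_upsync_request(ip, user_agent, path, parameters, host, method, 'Passed', 'passed', '-', request_id, request_timestamp)
+
+end # end api_key.nil?
 end # end evaluate
 
 def debug(api_key)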
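Review bot: In `evaluate`, the two `SQLite3::Database.new` handles opened at new lines 464–466 are never closed: every rule branch leaves through `return queue_upsync_request(...)`, so each request depends on garbage collection to release two database handles. Under sustained traffic that can exhaust file descriptors in the very process the middleware is protecting. Wrapping the rule checks in `begin … ensure` with `rules_db&.close` and `data_subscriptions_db&.close` would release them on every path. Separately, the new `return "Passed"` when `api_key` is nil, and the fall-through to 'Passed' when either DB filename is blank, both fail open without any log line, so a misconfiguration silently disables enforcement; a one-time warning on those paths would make it detectable. The helpers `exact_match`, `ip_in_cidr_range` and `current_db` are defined outside this hunk.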
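--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wafris
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.3
 platform: ruby
 authors:
 - Michael Buckbee
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-10-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack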