aiwaf-rust 0.1.0__tar.gz

aiwaf_rust-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,94 @@
+name: Build and Publish Rust Package
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-wheels:
+    name: Build wheels (${{ matrix.os }} / py${{ matrix.python }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Build wheel
+        uses: PyO3/maturin-action@v1
+        env:
+          PYTHON_SYS_EXECUTABLE: ${{ steps.setup-python.outputs.python-path }}
+          PYO3_PYTHON: ${{ steps.setup-python.outputs.python-path }}
+        with:
+          command: build
+          args: --release --out dist
+          sccache: true
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-wheels-${{ matrix.os }}-py${{ matrix.python }}
+          path: dist
+
+  build-sdist:
+    name: Build sdist
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: --out dist
+
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: [build-wheels, build-sdist]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+
+    steps:
+      - name: Download wheels
+        uses: actions/download-artifact@v4
+        with:
+          pattern: rust-wheels-*
+          path: dist
+          merge-multiple: true
+
+      - name: Download sdist
+        uses: actions/download-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/

aiwaf_rust-0.1.0/.gitignore

@@ -0,0 +1,5 @@
+# Python virtual environments
+.venv/
+venv/
+env/
+ENV/

aiwaf_rust-0.1.0/Cargo.lock

@@ -0,0 +1,291 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "aiwaf_rust"
+version = "0.1.0"
+dependencies = [
+ "once_cell",
+ "pyo3",
+ "regex",
+]
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "bitflags"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "heck"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
+
+[[package]]
+name = "indoc"
+version = "2.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
+dependencies = [
+ "rustversion",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.182"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "memoffset"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "portable-atomic"
+version = "1.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "pyo3"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e00b96a521718e08e03b1a622f01c8a8deb50719335de3f60b3b3950f069d8"
+dependencies = [
+ "cfg-if",
+ "indoc",
+ "libc",
+ "memoffset",
+ "parking_lot",
+ "portable-atomic",
+ "pyo3-build-config",
+ "pyo3-ffi",
+ "pyo3-macros",
+ "unindent",
+]
+
+[[package]]
+name = "pyo3-build-config"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7883df5835fafdad87c0d888b266c8ec0f4c9ca48a5bed6bbb592e8dedee1b50"
+dependencies = [
+ "once_cell",
+ "target-lexicon",
+]
+
+[[package]]
+name = "pyo3-ffi"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "01be5843dc60b916ab4dad1dca6d20b9b4e6ddc8e15f50c47fe6d85f1fb97403"
+dependencies = [
+ "libc",
+ "pyo3-build-config",
+]
+
+[[package]]
+name = "pyo3-macros"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77b34069fc0682e11b31dbd10321cbf94808394c56fd996796ce45217dfac53c"
+dependencies = [
+ "proc-macro2",
+ "pyo3-macros-backend",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "pyo3-macros-backend"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08260721f32db5e1a5beae69a55553f56b99bd0e1c3e6e0a5e8851a9d0f5a85c"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "pyo3-build-config",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "syn"
+version = "2.0.116"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "target-lexicon"
+version = "0.12.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e"
+
+[[package]]
+name = "unindent"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7264e107f553ccae879d21fbea1d6724ac785e8c3bfc762137959b5802826ef3"
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"

aiwaf_rust-0.1.0/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "aiwaf_rust"
+version = "0.1.0"
+edition = "2021"
+description = "Rust-powered WAF heuristics exposed to Python via PyO3"
+license = "MIT"
+readme = "README.md"
+repository = "https://github.com/your-org/aiwaf-rust"
+keywords = ["waf", "security", "python", "pyo3"]
+categories = ["network-programming", "web-programming"]
+
+[lib]
+name = "aiwaf_rust"
+crate-type = ["cdylib"]
+
+[dependencies]
+once_cell = "1"
+pyo3 = { version = "0.21", features = ["extension-module"] }
+regex = "1"

aiwaf_rust-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AIWAF
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aiwaf_rust-0.1.0/PKG-INFO

@@ -0,0 +1,32 @@
+Metadata-Version: 2.4
+Name: aiwaf-rust
+Version: 0.1.0
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Rust
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+License-File: LICENSE
+Summary: Rust-powered WAF heuristics exposed to Python via PyO3
+Author: AIWAF maintainers
+License: MIT
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
+
+# aiwaf-rust
+
+Rust-based request-header and behavior heuristics exposed as a Python extension via PyO3.
+
+## Build locally
+
+```bash
+pip install maturin
+maturin develop
+```
+
+## Run Rust tests
+
+```bash
+cargo test
+```
+

aiwaf_rust-0.1.0/README.md

@@ -0,0 +1,16 @@
+# aiwaf-rust
+
+Rust-based request-header and behavior heuristics exposed as a Python extension via PyO3.
+
+## Build locally
+
+```bash
+pip install maturin
+maturin develop
+```
+
+## Run Rust tests
+
+```bash
+cargo test
+```

aiwaf_rust-0.1.0/pyproject.toml

@@ -0,0 +1,25 @@
+[build-system]
+requires = ["maturin>=1.6,<2.0"]
+build-backend = "maturin"
+
+[project]
+name = "aiwaf-rust"
+version = "0.1.0"
+description = "Rust-powered WAF heuristics exposed to Python via PyO3"
+readme = "README.md"
+requires-python = ">=3.8"
+license = { text = "MIT" }
+authors = [
+  { name = "AIWAF maintainers" }
+]
+classifiers = [
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Rust",
+  "License :: OSI Approved :: MIT License",
+  "Operating System :: OS Independent"
+]
+
+[tool.maturin]
+manifest-path = "Cargo.toml"
+module-name = "aiwaf_rust"

aiwaf_rust-0.1.0/src/lib.rs

@@ -0,0 +1,645 @@
+use once_cell::sync::Lazy;
+use pyo3::exceptions::PyKeyError;
+use pyo3::prelude::*;
+use pyo3::types::{PyAny, PyDict};
+use pyo3::FromPyObject;
+use regex::Regex;
+use std::collections::{HashMap, HashSet};
+
+static LEGITIMATE_BOTS: Lazy<Vec<Regex>> = Lazy::new(|| {
+    vec![
+        Regex::new(r"googlebot").unwrap(),
+        Regex::new(r"bingbot").unwrap(),
+        Regex::new(r"slurp").unwrap(),
+        Regex::new(r"duckduckbot").unwrap(),
+        Regex::new(r"baiduspider").unwrap(),
+        Regex::new(r"yandexbot").unwrap(),
+        Regex::new(r"facebookexternalhit").unwrap(),
+        Regex::new(r"twitterbot").unwrap(),
+        Regex::new(r"linkedinbot").unwrap(),
+        Regex::new(r"whatsapp").unwrap(),
+        Regex::new(r"telegrambot").unwrap(),
+        Regex::new(r"applebot").unwrap(),
+        Regex::new(r"pingdom").unwrap(),
+        Regex::new(r"uptimerobot").unwrap(),
+        Regex::new(r"statuscake").unwrap(),
+        Regex::new(r"site24x7").unwrap(),
+    ]
+});
+
+static SUSPICIOUS_UA: Lazy<Vec<(&'static str, Regex)>> = Lazy::new(|| {
+    vec![
+        (r"bot", Regex::new(r"bot").unwrap()),
+        (r"crawler", Regex::new(r"crawler").unwrap()),
+        (r"spider", Regex::new(r"spider").unwrap()),
+        (r"scraper", Regex::new(r"scraper").unwrap()),
+        (r"curl", Regex::new(r"curl").unwrap()),
+        (r"wget", Regex::new(r"wget").unwrap()),
+        (r"python", Regex::new(r"python").unwrap()),
+        (r"java", Regex::new(r"java").unwrap()),
+        (r"node", Regex::new(r"node").unwrap()),
+        (r"go-http", Regex::new(r"go-http").unwrap()),
+        (r"axios", Regex::new(r"axios").unwrap()),
+        (r"okhttp", Regex::new(r"okhttp").unwrap()),
+        (r"libwww", Regex::new(r"libwww").unwrap()),
+        (r"lwp-trivial", Regex::new(r"lwp-trivial").unwrap()),
+        (r"mechanize", Regex::new(r"mechanize").unwrap()),
+        (r"requests", Regex::new(r"requests").unwrap()),
+        (r"urllib", Regex::new(r"urllib").unwrap()),
+        (r"httpie", Regex::new(r"httpie").unwrap()),
+        (r"postman", Regex::new(r"postman").unwrap()),
+        (r"insomnia", Regex::new(r"insomnia").unwrap()),
+        (r"^$", Regex::new(r"^$").unwrap()),
+        (r"mozilla/4\.0$", Regex::new(r"mozilla/4\.0$").unwrap()),
+    ]
+});
+
+fn get_header(headers: &Bound<'_, PyDict>, key: &str) -> Option<String> {
+    headers
+        .get_item(key)
+        .ok()
+        .flatten()
+        .and_then(|v| v.str().ok())
+        .and_then(|s| s.to_str().ok().map(|v| v.to_string()))
+}
+
+fn has_header(headers: &Bound<'_, PyDict>, key: &str) -> bool {
+    match get_header(headers, key) {
+        Some(value) => !value.is_empty(),
+        None => false,
+    }
+}
+
+fn check_user_agent(user_agent: &str) -> Option<String> {
+    if user_agent.is_empty() {
+        return Some("Empty user agent".to_string());
+    }
+
+    let ua_lower = user_agent.to_lowercase();
+
+    for legit in LEGITIMATE_BOTS.iter() {
+        if legit.is_match(&ua_lower) {
+            return None;
+        }
+    }
+
+    for (pattern, regex) in SUSPICIOUS_UA.iter() {
+        if regex.is_match(&ua_lower) {
+            return Some(format!("Pattern: {}", pattern));
+        }
+    }
+
+    if user_agent.len() < 10 {
+        return Some("Too short".to_string());
+    }
+    if user_agent.len() > 500 {
+        return Some("Too long".to_string());
+    }
+
+    None
+}
+
+#[pyfunction]
+fn validate_headers(headers: Bound<'_, PyDict>) -> PyResult<Option<String>> {
+    validate_headers_with_config(headers, None, None)
+}
+
+#[pyfunction]
+fn validate_headers_with_config(
+    headers: Bound<'_, PyDict>,
+    required_headers: Option<Vec<String>>,
+    min_score: Option<i32>,
+) -> PyResult<Option<String>> {
+    let required = required_headers.unwrap_or_else(|| {
+        vec!["HTTP_USER_AGENT".to_string(), "HTTP_ACCEPT".to_string()]
+    });
+    let required_set: HashSet<String> = required.iter().cloned().collect();
+    let check_required = !required.is_empty();
+
+    let mut missing = Vec::new();
+    if check_required {
+        if required_set.contains("HTTP_USER_AGENT") && !has_header(&headers, "HTTP_USER_AGENT") {
+            missing.push("user-agent".to_string());
+        }
+        if required_set.contains("HTTP_ACCEPT") && !has_header(&headers, "HTTP_ACCEPT") {
+            missing.push("accept".to_string());
+        }
+    }
+
+    if !missing.is_empty() {
+        return Ok(Some(format!(
+            "Missing required headers: {}",
+            missing.join(", ")
+        )));
+    }
+
+    let user_agent = get_header(&headers, "HTTP_USER_AGENT").unwrap_or_default();
+    if let Some(reason) = check_user_agent(&user_agent) {
+        return Ok(Some(format!("Suspicious user agent: {}", reason)));
+    }
+
+    let server_protocol = get_header(&headers, "SERVER_PROTOCOL").unwrap_or_default();
+    let accept = get_header(&headers, "HTTP_ACCEPT").unwrap_or_default();
+    let accept_language = get_header(&headers, "HTTP_ACCEPT_LANGUAGE").unwrap_or_default();
+    let accept_encoding = get_header(&headers, "HTTP_ACCEPT_ENCODING").unwrap_or_default();
+    let connection = get_header(&headers, "HTTP_CONNECTION").unwrap_or_default();
+
+    if check_required {
+        if server_protocol.starts_with("HTTP/2")
+            && user_agent.to_lowercase().contains("mozilla/4.0")
+        {
+            return Ok(Some(
+                "Suspicious headers: HTTP/2 with old browser user agent".to_string(),
+            ));
+        }
+        if !user_agent.is_empty()
+            && accept.is_empty()
+            && required_set.contains("HTTP_ACCEPT")
+        {
+            return Ok(Some(
+                "Suspicious headers: User-Agent present but no Accept header".to_string(),
+            ));
+        }
+        if accept == "*/*" && accept_language.is_empty() && accept_encoding.is_empty() {
+            return Ok(Some(
+                "Suspicious headers: Generic Accept header without language/encoding".to_string(),
+            ));
+        }
+        if !user_agent.is_empty()
+            && accept_language.is_empty()
+            && accept_encoding.is_empty()
+            && connection.is_empty()
+        {
+            return Ok(Some(
+                "Suspicious headers: Missing all browser-standard headers".to_string(),
+            ));
+        }
+        if !user_agent.is_empty()
+            && server_protocol == "HTTP/1.0"
+            && user_agent.to_lowercase().contains("chrome")
+        {
+            return Ok(Some(
+                "Suspicious headers: Modern browser with HTTP/1.0".to_string(),
+            ));
+        }
+    }
+
+    let mut score = 0;
+    if has_header(&headers, "HTTP_USER_AGENT") {
+        score += 2;
+    }
+    if has_header(&headers, "HTTP_ACCEPT") {
+        score += 2;
+    }
+
+    for header in [
+        "HTTP_ACCEPT_LANGUAGE",
+        "HTTP_ACCEPT_ENCODING",
+        "HTTP_CONNECTION",
+        "HTTP_CACHE_CONTROL",
+    ] {
+        if has_header(&headers, header) {
+            score += 1;
+        }
+    }
+
+    if !accept_language.is_empty() && !accept_encoding.is_empty() {
+        score += 1;
+    }
+    if connection == "keep-alive" {
+        score += 1;
+    }
+    if accept.contains("text/html") && accept.contains("application/xml") {
+        score += 1;
+    }
+
+    let min_score = min_score.unwrap_or(3);
+    if min_score > 0 && score < min_score {
+        return Ok(Some(format!("Low header quality score: {}", score)));
+    }
+
+    Ok(None)
+}
+
+#[derive(Clone)]
+struct FeatureRecordInput {
+    ip: String,
+    path_lower: String,
+    path_len: usize,
+    timestamp: f64,
+    response_time: f64,
+    status_idx: i32,
+    kw_check: bool,
+    total_404: i32,
+}
+
+impl<'py> FromPyObject<'py> for FeatureRecordInput {
+    fn extract(ob: &'py PyAny) -> PyResult<Self> {
+        let dict: &PyDict = ob.downcast()?;
+
+        let get_required = |key: &str| -> PyResult<&PyAny> {
+            dict.get_item(key)?
+                .ok_or_else(|| PyErr::new::<PyKeyError, _>(key.to_string()))
+        };
+
+        Ok(Self {
+            ip: get_required("ip")?.extract()?,
+            path_lower: get_required("path_lower")?.extract()?,
+            path_len: get_required("path_len")?.extract()?,
+            timestamp: get_required("timestamp")?.extract()?,
+            response_time: get_required("response_time")?.extract()?,
+            status_idx: get_required("status_idx")?.extract()?,
+            kw_check: get_required("kw_check")?.extract()?,
+            total_404: get_required("total_404")?.extract()?,
+        })
+    }
+}
+
+#[derive(Clone)]
+struct RecentEntryInput {
+    path_lower: String,
+    timestamp: f64,
+    status: i32,
+    kw_check: bool,
+}
+
+impl<'py> FromPyObject<'py> for RecentEntryInput {
+    fn extract(ob: &'py PyAny) -> PyResult<Self> {
+        let dict: &PyDict = ob.downcast()?;
+
+        let get_required = |key: &str| -> PyResult<&PyAny> {
+            dict.get_item(key)?
+                .ok_or_else(|| PyErr::new::<PyKeyError, _>(key.to_string()))
+        };
+
+        Ok(Self {
+            path_lower: get_required("path_lower")?.extract()?,
+            timestamp: get_required("timestamp")?.extract()?,
+            status: get_required("status")?.extract()?,
+            kw_check: get_required("kw_check")?.extract()?,
+        })
+    }
+}
+
+fn build_timestamp_index(records: &[FeatureRecordInput]) -> HashMap<String, Vec<f64>> {
+    let mut map: HashMap<String, Vec<f64>> = HashMap::new();
+    for rec in records {
+        map.entry(rec.ip.clone())
+            .or_default()
+            .push(rec.timestamp);
+    }
+    for timestamps in map.values_mut() {
+        timestamps.sort_by(|a, b| a.partial_cmp(b).unwrap_or(std::cmp::Ordering::Equal));
+    }
+    map
+}
+
+fn count_burst(timestamps: Option<&Vec<f64>>, current: f64) -> i32 {
+    if let Some(ts) = timestamps {
+        let min_ts = current - 10.0;
+        ts.iter()
+            .filter(|value| **value >= min_ts && **value <= current)
+            .count() as i32
+    } else {
+        0
+    }
+}
+
+fn keyword_hits(path_lower: &str, keywords: &[String], enabled: bool) -> i32 {
+    if !enabled {
+        return 0;
+    }
+    keywords
+        .iter()
+        .filter(|kw| path_lower.contains(kw.as_str()))
+        .count() as i32
+}
+
+fn lower_bound(values: &[f64], target: f64) -> usize {
+    let mut left = 0usize;
+    let mut right = values.len();
+    while left < right {
+        let mid = (left + right) / 2;
+        if values[mid] < target {
+            left = mid + 1;
+        } else {
+            right = mid;
+        }
+    }
+    left
+}
+
+fn upper_bound(values: &[f64], target: f64) -> usize {
+    let mut left = 0usize;
+    let mut right = values.len();
+    while left < right {
+        let mid = (left + right) / 2;
+        if values[mid] <= target {
+            left = mid + 1;
+        } else {
+            right = mid;
+        }
+    }
+    left
+}
+
+fn is_scanning_path(path_lower: &str) -> bool {
+    let scanning_patterns = [
+        "wp-admin",
+        "wp-content",
+        "wp-includes",
+        "wp-config",
+        "xmlrpc.php",
+        "admin",
+        "phpmyadmin",
+        "adminer",
+        "config",
+        "configuration",
+        "settings",
+        "setup",
+        "install",
+        "installer",
+        "backup",
+        "database",
+        "db",
+        "mysql",
+        "sql",
+        "dump",
+        ".env",
+        ".git",
+        ".htaccess",
+        ".htpasswd",
+        "passwd",
+        "shadow",
+        "robots.txt",
+        "sitemap.xml",
+        "cgi-bin",
+        "scripts",
+        "shell",
+        "cmd",
+        "exec",
+        ".php",
+        ".asp",
+        ".aspx",
+        ".jsp",
+        ".cgi",
+        ".pl",
+    ];
+
+    if scanning_patterns.iter().any(|pat| path_lower.contains(pat)) {
+        return true;
+    }
+    if path_lower.contains("../") || path_lower.contains("..\\") {
+        return true;
+    }
+    let encoded = ["%2e%2e", "%252e", "%c0%ae"];
+    if encoded.iter().any(|enc| path_lower.contains(enc)) {
+        return true;
+    }
+    false
+}
+
+#[pyfunction]
+fn extract_features<'py>(
+    py: Python<'py>,
+    records: Vec<FeatureRecordInput>,
+    static_keywords: Vec<String>,
+) -> PyResult<Vec<Py<PyDict>>> {
+    if records.is_empty() {
+        return Ok(Vec::new());
+    }
+
+    let keywords: Vec<String> = static_keywords
+        .into_iter()
+        .map(|kw| kw.to_lowercase())
+        .collect();
+
+    let timestamp_index = build_timestamp_index(&records);
+    let mut output = Vec::with_capacity(records.len());
+
+    for rec in records.into_iter() {
+        let timestamps = timestamp_index.get(&rec.ip);
+        let burst = count_burst(timestamps, rec.timestamp);
+        let kw = keyword_hits(&rec.path_lower, &keywords, rec.kw_check);
+
+        let feature = PyDict::new_bound(py);
+        feature.set_item("ip", rec.ip.clone())?;
+        feature.set_item("path_len", rec.path_len)?;
+        feature.set_item("kw_hits", kw)?;
+        feature.set_item("resp_time", rec.response_time)?;
+        feature.set_item("status_idx", rec.status_idx)?;
+        feature.set_item("burst_count", burst)?;
+        feature.set_item("total_404", rec.total_404)?;
+        output.push(feature.into());
+    }
+
+    Ok(output)
+}
+
+#[pyfunction]
+fn analyze_recent_behavior<'py>(
+    py: Python<'py>,
+    entries: Vec<RecentEntryInput>,
+    static_keywords: Vec<String>,
+) -> PyResult<Option<Py<PyDict>>> {
+    if entries.is_empty() {
+        return Ok(None);
+    }
+
+    let keywords: Vec<String> = static_keywords
+        .into_iter()
+        .map(|kw| kw.to_lowercase())
+        .collect();
+    let mut timestamps: Vec<f64> = entries.iter().map(|e| e.timestamp).collect();
+    timestamps.sort_by(|a, b| a.partial_cmp(b).unwrap_or(std::cmp::Ordering::Equal));
+
+    let mut total_kw_hits = 0f64;
+    let mut total_burst = 0f64;
+    let mut max_404s = 0i32;
+    let mut scanning_404s = 0i32;
+
+    for entry in entries.iter() {
+        if entry.status == 404 {
+            max_404s += 1;
+            if is_scanning_path(&entry.path_lower) {
+                scanning_404s += 1;
+            }
+        }
+        let kw = keyword_hits(&entry.path_lower, &keywords, entry.kw_check);
+        total_kw_hits += kw as f64;
+
+        let lower = lower_bound(&timestamps, entry.timestamp - 10.0);
+        let upper = upper_bound(&timestamps, entry.timestamp + 10.0);
+        let burst = (upper.saturating_sub(lower)) as i32;
+        total_burst += burst as f64;
+    }
+
+    let total_requests = entries.len() as i32;
+    let avg_kw_hits = if total_requests > 0 {
+        total_kw_hits / total_requests as f64
+    } else {
+        0.0
+    };
+    let avg_burst = if total_requests > 0 {
+        total_burst / total_requests as f64
+    } else {
+        0.0
+    };
+    let legitimate_404s = (max_404s - scanning_404s).max(0);
+
+    let mut should_block = true;
+    if max_404s == 0 && avg_kw_hits == 0.0 && scanning_404s == 0 {
+        should_block = false;
+    } else if avg_kw_hits < 3.0
+        && scanning_404s < 5
+        && legitimate_404s < 20
+        && avg_burst < 25.0
+        && total_requests < 150
+    {
+        should_block = false;
+    }
+
+    let result = PyDict::new_bound(py);
+    result.set_item("avg_kw_hits", avg_kw_hits)?;
+    result.set_item("max_404s", max_404s)?;
+    result.set_item("avg_burst", avg_burst)?;
+    result.set_item("total_requests", total_requests)?;
+    result.set_item("scanning_404s", scanning_404s)?;
+    result.set_item("legitimate_404s", legitimate_404s)?;
+    result.set_item("should_block", should_block)?;
+
+    Ok(Some(result.into()))
+}
+
+#[pymodule]
+fn aiwaf_rust(_py: Python<'_>, m: &Bound<'_, PyModule>) -> PyResult<()> {
+    m.add_function(wrap_pyfunction!(validate_headers, m)?)?;
+    m.add_function(wrap_pyfunction!(validate_headers_with_config, m)?)?;
+    m.add_function(wrap_pyfunction!(extract_features, m)?)?;
+    m.add_function(wrap_pyfunction!(analyze_recent_behavior, m)?)?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use pyo3::types::PyDict;
+
+    fn dict_from_pairs<'a>(
+        py: Python<'a>,
+        pairs: &'a [(&'a str, &'a str)],
+    ) -> Bound<'a, PyDict> {
+        let dict = PyDict::new_bound(py);
+        for (k, v) in pairs {
+            dict.set_item(*k, *v).unwrap();
+        }
+        dict
+    }
+
+    #[test]
+    fn validate_headers_blocks_missing_required() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[("HTTP_USER_AGENT", "Mozilla/5.0")]);
+            let result = validate_headers(headers).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("Missing required headers")));
+        });
+    }
+
+    #[test]
+    fn validate_headers_with_config_allows_empty_required() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[("HTTP_USER_AGENT", "EmailScanner/1.0")]);
+            let result = validate_headers_with_config(headers, Some(vec![]), Some(0)).unwrap();
+            assert!(result.is_none());
+        });
+    }
+
+    #[test]
+    fn validate_headers_with_config_respects_required() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[("HTTP_USER_AGENT", "Mozilla/5.0")]);
+            let required = vec!["HTTP_USER_AGENT".to_string(), "HTTP_ACCEPT".to_string()];
+            let result = validate_headers_with_config(headers, Some(required), Some(3)).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("Missing required headers")));
+        });
+    }
+
+    #[test]
+    fn validate_headers_blocks_suspicious_user_agent() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "python-requests/2.25.1"),
+                ("HTTP_ACCEPT", "*/*"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("Suspicious user agent")));
+        });
+    }
+
+    #[test]
+    fn validate_headers_blocks_suspicious_combinations() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "Mozilla/4.0"),
+                ("HTTP_ACCEPT", "text/html"),
+                ("SERVER_PROTOCOL", "HTTP/2"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("Suspicious headers")));
+        });
+    }
+
+    #[test]
+    fn validate_headers_allows_legit_browser() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
+                ("HTTP_ACCEPT", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
+                ("HTTP_ACCEPT_LANGUAGE", "en-US,en;q=0.5"),
+                ("HTTP_ACCEPT_ENCODING", "gzip, deflate"),
+                ("HTTP_CONNECTION", "keep-alive"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(result.is_none());
+        });
+    }
+
+    #[test]
+    fn validate_headers_allows_legit_bot() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "Googlebot/2.1 (+http://www.google.com/bot.html)"),
+                ("HTTP_ACCEPT", "*/*"),
+                ("HTTP_ACCEPT_LANGUAGE", "en-US"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(result.is_none());
+        });
+    }
+
+    #[test]
+    fn validate_headers_blocks_accept_star_missing_lang_encoding() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
+                ("HTTP_ACCEPT", "*/*"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("Generic Accept header")));
+        });
+    }
+
+    #[test]
+    fn validate_headers_blocks_http10_chrome() {
+        Python::with_gil(|py| {
+            let headers = dict_from_pairs(py, &[
+                ("HTTP_USER_AGENT", "Mozilla/5.0 Chrome/120.0.0.0"),
+                ("HTTP_ACCEPT", "text/html"),
+                ("HTTP_ACCEPT_LANGUAGE", "en-US"),
+                ("SERVER_PROTOCOL", "HTTP/1.0"),
+            ]);
+            let result = validate_headers(headers).unwrap();
+            assert!(matches!(result, Some(msg) if msg.contains("HTTP/1.0")));
+        });
+    }
+}

aiwaf_rust-0.1.0/workflows/publish.yml

@@ -0,0 +1,94 @@
+name: Build and Publish Rust Package
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-wheels:
+    name: Build wheels (${{ matrix.os }} / py${{ matrix.python }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Build wheel
+        uses: PyO3/maturin-action@v1
+        env:
+          PYTHON_SYS_EXECUTABLE: ${{ steps.setup-python.outputs.python-path }}
+          PYO3_PYTHON: ${{ steps.setup-python.outputs.python-path }}
+        with:
+          command: build
+          args: --release --out dist
+          sccache: true
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-wheels-${{ matrix.os }}-py${{ matrix.python }}
+          path: dist
+
+  build-sdist:
+    name: Build sdist
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: --out dist
+
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: [build-wheels, build-sdist]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+
+    steps:
+      - name: Download wheels
+        uses: actions/download-artifact@v4
+        with:
+          pattern: rust-wheels-*
+          path: dist
+          merge-multiple: true
+
+      - name: Download sdist
+        uses: actions/download-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/

aiwaf_rust-0.1.0/workflows/rust-publish.yml

@@ -0,0 +1,92 @@
+name: Build and Publish Rust Extension
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-wheels:
+    name: Build rust wheels (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Build wheels
+        uses: PyO3/maturin-action@v1
+        env:
+          PYTHON_SYS_EXECUTABLE: ${{ steps.setup-python.outputs.python-path }}
+          PYO3_PYTHON: ${{ steps.setup-python.outputs.python-path }}
+        with:
+          command: build
+          args: --release -m Cargo.toml --out dist
+          sccache: true
+
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-wheels-${{ matrix.os }}-py${{ matrix.python }}
+          path: dist
+
+  build-sdist:
+    name: Build rust sdist
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: -m Cargo.toml --out dist
+
+      - name: Upload sdist
+        uses: actions/upload-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+  pypi-publish:
+    name: Publish rust package to PyPI
+    runs-on: ubuntu-latest
+    needs: [build-wheels, build-sdist]
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+    steps:
+      - name: Download wheels
+        uses: actions/download-artifact@v4
+        with:
+          pattern: rust-wheels-*
+          path: dist
+          merge-multiple: true
+
+      - name: Download sdist
+        uses: actions/download-artifact@v4
+        with:
+          name: rust-sdist
+          path: dist
+
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/