wafaHell 0.1.1__tar.gz → 1.0.0__tar.gz

{wafahell-0.1.1 → wafahell-1.0.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: wafaHell
-Version: 0.1.1
+Version: 1.0.0
 Summary: Middleware WAF to Flask
 Author-email: Yago Martins <yagomartins30@gmail.com>
 License: MIT License
@@ -33,6 +33,10 @@ Requires-Python: >=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: Flask>=2.0
+Requires-Dist: sqlalchemy>=2.0.0
+Requires-Dist: requests
+Requires-Dist: diskcache
+Requires-Dist: geoip2
 Dynamic: license-file
 
 # WafHell
@@ -42,14 +46,14 @@ Middleware WAF for Flask, to detect SQLi and XSS.
 ## Instalation
 
 ```bash
-pip install wafaHell
+pip install wafahell
 ```
 
 ## Usage
 ```python
 from flask import Flask
-from flask_waf import FlaskWAF
+from wafahell import WafaHell
 
 app = Flask(__name__)
-waf = FlaskWAF(app)
+waf = WafaHell(app)
 ```

{wafahell-0.1.1 → wafahell-1.0.0}/README.md

@@ -5,14 +5,14 @@ Middleware WAF for Flask, to detect SQLi and XSS.
 ## Instalation
 
 ```bash
-pip install wafaHell
+pip install wafahell
 ```
 
 ## Usage
 ```python
 from flask import Flask
-from flask_waf import FlaskWAF
+from wafahell import WafaHell
 
 app = Flask(__name__)
-waf = FlaskWAF(app)
+waf = WafaHell(app)
 ```

{wafahell-0.1.1 → wafahell-1.0.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "wafaHell"                 
-version = "0.1.1"                  
+version = "1.0.0"                  
 description = "Middleware WAF to Flask"
 readme = "README.md"
 authors = [
@@ -19,5 +19,9 @@ classifiers = [
     "Operating System :: OS Independent"
 ]
 dependencies = [
-    "Flask>=2.0"
+    "Flask>=2.0",
+    "sqlalchemy>=2.0.0",
+    "requests",
+    "diskcache",
+    "geoip2"
 ]

wafahell-1.0.0/wafaHell/__init__.py

@@ -0,0 +1,3 @@
+from .middleware import WafaHell
+
+__all__ = ["WafaHell"]

wafahell-1.0.0/wafaHell/app.py

@@ -0,0 +1,31 @@
+from middleware import WafaHell
+from flask import Flask, render_template, request
+from werkzeug.middleware.proxy_fix import ProxyFix
+
+app = Flask(__name__)
+
+
+app.wsgi_app = ProxyFix(
+    app.wsgi_app,
+    x_for=1,
+    x_proto=1,
+    x_host=1,
+    x_port=1
+)
+
+@app.route('/', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
+def home():
+    return "<h1>Bem-vindo à minha aplicação Flask!</h1><p>Acesse /hello?nome=test</p>"
+
+@app.route('/hello', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
+def hello():
+    nome = request.args.get('nome', 'Visitante')
+    return f"<h1>Olá, {nome}!</h1>"
+
+@app.route('/admin/dashboard')
+def dashboard():
+    return "<h1>Dashboard Personalizado</h1><p>Este é o painel de controle personalizado.</p>"
+
+if __name__ == '__main__':
+    WafaHell(app, dashboard_path='/hell/dashboard', block_durantion=1, rate_limit=True, block_ip=True)
+    app.run(debug=True, host='0.0.0.0', port=5000)

wafahell-1.0.0/wafaHell/globals.py

@@ -0,0 +1,5 @@
+import os
+from diskcache import Cache
+
+cache_path = '/dev/shm/waf_cache' if os.path.exists('/dev/shm') else './waf_cache_temp'
+waf_cache = Cache(cache_path)

wafahell-1.0.0/wafaHell/logger.py

@@ -0,0 +1,132 @@
+from datetime import datetime
+import logging
+from model import WafLog, get_session
+import re 
+# Handler customizado para salvar no SQLite via SQLAlchemy
+class SQLAlchemyHandler(logging.Handler):
+    def __init__(self):
+            super().__init__()
+            self.session = get_session()
+            # Regex para extrair dados da string formatada pelo parse_req
+            self.attr_pattern = re.compile(
+                r"Attack_type: (?P<type>.*?), IP: (?P<ip>.*?), .*?Path: (?P<path>.*?), Method: (?P<method>.*?), Payload: (?P<payload>.*?), attack_local: (?P<local>.*)"
+            )
+
+    def emit(self, record):
+            session = self.session # Certifique-se de instanciar a sessão
+            try:
+                msg = record.getMessage()
+                
+                # Valores padrão
+                ip, path, method, payload, local, attack_type = (None, None, None, msg, None, "Info")
+
+                # Expandimos a condição para incluir [BLOCKED]
+                if any(tag in msg for tag in ["[ATTACK]", "[RATE LIMIT]", "[BLOCKED]"]):
+                    
+                    def extract(key, text):
+                        # Regex ajustada para capturar até a vírgula ou fim da tag, permitindo espaços internos
+                        match = re.search(rf"{key}:?\s*([^,\]]+)", text)
+                        return match.group(1).strip() if match else None
+
+                    ip = extract("IP", msg)
+                    
+                    if "[BLOCKED]" in msg:
+                        attack_type = "IP BLOCK"
+                        ua = extract("UA", msg)
+                        payload = f"IP Bloqueado. User-Agent: {ua}" if ua else "IP Bloqueado"
+                        path = "---"
+                        method = "---"
+                    elif "[RATE LIMIT]" in msg:
+                        attack_type = "RATE LIMIT"
+                        payload = "Exceeded request limit"
+                        path = extract("Path", msg)
+                        method = extract("Method", msg)
+
+                        bucket = datetime.utcnow().strftime('%Y-%m-%d %H:%M')
+                        log_entry = WafLog(
+                            level=record.levelname,
+                            attack_type=attack_type,
+                            ip=ip,
+                            path=path,
+                            method=method,
+                            payload=payload,
+                            attack_local=local,
+                            time_bucket=bucket
+                        )
+                        
+                        session.add(log_entry)
+                        session.commit()
+                    else:
+                        # Lógica para [ATTACK]
+                        attack_type = extract("Attack_type", msg) or "Unknown"
+                        path = extract("Path", msg)
+                        method = extract("Method", msg)
+                        
+                        # Captura o local completo (ex: HEADER 'User-Agent')
+                        local_match = re.search(r"attack_local:\s*(.+)$", msg)
+                        local = local_match.group(1).strip() if local_match else extract("attack_local", msg)
+                        
+                        # Regex específica para payloads que podem conter vírgulas
+                        payload_match = re.search(r"Payload: (.*?), attack_local:", msg)
+                        payload = payload_match.group(1) if payload_match else extract("Payload", msg)
+                    
+                if not "[RATE LIMIT]" in msg:   
+                    log_entry = WafLog(
+                        level=record.levelname,
+                        attack_type=attack_type,
+                        ip=ip,
+                        path=path,
+                        method=method,
+                        payload=payload,
+                        attack_local=local,
+                        # time_bucket fica None aqui para não filtrar ataques normais no banco
+                    )
+
+                    session.add(log_entry)
+                    session.commit()
+                    
+            except Exception as e:
+                session.rollback()
+            finally:
+                session.close()
+
+class Logger:
+    def __init__(self, name="WAF", log_file="waf.log", level=logging.INFO):
+        self.logger = logging.getLogger(name)
+        self.logger.setLevel(level)
+
+        if not self.logger.handlers:
+            formatter = logging.Formatter(
+                "[%(asctime)s] [%(name)s] [%(levelname)s] %(message)s",
+                datefmt="%H:%M:%S - %d/%m/%Y"
+            )
+
+            # Handler 1: Console
+            console_handler = logging.StreamHandler()
+            console_handler.setFormatter(formatter)
+            self.logger.addHandler(console_handler)
+
+            # Handler 2: Arquivo
+            file_handler = logging.FileHandler(log_file)
+            file_handler.setFormatter(formatter)
+            self.logger.addHandler(file_handler)
+
+            # Handler 3: Banco de Dados (A Mágica acontece aqui)
+            db_handler = SQLAlchemyHandler()
+            db_handler.setLevel(logging.INFO) # Salva INFO, WARNING e acima no DB
+            self.logger.addHandler(db_handler)
+
+    def info(self, msg):
+        self.logger.info(msg)
+
+    def warning(self, msg):
+        self.logger.warning(msg)
+
+    def error(self, msg):
+        self.logger.error(msg)
+
+    def critical(self, msg):
+        self.logger.critical(msg)
+
+    def debug(self, msg):
+        self.logger.debug(msg)

wafahell-1.0.0/wafaHell/middleware.py

@@ -0,0 +1,351 @@
+from datetime import datetime, timedelta, timezone 
+import os
+import re
+import subprocess
+import time
+from flask import request as req, abort, g
+from urllib.parse import unquote
+from model import Base, Blocked, WafLog, get_session, engine
+from logger import Logger
+from rateLimiter import RateLimiter
+from sqlalchemy.exc import OperationalError
+from panel import setup_dashboard
+from utils import Admin
+from sqlalchemy import text
+from globals import waf_cache
+
+# Inicializa o RateLimiter
+limiter = RateLimiter(limit=100, window=60)
+
+class WafaHell:
+    def __init__(self, app=None, block_code=403, block_durantion=5, block_ip=False, log_func=None, monitor_mode=False,  rate_limit=False, dashboard_path=None):
+        self.app = app
+        self.block_code = block_code
+        self.log = log_func or Logger()
+        self.monitor_mode = monitor_mode
+        self.block_ip = block_ip
+        self.rate_limit = rate_limit
+        self.dashboard_path = dashboard_path
+        self.block_durantion = block_durantion
+        self.recent_blocks_cache = {}
+
+        self.rules_sqli = [
+            r"(\bUNION\b|\bSELECT\b|\bINSERT\b|\bDROP\b)",  
+            r"' OR '1'='1"                                                                                                                                                                                                                                
+        ]
+        self.rules_xss = [
+            r"<script.*?>.*?</script>",                    
+            r"javascript:"
+        ]
+
+        if app is not None:
+            self.init_app(app)
+
+    def init_app(self, app):
+        Base.metadata.create_all(engine)
+        setup_dashboard(app, self.dashboard_path)
+        Admin.create_admin_user(get_session())
+
+        if not app.secret_key:
+            app.secret_key = os.urandom(24)
+
+        @app.before_request
+        def create_session():
+            try:
+                req.session = get_session()
+            except Exception as e:
+                self.log.error(f"Erro ao criar sessão para requisição: {e}")
+                abort(self.block_code)
+
+        @app.teardown_request
+        def close_session(exc=None):
+            if hasattr(req, 'session'):
+                try:
+                    req.session.close()
+                except Exception as e:
+                    self.log.error(f"Erro ao fechar sessão: {e}")
+        
+
+        @app.before_request
+        def waf_check():
+            self.verify_client_blocked(req)
+            self.verify_rate_limit(req)
+            is_malicious, attack_local, payload, attack_type = self.is_malicious(req)
+            
+            if not is_malicious:
+                return
+            
+            if not self.monitor_mode:
+                self.log.warning(self.parse_req(req, payload, attack_local, attack_type))
+                self.block_ip_address(req.remote_addr, req.headers.get("User-Agent", "unknown"))
+                abort(self.block_code)
+            else:
+                self.log.info(self.parse_req(req, payload, attack_local, attack_type))
+
+        @app.before_request
+        def start_timer():
+            g.waf_start_time = time.time()
+
+        @app.after_request
+        def stop_timer(response):
+            ignored_paths = [self.dashboard_path, f'{self.dashboard_path}/stats', '/static']
+
+            # 1. Ignora rotas do próprio painel para não sujar os logs e métricas
+            if any(req.path.startswith(path) for path in ignored_paths):
+                return response
+            
+            # 2. LOG DE TRÁFEGO LEGÍTIMO
+            # Se o status_code for menor que 400, significa que o WAF não deu abort()
+            # e a requisição seguiu o fluxo normal.
+            if response.status_code != self.block_code:
+                self.log_legit_access(req)
+
+            # 3. RPS Logic (Bucketing by second)
+            current_timestamp = int(time.time())
+            rps_key = f"rps_{current_timestamp}"
+            waf_cache.incr(rps_key, default=0)
+            waf_cache.expire(rps_key, 10)
+
+            # 4. Latency Logic
+            if hasattr(g, 'waf_start_time'):
+                latency = (time.time() - g.waf_start_time) * 1000
+                
+                # Exponential Moving Average
+                old_avg = waf_cache.get('latency_avg', default=0.0)
+                new_avg = (old_avg * 0.95) + (latency * 0.05) if old_avg > 0 else latency
+                
+                waf_cache.set('latency_avg', new_avg, expire=3600)
+                
+            return response
+        
+    def log_legit_access(self, req):
+        session = get_session()
+        try:
+            new_log = WafLog(
+                timestamp=datetime.now(timezone.utc),
+                attack_type='INFO', # Identificador de tráfego limpo
+                ip=req.remote_addr,
+                path=req.path,
+                method=req.method,
+                level='INFO'
+            )
+            session.add(new_log)
+            session.commit()
+        except Exception as e:
+            session.rollback()
+            self.log.error(f"Error logging legit access: {e}")
+        finally:
+            session.close()
+
+    def detect_attack(self, data: str) -> bool:
+        for pattern in self.rules_xss:
+            if re.search(pattern, data, re.IGNORECASE):
+                return "XSS"
+        for pattern in self.rules_sqli:
+            if re.search(pattern, data, re.IGNORECASE):
+                return "SQLI"
+        return None
+
+    def is_malicious(self, req) -> tuple:
+        attack = self.detect_attack(req.base_url)
+        if attack:
+            print(f"[DEBUG] Attack detected in URL: {attack}")
+            return True, "URL", req.base_url, attack
+        
+        for key, value in req.form.items():
+            attack = self.detect_attack(value)
+            if attack:
+                print(f"[DEBUG] Attack detected in FORM '{key}': {attack}")
+                return True, f"FORM '{key}'", value, attack
+        
+        for key, value in req.args.items():
+            attack = self.detect_attack(value)
+            if attack:
+                print(f"[DEBUG] Attack detected in QUERY '{key}': {attack}")
+                return True, f"QUERY '{key}'", value, attack
+
+        for key, value in req.headers.items():
+            attack = self.detect_attack(value)
+            if attack:
+                print(f"[DEBUG] Attack detected in HEADER '{key}': {attack}")
+                return True, f"HEADER '{key}'", value, attack
+
+        if req.data:
+            body_content = req.data.decode(errors="ignore")
+            attack = self.detect_attack(body_content)
+            if attack:
+                print(f"[DEBUG] Attack detected in BODY: {attack}")
+                return True, "BODY", body_content, attack
+            
+        if req.is_json:
+            json_data = req.get_json(silent=True)
+            if json_data:
+                import json
+                json_str = json.dumps(json_data)
+                attack = self.detect_attack(json_str)
+                if attack:
+                    print(f"[DEBUG] Attack detected in JSON BODY: {attack}")
+                    return True, "JSON BODY", json_str, attack
+
+        return False, None, None, None
+
+    def verify_client_blocked(self, req) -> None:
+        session = req.session
+        try:
+            client_blocked = session.query(Blocked).filter_by(
+                ip=req.remote_addr,
+            ).first()
+
+            if client_blocked:
+
+                now = datetime.now(timezone.utc) if client_blocked.blocked_until.tzinfo else datetime.utcnow()
+                
+                if client_blocked.blocked_until <= now:
+                    # --- TRAVA DE DESBLOQUEIO (Anti-Race Condition) ---
+                    # Usamos um marcador no cache para saber se alguém já está desbloqueando este IP
+                    cache_key = f"unblocking_{req.remote_addr}"
+                    if cache_key in self.recent_blocks_cache:
+                        return # Outra thread já está limpando este IP, apenas saia
+                    
+                    self.recent_blocks_cache[cache_key] = True
+                    # --------------------------------------------------
+
+                    try:
+                        session.delete(client_blocked)
+                        session.commit()
+                        
+                        # Limpa os caches de controle deste IP
+                        self.recent_blocks_cache.pop(req.remote_addr, None)
+                        self.recent_blocks_cache.pop(cache_key, None)
+                        
+                        self.log.info(f"[UNBLOCKED] IP {req.remote_addr} bloqueio expirou.")
+                    except Exception as e:
+                        session.rollback()
+                        self.recent_blocks_cache.pop(cache_key, None)
+                        raise e
+                    return
+
+                # Se chegou aqui, ainda está bloqueado
+                abort(self.block_code)
+
+        except OperationalError:
+            session.rollback()
+            abort(self.block_code)
+
+        try:
+                        
+            client_blocked = session.query(Blocked).filter_by(
+                ip=req.remote_addr,
+                user_agent=req.headers.get("User-Agent")
+            ).first()
+
+            if not client_blocked:
+                return
+
+            # Normaliza o tempo para comparação
+            now = datetime.now(timezone.utc) if client_blocked.blocked_until.tzinfo else datetime.utcnow()
+            
+            if client_blocked.blocked_until <= now:
+                # --- TRAVA DE DESBLOQUEIO (Anti-Race Condition) ---
+                # Usamos um marcador no cache para saber se alguém já está desbloqueando este IP
+                cache_key = f"unblocking_{req.remote_addr}"
+                if cache_key in self.recent_blocks_cache:
+                    return # Outra thread já está limpando este IP, apenas saia
+                
+                self.recent_blocks_cache[cache_key] = True
+                # --------------------------------------------------
+
+                try:
+                    session.delete(client_blocked)
+                    session.commit()
+                    
+                    # Limpa os caches de controle deste IP
+                    self.recent_blocks_cache.pop(req.remote_addr, None)
+                    self.recent_blocks_cache.pop(cache_key, None)
+                    
+                    self.log.info(f"[UNBLOCKED] IP {req.remote_addr} bloqueio expirou.")
+                except Exception as e:
+                    session.rollback()
+                    self.recent_blocks_cache.pop(cache_key, None)
+                    raise e
+                return
+                
+            abort(self.block_code)
+
+        except OperationalError:
+            session.rollback()
+            abort(self.block_code)
+
+    def block_ip_address(self, ip, user_agent=None):
+        if not self.block_ip:
+            return
+
+        # 1. Trava de Memória (ajuda, mas não resolve 100% em multi-processo)
+        now_ts = datetime.now().timestamp()
+        if ip in self.recent_blocks_cache:
+            if now_ts - self.recent_blocks_cache[ip] < 5:
+                return 
+        self.recent_blocks_cache[ip] = now_ts
+
+        session = get_session()
+        try:
+            # 2. TRAVA DE BANCO: Verifica se já houve um log desse IP nos últimos 2 segundos
+            # Isso evita que as 6 threads do ffuf que passaram pela trava de memória gravem no banco
+            
+            time_threshold = datetime.now(timezone.utc) - timedelta(seconds=2)
+            
+            # Buscamos na tabela de LOGS (WafLog) se já existe um registro recente
+           
+            exists_recent_log = session.query(WafLog).filter(
+                WafLog.ip == ip,
+                WafLog.attack_type.in_(['RATE LIMIT', 'IP BLOCK']),
+                WafLog.timestamp >= time_threshold
+            ).first()
+
+            if not exists_recent_log:
+                # Só prossegue se não houver log recente
+                exists_block = session.query(Blocked).filter_by(ip=ip).first()
+                if not exists_block:
+                    now = datetime.now(timezone.utc)
+                    until = now + timedelta(minutes=self.block_durantion)
+                    
+                    new_block = Blocked(
+                        ip=ip, user_agent=user_agent,
+                        blocked_at=now, blocked_until=until
+                    )
+                    session.add(new_block)
+                    session.commit()
+                    
+                    
+                    
+        except Exception as e:
+            session.rollback()
+            self.log.error(f"Erro ao persistir bloqueio: {e}")
+        finally:
+            session.close()
+
+    def verify_rate_limit(self, req) -> None:
+        if self.rate_limit:
+                ip = req.remote_addr
+                ua = req.headers.get("User-Agent", "unknown")
+                
+                if limiter.is_rate_limited(ip, ua):
+                    if self.monitor_mode:
+                        return
+                    
+                    
+                    if self.block_ip:
+                        self.block_ip_address(ip, ua)
+                        self.log.warning(f"[RATE LIMIT] IP: {ip} exceeded limit.")
+                        self.log.warning(f"[BLOCKED] IP: {ip}, UA: {ua}")
+                        abort(self.block_code)
+
+                    self.log.warning(f"[RATE LIMIT] IP: {ip} exceeded limit.")
+
+    def parse_req(self, req, payload, attack_local=None, attack_type=None) -> str:
+        ip = req.remote_addr
+        user_agent = req.headers.get("User-Agent", "unknown")
+        path = req.path
+        method = req.method
+        attack_local = attack_local or "unknown"
+        return f"[ATTACK] Attack_type: {attack_type}, IP: {ip}, User-Agent: {user_agent}, Path: {path}, Method: {method}, Payload: {unquote(payload)}, attack_local: {attack_local}"

wafahell-1.0.0/wafaHell/mock.py

@@ -0,0 +1,53 @@
+import requests
+
+# Configuração do alvo
+BASE_URL = "http://127.0.0.1:5000/hello"
+
+# Definição dos payloads de teste (SQLi e XSS clássicos)
+payloads = {
+    "URL Query": {"url": f"{BASE_URL}?id=1' OR '1'='1"},
+    "Form Data": {"method": "POST", "data": {"user": "<script>alert(1)</script>"}},
+    "JSON Body": {"method": "POST", "json": {"search": "SELECT * FROM users"}},
+    "Cookies": {"method": "POST", "cookies": {"session": "UNION SELECT NULL,NULL--"}},
+    "Custom Header": {"method": "POST", "headers": {"User-Agent": "'; DROP TABLE logs;--"}},
+    "Multipart File": {"method": "POST", "files": {"file": ("README.md", "payload: <script>alert('XSS')</script>")}},
+}
+
+def run_mock():
+    print(f"🚀 Iniciando Mock de Testes WafaHell no alvo: {BASE_URL}\n")
+    print(f"{'VETOR DE TESTE':<20} | {'STATUS':<10} | {'RESULTADO'}")
+    print("-" * 55)
+
+    for test_name, config in payloads.items():
+        try:
+            # Prepara a requisição
+            url = config.get("url", BASE_URL)
+            method = config.get("method", "GET")
+            
+            # Executa a requisição com os parâmetros dinâmicos
+            response = requests.request(
+                method=method,
+                url=url,
+                data=config.get("data"),
+                json=config.get("json"),
+                cookies=config.get("cookies"),
+                headers=config.get("headers"),
+                files=config.get("files"),
+                timeout=5
+            )
+
+            # Validação: 403 significa que o WAF bloqueou (Sucesso no teste)
+            if response.status_code == 403:
+                status_txt = "✅ BLOQUEADO"
+                result_txt = "Sucesso (WAF Ativo)"
+            else:
+                status_txt = f"❌ {response.status_code}"
+                result_txt = "Falha (Vulnerável!)"
+
+            print(f"{test_name:<20} | {status_txt:<10} | {result_txt}")
+
+        except Exception as e:
+            print(f"{test_name:<20} | ⚠️ ERRO      | {str(e)}")
+
+if __name__ == "__main__":
+    run_mock()