waf skip body when protocol is grpc, websocket or sse (#943)

alibaba · May 15, 2024 · 42c9c3d · 42c9c3d
1 parent 8736188
commit 42c9c3d
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/plugins/wasm-go/extensions/waf/go.sum b/plugins/wasm-go/extensions/waf/go.sum
@@ -10,8 +10,7 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520 h1:IHDghbGQ2DTIXHBHxWfqCYQW1fKjyJ/I7W1pMyUDeEA=
 github.com/higress-group/nottinygc v0.0.0-20231101025119-e93c4c2f8520/go.mod h1:Nz8ORLaFiLWotg6GeKlJMhv8cci8mM43uEnLA5t8iew=
-github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240226065437-8f7a0b3c9071 h1:STb5rOHRZOzoiAa+gTz2LFqO1nYj7U/1eIVUJJadU4A=
-github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240226065437-8f7a0b3c9071/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
+github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240318034951-d5306e367c43 h1:dCw7F/9ciw4NZN7w68wQRaygZ2zGOWMTIEoRvP1tlWs=
 github.com/higress-group/proxy-wasm-go-sdk v0.0.0-20240318034951-d5306e367c43/go.mod h1:hNFjhrLUIq+kJ9bOcs8QtiplSQ61GZXtd2xHKx4BYRo=
 github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
 github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=

diff --git a/plugins/wasm-go/extensions/waf/wasmplugin/plugin.go b/plugins/wasm-go/extensions/waf/wasmplugin/plugin.go
@@ -69,6 +69,15 @@ func parseConfig(json gjson.Result, config *WafConfig, log wrapper.Log) error {
 }
 
 func onHttpRequestHeaders(ctx wrapper.HttpContext, config WafConfig, log wrapper.Log) types.Action {
+	ctx.SetContext("skipwaf", false)
+
+	if ignoreBody() {
+		ctx.DontReadRequestBody()
+		ctx.DontReadResponseBody()
+		ctx.SetContext("skipwaf", true)
+		return types.ActionContinue
+	}
+
 	ctx.SetContext("interruptionHandled", false)
 	ctx.SetContext("processedRequestBody", false)
 	ctx.SetContext("processedResponseBody", false)
@@ -192,6 +201,10 @@ func onHttpRequestBody(ctx wrapper.HttpContext, config WafConfig, body []byte, l
 }
 
 func onHttpResponseHeaders(ctx wrapper.HttpContext, config WafConfig, log wrapper.Log) types.Action {
+	if ctx.GetContext("skipwaf").(bool) {
+		return types.ActionContinue
+	}
+
 	if ctx.GetContext("interruptionHandled").(bool) {
 		return types.ActionContinue
 	}
@@ -306,6 +319,10 @@ func onHttpResponseBody(ctx wrapper.HttpContext, config WafConfig, body []byte,
 }
 
 func onHttpStreamDone(ctx wrapper.HttpContext, config WafConfig, log wrapper.Log) {
+	if ctx.GetContext("skipwaf").(bool) {
+		return
+	}
+
 	tx := ctx.GetContext("tx").(ctypes.Transaction)
 
 	if !tx.IsRuleEngineOff() {

diff --git a/plugins/wasm-go/extensions/waf/wasmplugin/utils.go b/plugins/wasm-go/extensions/waf/wasmplugin/utils.go
@@ -138,3 +138,34 @@ func logError(error ctypes.MatchedRule) {
 		proxywasm.LogDebug(msg)
 	}
 }
+
+func isWebSocketRequest() bool {
+	if value, err := proxywasm.GetHttpRequestHeader("Upgrade"); err == nil {
+		if value == "websocket" {
+			return true
+		}
+	}
+	return false
+}
+
+func isSSERequest() bool {
+	if value, err := proxywasm.GetHttpRequestHeader("Accept"); err == nil {
+		if value == "text/event-stream" {
+			return true
+		}
+	}
+	return false
+}
+
+func isGrpcRequest() bool {
+	if value, err := proxywasm.GetHttpRequestHeader("Content-Type"); err == nil {
+		if value == "application/grpc" {
+			return true
+		}
+	}
+	return false
+}
+
+func ignoreBody() bool {
+	return isWebSocketRequest() || isSSERequest() || isGrpcRequest()
+}