Skip to content

Commit

Permalink
Syncing anuraaga's main before donation (envoyproxy#8)
Browse files Browse the repository at this point in the history 
* Allow building filter in mode that prints timing of each lifecycle me… (envoyproxy#33)

…thod

* Add variables for running FTW in cloud mode with envoy wasm disabled (envoyproxy#34)

* Switch FTW backend to faster server (envoyproxy#35)

* Try adding -crt-static to rust build (envoyproxy#36)

* Build wasi-libc for TinyGo instead of using wasi SDK (envoyproxy#37)

* Fix aho-corasick wasm lib and use it for pm (envoyproxy#38)

* Update to latest coraza (envoyproxy#39)

* Move cgo declaration to tinygo build tag to prevent warning when runn… (envoyproxy#40)

…ing tests

* Remove year from copyright header

Co-authored-by: Anuraag Agrawal <anuraaga@gmail.com>
  • Loading branch information
@jcchavezs @anuraaga
jcchavezs and anuraaga committed Sep 30, 2022
1 parent 71aac7a commit e619253
Show file tree
Hide file tree
Showing 34 changed files with 391 additions and 123 deletions.
1 change: 1 addition & 0 deletions buildtools/aho-corasick/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ RUN mkdir -p /aho-corasick && curl -L https://github.com/BurntSushi/aho-corasick
WORKDIR /aho-corasick
ADD aho-corasick.patch aho-corasick.patch
RUN patch -p1 < aho-corasick.patch
ENV RUSTFLAGS "-C target-feature=-crt-static"
RUN cargo build --release --target wasm32-wasi

CMD ["cp", "target/wasm32-wasi/release/libaho_corasick.a", "/out/libaho_corasick.a"]
35 changes: 29 additions & 6 deletions buildtools/aho-corasick/aho-corasick.patch
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
diff --git a/.gitignore b/.gitignore
index f1a4d65..d6ff1a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.idea
.*.swp
doc
tags
diff --git a/Cargo.toml b/Cargo.toml
index 610bd4d..55e2f37 100644
--- a/Cargo.toml
Expand All @@ -12,22 +21,35 @@ index 610bd4d..55e2f37 100644
[features]
diff --git a/src/exports.rs b/src/exports.rs
new file mode 100644
index 0000000..f97de6d
index 0000000..29c203d
--- /dev/null
+++ b/src/exports.rs
@@ -0,0 +1,93 @@
@@ -0,0 +1,107 @@
+use std::mem::MaybeUninit;
+use std::slice;
+use std::str;
+use crate::{AhoCorasick, AhoCorasickBuilder, MatchKind};
+
+static mut MATCHERS: Vec<AhoCorasick> = Vec::new();
+
+#[no_mangle]
+pub extern "C" fn new_matcher(patterns_ptr: usize, patterns_len: usize) -> usize {
+ let patterns_str = ptr_to_string(patterns_ptr, patterns_len);
+ std::mem::forget(&patterns_str);
+pub extern "C" fn new_matcher(patterns_ptr: *mut u8, patterns_len: usize) -> usize {
+ let all_patterns = unsafe {
+ slice::from_raw_parts(patterns_ptr, patterns_len)
+ };
+
+ let patterns = patterns_str.split(' ');
+ let mut patterns = Vec::new();
+
+ let mut off = 0;
+ while off < patterns_len {
+ let pattern_len = u32::from_le_bytes([all_patterns[off], all_patterns[off+1], all_patterns[off+2], all_patterns[off+3]]) as usize;
+ off += 4;
+ let pattern = unsafe {
+ str::from_utf8_unchecked(&all_patterns[off..off+pattern_len])
+ };
+ patterns.push(pattern);
+ off += pattern_len;
+ }
+
+ let ac = AhoCorasickBuilder::new()
+ .ascii_case_insensitive(true)
Expand All @@ -39,6 +61,7 @@ index 0000000..f97de6d
+ MATCHERS.push(ac);
+ MATCHERS.len() - 1
+ }
+
+}
+
+#[no_mangle]
Expand Down
11 changes: 6 additions & 5 deletions buildtools/tinygo/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,11 @@ RUN curl -L https://go.dev/dl/go1.19.1.linux-${TARGETARCH:-amd64}.tar.gz | tar -
ENV PATH /go/bin:/root/go/bin:$PATH
ENV GOROOT /go

RUN apt-get install -y libclang-14-dev wabt binaryen
RUN apt-get install -y libclang-14-dev wabt binaryen git

# https://github.com/tinygo-org/tinygo/commit/9e4e182615cd80303c564f95020e0c3bd10af64a
RUN go install github.com/tinygo-org/tinygo@9e4e182615cd80303c564f95020e0c3bd10af64a

RUN mkdir -p $(tinygo env TINYGOROOT)/lib/wasi-libc/ && \
ln -s /wasi-sysroot $(tinygo env TINYGOROOT)/lib/wasi-libc/sysroot
RUN git clone --shallow-submodules --recursive https://github.com/tinygo-org/tinygo --branch dev
WORKDIR /tinygo
RUN git reset --hard 9e4e182615cd80303c564f95020e0c3bd10af64a
RUN go install
RUN make wasi-libc
2 changes: 1 addition & 1 deletion config.go
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

package main
Expand Down
2 changes: 1 addition & 1 deletion config_test.go
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

package main
Expand Down
2 changes: 1 addition & 1 deletion ftw/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ WORKDIR /workspace

RUN apk update && apk add curl

RUN go install github.com/anuraaga/go-ftw@dev
RUN go install github.com/fzipi/go-ftw@fd953f4f9ddd0f21595be4f48f0b468dda32e801

ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.tar.gz /workspace/coreruleset/
RUN cd coreruleset && tar -xf v4.0.0-rc1.tar.gz --strip-components 1
Expand Down
6 changes: 4 additions & 2 deletions ftw/docker-compose.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
services:
httpbin:
image: kennethreitz/httpbin:latest
image: ealen/echo-server:latest
chown:
image: alpine:3.16
command:
Expand All @@ -16,7 +16,7 @@ services:
image: envoyproxy/envoy:v1.23-latest
command:
- -c
- /conf/envoy-config.yaml
- ${ENVOY_CONFIG:-/conf/envoy-config.yaml}
- --log-level
- info
- --component-log-level
Expand Down Expand Up @@ -54,6 +54,8 @@ services:
depends_on:
- wasm-logs
build: .
environment:
- FTW_CLOUDMODE
volumes:
- logs:/home/envoy/logs:ro
volumes:
Expand Down
44 changes: 44 additions & 0 deletions ftw/envoy-config-nowasm.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
static_resources:
listeners:
- address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
codec_type: auto
http_protocol_options:
accept_http_10: true
route_config:
virtual_hosts:
- name: local_route
domains:
- "*"
routes:
- match:
prefix: "/"
route:
cluster: local_server
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

clusters:
- name: local_server
connect_timeout: 6000s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: local_server
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: httpbin
port_value: 80
4 changes: 3 additions & 1 deletion ftw/tests.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,4 +29,6 @@ while [[ "$status_code" -eq "000" ]]; do
done
echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."

go-ftw run -d coreruleset/tests/regression/tests --config ftw.yml --read-timeout=10s || (echo "Envoy Logs:" && cat /home/envoy/logs/envoy.log)
FTW_CLOUDMODE=${FTW_CLOUDMODE:-false}

go-ftw run -d coreruleset/tests/regression/tests --config ftw.yml --read-timeout=10s --cloud=$FTW_CLOUDMODE || (echo "Envoy Logs:" && cat /home/envoy/logs/envoy.log)
8 changes: 4 additions & 4 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,23 +3,23 @@ module github.com/jcchavezs/coraza-wasm-filter
go 1.17

require (
github.com/corazawaf/coraza/v3 v3.0.0-20220913021343-a3bd8c85ebf5
github.com/corazawaf/coraza/v3 v3.0.0-20220928011626-fce26f25ab3e
github.com/magefile/mage v1.13.0
github.com/stretchr/testify v1.8.0
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220831045923-bd6f69563ef4
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220922045757-132ee0a06ac2
github.com/tidwall/gjson v1.14.3
)

require (
github.com/corazawaf/libinjection-go v0.0.0-20220909190158-227e7e772cef // indirect
github.com/corazawaf/libinjection-go v0.1.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/kr/pretty v0.1.0 // indirect
github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/tetratelabs/wazero v1.0.0-beta.2 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.0 // indirect
golang.org/x/net v0.0.0-20220809184613-07c6da5e1ced // indirect
golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
20 changes: 10 additions & 10 deletions go.sum
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df/go.mod h1:7jguE759ADzy2EkxGRXigiC0ER1Yq2IFk2qNtwgzc7U=
github.com/corazawaf/coraza/v3 v3.0.0-20220913021343-a3bd8c85ebf5 h1:yfQWquK/A4egSMhxEoQQrMglWnTkXLkkHIhh+SeqPHQ=
github.com/corazawaf/coraza/v3 v3.0.0-20220913021343-a3bd8c85ebf5/go.mod h1:xhc7feR6FUfYgmBmRw3UObvLiyzT3XPQtlJD+huy+Mc=
github.com/corazawaf/libinjection-go v0.0.0-20220909190158-227e7e772cef h1:q9ty0pTOklSWgTasNL1N820pNVcn933BFz5w79DPbbo=
github.com/corazawaf/libinjection-go v0.0.0-20220909190158-227e7e772cef/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
github.com/corazawaf/coraza/v3 v3.0.0-20220928011626-fce26f25ab3e h1:5EnuiKFLRHct8ZHuzEgPjoAYy21ufDgXt01tqQVFzcg=
github.com/corazawaf/coraza/v3 v3.0.0-20220928011626-fce26f25ab3e/go.mod h1:D89v4pivoxiY7Ij65EryL3ERX7/I/AyRnZEKxkNI4QA=
github.com/corazawaf/libinjection-go v0.1.1 h1:N/SMuy9Q4wPL72pU/OsoYjIIjfvUbsVwHf8A3tWMLKg=
github.com/corazawaf/libinjection-go v0.1.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
Expand All @@ -27,8 +27,8 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220831045923-bd6f69563ef4 h1:FSXp4DrzGamerGY9bhBsL2yJdedDZbMwSsxJEaVxHWo=
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220831045923-bd6f69563ef4/go.mod h1:YVEdbjpYmWRaTXSHuIK6O1kibi313mcQpTbcuBTd4Mg=
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220922045757-132ee0a06ac2 h1:Dd0c7ZCOStoWSnBtfcoF7mXC0MPA9YfbrCHkE4qexZs=
github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220922045757-132ee0a06ac2/go.mod h1:YVEdbjpYmWRaTXSHuIK6O1kibi313mcQpTbcuBTd4Mg=
github.com/tetratelabs/wazero v1.0.0-beta.2 h1:Qa1R1oizAYHcmy8PljgINdXUZ/nRQkxUBbYfGSb4IBE=
github.com/tetratelabs/wazero v1.0.0-beta.2/go.mod h1:CD5smBN5rGZo7UNe8aUiWyYE3bDWED/CQSonog9NSEg=
github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
Expand All @@ -53,8 +53,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.0.0-20220809184613-07c6da5e1ced h1:3dYNDff0VT5xj+mbj2XucFst9WKk6PdGOrb9n+SbIvw=
golang.org/x/net v0.0.0-20220809184613-07c6da5e1ced/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI=
golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
Expand All @@ -71,8 +71,8 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220808155132-1c4a2a72c664 h1:v1W7bwXHsnLLloWYTVEdvGvA7BHMeBYsPcF0GLDxIRs=
golang.org/x/sys v0.0.0-20220808155132-1c4a2a72c664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220913175220-63ea55921009 h1:PuvuRMeLWqsf/ZdT1UUZz0syhioyv1mzuFZsXs4fvhw=
golang.org/x/sys v0.0.0-20220913175220-63ea55921009/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
Expand Down
9 changes: 9 additions & 0 deletions init_tinygo.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

//go:build tinygo

package main

// #cgo LDFLAGS: lib/libinjection.a lib/libre2.a lib/libcre2.a lib/libc++.a lib/libc++abi.a lib/libclang_rt.builtins-wasm32.a lib/libaho_corasick.a
import "C"
22 changes: 16 additions & 6 deletions internal/ahocorasick/ahocorasick.go
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

//go:build tinygo

package ahocorasick

import (
"encoding/binary"
"reflect"
"runtime"
"unsafe"
)

Expand All @@ -21,10 +21,20 @@ type Matcher struct {
ptr uint32
}

func NewMatcher(patternsStr string) Matcher {
sh := (*reflect.StringHeader)(unsafe.Pointer(&patternsStr))
ac := newMatcher(unsafe.Pointer(sh.Data), uint32(sh.Len))
runtime.KeepAlive(patternsStr)
func NewMatcher(patterns []string) Matcher {
var bufSize int
for _, p := range patterns {
bufSize += 4
bufSize += len(p)
}

buf := make([]byte, 0, bufSize)
for _, p := range patterns {
buf = binary.LittleEndian.AppendUint32(buf, uint32(len(p)))
buf = append(buf, p...)
}

ac := newMatcher(unsafe.Pointer(&buf[0]), uint32(bufSize))
return Matcher{ptr: ac}
}

Expand Down
8 changes: 7 additions & 1 deletion internal/calloc/calloc.go
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

//go:build tinygo
Expand Down Expand Up @@ -37,3 +37,9 @@ func posix_memalign(memptr *unsafe.Pointer, alignment, size uintptr) int {
*memptr = libc_malloc(size)
return 0
}

//export aligned_alloc
func aligned_alloc(alignment, size uintptr) unsafe.Pointer {
// Ignore alignment for now
return libc_malloc(size)
}
2 changes: 1 addition & 1 deletion internal/calloc/doc.go
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

// Package calloc reimplements some memory allocation functions that C++ expects to exist
Expand Down
2 changes: 1 addition & 1 deletion internal/injection/injection.go
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2022 The OWASP Coraza contributors
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

//go:build tinygo
Expand Down
49 changes: 49 additions & 0 deletions internal/operators/from_file.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

//go:build tinygo

package operators

import (
"errors"
"io/fs"
"os"
"path"
)

var errEmptyPaths = errors.New("empty paths")

func loadFromFile(filepath string, paths []string, root fs.FS) ([]byte, error) {
if path.IsAbs(filepath) {
return fs.ReadFile(root, filepath)
}

if len(paths) == 0 {
return nil, errEmptyPaths
}

// handling files by operators is hard because we must know the paths where we can
// search, for example, the policy path or the binary path...
// CRS stores the .data files in the same directory as the directives
var (
content []byte
err error
)

for _, p := range paths {
absFilepath := path.Join(p, filepath)
content, err = fs.ReadFile(root, absFilepath)
if err != nil {
if os.IsNotExist(err) {
continue
} else {
return nil, err
}
}

return content, nil
}

return nil, err
}
Loading

0 comments on commit e619253

Please sign in to comment.