Add denied_content_types option

arvancloud · Apr 28, 2018 · e1477cf · e1477cf
1 parent a4e33c4
commit e1477cf
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ lua-resty-waf - High-performance WAF built on the OpenResty stack
 	* [allowed_content_types](#allowed_content_types)
 	* [debug](#debug)
 	* [debug_log_level](#debug_log_level)
+	* [denied_content_types](#denied_content_types)
 	* [deny_status](#deny_status)
 	* [disable_pcre_optimization](#disable_pcre_optimization)
 	* [event_log_altered_only](#event_log_altered_only)
@@ -525,6 +526,27 @@ location / {
 }
 ```
 
+### denied_content_types
+
+*Default*: none
+
+Defines one or more Content-Type headers that will be denied.
+
+*Example*:
+
+
+```lua
+location / {
+    access_by_lua_block {
+        -- define a single denied Content-Type value
+        waf:set_option("denied_content_types", "text/xml")
+
+        -- defines multiple denied Content-Type values
+        waf:set_option("denied_content_types", { "text/html", "text/json", "application/json" })
+    }
+}
+```
+
 ### deny_status
 
 *Default*: ngx.HTTP_FORBIDDEN

diff --git a/lib/resty/waf.lua b/lib/resty/waf.lua
@@ -582,6 +582,7 @@ function _M.new()
 		_add_ruleset_string          = {},
 		_allow_unknown_content_types = false,
 		_allowed_content_types       = {},
+		_denied_content_types        = {},
 		_debug                       = false,
 		_debug_log_level             = ngx_INFO,
 		_deny_status                 = ngx_HTTP_FORBIDDEN,

diff --git a/lib/resty/waf/options.lua b/lib/resty/waf/options.lua
@@ -38,6 +38,9 @@ _M.lookup = {
 	allowed_content_types = function(waf, value)
 		waf._allowed_content_types[value] = true
 	end,
+	denied_content_types = function(waf, value)
+		waf._denied_content_types[value] = true
+	end,
 	res_body_mime_types = function(waf, value)
 		waf._res_body_mime_types[value] = true
 	end,

diff --git a/lib/resty/waf/request.lua b/lib/resty/waf/request.lua
@@ -140,6 +140,8 @@ function _M.parse_request_body(waf, request_headers, collections)
 			--_LOG_"Request body size larger than client_body_buffer_size, ignoring request body"
 			return nil
 		end
+	elseif util.table_has_key(content_type_header, waf._denied_content_types) then
+		ngx.exit(ngx.HTTP_FORBIDDEN)
 	elseif util.table_has_key(content_type_header, waf._allowed_content_types) then
 		-- if the content type has been whitelisted by the user, set REQUEST_BODY as a string
 		ngx.req.read_body()