From e1477cf4e454d2ddef35f2fab0c312af418a7056 Mon Sep 17 00:00:00 2001
From: Navid
Date: Sat, 28 Apr 2018 14:08:07 +0430
Subject: [PATCH] Add denied_content_types option
---
README.md | 22 ++++++++++++++++++++++
lib/resty/waf.lua | 1 +
lib/resty/waf/options.lua | 3 +++
lib/resty/waf/request.lua | 2 ++
4 files changed, 28 insertions(+)
diff --git a/README.md b/README.md
index 47e6923a..3cb95017 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,7 @@ lua-resty-waf - High-performance WAF built on the OpenResty stack
 * [allowed_content_types](#allowed_content_types)
 * [debug](#debug)
 * [debug_log_level](#debug_log_level)
+ * [denied_content_types](#denied_content_types)
 * [deny_status](#deny_status)
 * [disable_pcre_optimization](#disable_pcre_optimization)
 * [event_log_altered_only](#event_log_altered_only)
@@ -525,6 +526,27 @@ location / {
 }
 ```
+### denied_content_types
+
+*Default*: none
+
+Defines one or more Content-Type headers that will be denied.
+
+*Example*:
+
+
+```lua
+location / {
+ access_by_lua_block {
+ -- define a single denied Content-Type value
+ waf:set_option("denied_content_types", "text/xml")
+
+ -- defines multiple denied Content-Type values
+ waf:set_option("denied_content_types", { "text/html", "text/json", "application/json" })
+ }
+}
+```
+
 ### deny_status
 *Default*: ngx.HTTP_FORBIDDEN
diff --git a/lib/resty/waf.lua b/lib/resty/waf.lua
index 0b22841d..d15fee97 100644
--- a/lib/resty/waf.lua
+++ b/lib/resty/waf.lua
@@ -582,6 +582,7 @@ function _M.new()
 _add_ruleset_string = {},
 _allow_unknown_content_types = false,
 _allowed_content_types = {},
+ _denied_content_types = {},
 _debug = false,
 _debug_log_level = ngx_INFO,
 _deny_status = ngx_HTTP_FORBIDDEN,
diff --git a/lib/resty/waf/options.lua b/lib/resty/waf/options.lua
index 6f39796d..3229c0f4 100644
--- a/lib/resty/waf/options.lua
+++ b/lib/resty/waf/options.lua
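Review bot: `_denied_content_types = {},` is inserted between `_allowed_content_types` and `_debug`, which breaks the alphabetical order the neighbouring fields of this table keep (`_debug`, `_debug_log_level`, `_deny_status`); placing it directly before `_deny_status = ngx_HTTP_FORBIDDEN,` would match both the neighbours and the position the README hunk gives the new option in its index. The `_M.new()` table this field belongs to starts and ends outside the hunk.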
@@ -38,6 +38,9 @@ _M.lookup = {
 allowed_content_types = function(waf, value)
 waf._allowed_content_types[value] = true
 end,
+ denied_content_types = function(waf, value)
+ waf._denied_content_types[value] = true
+ end,
 res_body_mime_types = function(waf, value)
 waf._res_body_mime_types[value] = true
 end,
diff --git a/lib/resty/waf/request.lua b/lib/resty/waf/request.lua
index c50ad697..20f5a8f4 100644
--- a/lib/resty/waf/request.lua
+++ b/lib/resty/waf/request.lua
@@ -140,6 +140,8 @@ function _M.parse_request_body(waf, request_headers, collections)
 --_LOG_"Request body size larger than client_body_buffer_size, ignoring request body"
 return nil
 end
+ elseif util.table_has_key(content_type_header, waf._denied_content_types) then
+ ngx.exit(ngx.HTTP_FORBIDDEN)
 elseif util.table_has_key(content_type_header, waf._allowed_content_types) then
 -- if the content type has been whitelisted by the user, set REQUEST_BODY as a string
 ngx.req.read_body()
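Review bot: `ngx.exit(ngx.HTTP_FORBIDDEN)` in the new `elseif` arm of `parse_request_body` terminates the request with a hard-coded status, ignoring the configurable deny status that the waf.lua hunk initialises as `_deny_status = ngx_HTTP_FORBIDDEN` and, presumably, skipping whatever event logging the WAF's regular deny path performs; at minimum this should read `ngx.exit(waf._deny_status)`, and preferably the function should return a deny signal to its caller rather than exiting from inside body parsing. The match is an exact key lookup, so unless `content_type_header` is already lower-cased and stripped of parameters before this chain (its assignment is outside the hunk), a configured type such as `application/json` is only denied when the header is byte-identical to it — worth a normalisation step or at least a comment, because a deny list has to be stricter than the allow list it mirrors. Since the arm is placed after the earlier `elseif` arms of this chain, a Content-Type one of those arms already handles can never reach the denied check, which the README sentence `Defines one or more Content-Type headers that will be denied.` does not convey. The enclosing `if` chain and `parse_request_body` start and end outside the hunk.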