// Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0
//go:build !coraza.disabled_operators.validateByteRange
package operators
import (
"fmt"
"strconv"
"strings"
"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
)
// validateByteRange is the operator state for the validateByteRange rule
// operator: a per-byte allow-list consulted by Evaluate.
type validateByteRange struct {
	// validBytes[b] is true when byte value b is allowed; it is indexed
	// directly by each input byte in Evaluate.
	validBytes [256]bool // array, not slice, so don't pass as-is to functions
}

// Compile-time assertion that *validateByteRange implements plugintypes.Operator.
var _ plugintypes.Operator = (*validateByteRange)(nil)
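// newValidateByteRange builds the validateByteRange operator from the rule's
// argument string.
//
// The argument is a comma-separated list whose items are either a single
// decimal byte value ("10") or an inclusive range ("32-126"). Surrounding
// whitespace on each item is ignored. Every value must lie in 0..255.
//
// An empty argument returns an unconditionalMatch operator instead of a
// validateByteRange.
// NOTE(review): presumably unconditionalMatch matches every input, so a rule
// written without an argument would flag all traffic; confirm against its
// definition.
//
// An error is returned when an item is not a decimal integer, is outside
// 0..255, or is a range whose start is greater than its end. Errors name the
// offending item and wrap the underlying cause.
func newValidateByteRange(options plugintypes.OperatorOptions) (plugintypes.Operator, error) {
	data := options.Arguments
	if data == "" {
		return &unconditionalMatch{}, nil
	}

	// parseBound converts one decimal field and checks that it fits in a byte,
	// so that it is always a safe index into the 256-entry table below.
	parseBound := func(field string) (int, error) {
		v, err := strconv.Atoi(field)
		if err != nil {
			return 0, err
		}
		if err := validateByte(v); err != nil {
			return 0, err
		}
		return v, nil
	}

	var validBytes [256]bool
	for _, br := range strings.Split(data, ",") {
		br = strings.TrimSpace(br)
		start, end, isRange := strings.Cut(br, "-")

		s, err := parseBound(start)
		if err != nil {
			return nil, fmt.Errorf("invalid byte range %q: %w", br, err)
		}
		if !isRange {
			// Single value: allow exactly that byte.
			validBytes[s] = true
			continue
		}

		e, err := parseBound(end)
		if err != nil {
			return nil, fmt.Errorf("invalid byte range %q: %w", br, err)
		}
		// An inverted range would mark no bytes at all and leave the rule
		// silently stricter than its author wrote it; reject it at rule
		// compile time so the misconfiguration is visible.
		if s > e {
			return nil, fmt.Errorf("invalid byte range %q: start %d is greater than end %d", br, s, e)
		}
		for i := s; i <= e; i++ {
			validBytes[i] = true
		}
	}
	return &validateByteRange{validBytes: validBytes}, nil
}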
// validateByte returns nil when b is representable as a single byte (0..255)
// and an "invalid byte" error otherwise. Callers use it to make sure a parsed
// value is a safe index into a 256-entry table.
func validateByte(b int) error {
	if 0 <= b && b <= 255 {
		return nil
	}
	return fmt.Errorf("invalid byte %d", b)
}
// Evaluate reports whether data contains at least one byte that is not in the
// operator's allow-list. It returns true (a match) on the first such byte and
// false when every byte is allowed or when data is empty.
//
// The check is per raw byte, not per rune: each byte of a multi-byte UTF-8
// sequence is looked up on its own. tx is not used.
func (o *validateByteRange) Evaluate(tx plugintypes.TransactionState, data string) bool {
	// Ranging over the byte view visits every raw byte; an empty string
	// simply yields no iterations and falls through to "no match".
	for _, c := range []byte(data) {
		if o.validBytes[c] {
			continue
		}
		return true
	}
	return false
}
// init registers the operator constructor under the name "validateByteRange".
// The file's build constraint excludes this registration when the
// coraza.disabled_operators.validateByteRange tag is set.
func init() {
	const operatorName = "validateByteRange"
	Register(operatorName, newValidateByteRange)
}