Content based block filter #2002
Conversation
MustafaSaber
force-pushed
the
feature/body-filtering-v2
branch
from
c9bc52a
to
2a12c3e
Compare
filters/block/matcher.go
Outdated
|
|
||
| func newMatcher( | ||
| input io.ReadCloser, | ||
| matchList []string, |
There was a problem hiding this comment.
We need to store the []byte converted strings
type matchData struct { b []byte }
matchList []matchData,
There was a problem hiding this comment.
filters/block/matcher.go
Outdated
| var consumed int | ||
|
|
||
| for _, s := range m.matchList { | ||
| if bytes.Contains(b, []byte(s)) { |
There was a problem hiding this comment.
We can prepare string s from matchList to be a []byte already, such that we do the conversion once.
There was a problem hiding this comment.
filters/block/matcher.go
Outdated
| log "github.com/sirupsen/logrus" | ||
| ) | ||
|
|
||
| type maxBufferHandling int |
There was a problem hiding this comment.
please move the type to the iota const, such that these are close together
filters/block/matcher.go
Outdated
|
|
||
| // init: | ||
| input io.ReadCloser | ||
| matchList []string |
There was a problem hiding this comment.
this should be either a map[int][]byte or a []buffer with type buffer []byte
see also https://go.dev/play/p/IKAa6eA91YD
I think the type is more memory efficient, but it does not really matter if we do not store millions of strings.
docs/reference/filters.md
Outdated
|
|
||
| Block a request based on it's body content. | ||
|
|
||
| The filter max request body is 2MiB by default and can be overidden with `-max-matcher-buffer-size=<int>`. |
There was a problem hiding this comment.
The sentence is not correct because it is only using a 2MiB buffer as default and does not stop processing the body.
docs/reference/filters.md
Outdated
|
|
||
| Parameters: | ||
|
|
||
| * toblockList (List of []bytes) |
There was a problem hiding this comment.
It's a list of string instead of list of []byte from the user perspective, which is what we document here.
docs/reference/filters.md
Outdated
| Example: | ||
|
|
||
| ``` | ||
| * -> block("maliciousCotent") -> "http://example.com"; |
There was a problem hiding this comment.
maliciousCotent -> malicious Content
filters/block/matcher.go
Outdated
| return n, nil | ||
| } | ||
|
|
||
| // Closes closes the undelrying reader if it implements io.Closer. |
There was a problem hiding this comment.
godoc: Closes -> Close first has to match the func name
There was a problem hiding this comment.
Also tell in the godoc that it's not safe for concurrent use and it is reentrant.
filters/block/matcher.go
Outdated
| ready *bytes.Buffer | ||
| pending *bytes.Buffer | ||
|
|
||
| // metrices: |
filters/block/matcher.go
Outdated
| // | ||
| type matcher struct { | ||
|
|
||
| // init: |
filters/block/matcher.go
Outdated
| // metrices: | ||
| metrics metrics.Metrics | ||
|
|
||
| // final: |
filters/block/matcher.go
Outdated
|
|
||
| if m.err == proxy.ErrBlocked { | ||
| m.metrics.IncCounter("blocked.requests") | ||
| log.Errorf("Content blocked: %v", proxy.ErrBlocked) |
There was a problem hiding this comment.
We should not log here, because it's more the library part.
filters/block/matcher.go
Outdated
|
|
||
| if err == proxy.ErrBlocked { | ||
| m.metrics.IncCounter("blocked.requests") | ||
| log.Errorf("Content blocked: %v", proxy.ErrBlocked) |
skipper.go
Outdated
| @@ -774,6 +775,10 @@ type Options struct { | |||
| // MaxAuditBody sets the maximum read size of the body read by the audit log filter | |||
| MaxAuditBody int | |||
|
|
|||
| // MaxMatcherBufferSize sets the maximum read size of the body read by the block filter | |||
There was a problem hiding this comment.
I would say:
MaxMatcherBufferSize sets the maximum read buffer size of the block filter defaults to 2MiB in case of a zero value
|
👍 |
Signed-off-by: Sandor Szücs <sandor.szuecs@zalando.de>
Make test pass when err is expected Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Return the int output of the reader if the error was block otherwise it implies failing in reading. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Support having chunks of data for the same request. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Passing valid request without reading extra nil chunks of data. Blocking non valid requests without going into infinite loops. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Move block entrypoint with with a global flag in config to control max body size. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Change string to []bytes for better memory utilization on the long term. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
Update docs & godocs. Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
MustafaSaber
force-pushed
the
feature/body-filtering-v2
branch
from
4db42ca
to
4eecf33
Compare
|
👍 |
|
|
||
| // Close closes the undelrying reader if it implements io.Closer. | ||
| // Not safe for concurrent usage and it's reentrant. | ||
| func (m *matcher) Close() error { |
There was a problem hiding this comment.
We could use sync.Once to only run this once. see also: https://github.com/zalando/skipper/blob/master/filters/shedder/admission.go#L324-L329
Signed-off-by: Mustafa Abdelrahman <mustafa.abdelrahman@zalando.de>
|
👍 |
1 similar comment
|
👍 |
Intro
Body filter is a used to block requests based on body content
Implementation can be tested with proxy
./bin/skipper -address=:9999 -inline-routes='r: * -> block("foo") -> "http://127.0.0.1:9090";'