fix display for injected value in body and url

SAP · Apr 4, 2024 · 20c557a · 20c557a
1 parent d3f41d6
commit 20c557a
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 24 deletions.
diff --git a/proxy/wasm/cloud-active-defense.wasm b/proxy/wasm/cloud-active-defense.wasm
diff --git a/proxy/wasm/detect/body.go b/proxy/wasm/detect/body.go
@@ -148,6 +148,12 @@ func (d *detectBody) detectDecoyInRequest() (error, *alert.AlertParam) {
         return fmt.Errorf("failed to retrieve postParam value of decoy:" , err.Error()), nil
       }
       alertInfos["injected"] = keyRm.ReplaceAllString(injected, "")
+    } else {
+      err, injected := shared.FindInjectedValue(*d.curFilter, d.body)
+      if err != nil {
+        fmt.Errorf("%v", err)
+      }
+      alertInfos["injected"] = injected
     }
 
     sendAlert := false
@@ -202,59 +208,54 @@ func (d *detectBody) detectDecoyInResponse() (error, *alert.AlertParam) {
     value = d.curFilter.Decoy.Value 
   }
   separator := d.curFilter.Decoy.Separator
-  if d.curFilter.Detect.Seek.In == "postParam" {
+  if separator == "" {
     separator = "="
   }
 
-  rECombinedstring, err := regexp.Compile(key+separator+value)
-  if err != nil {
-    return fmt.Errorf("decoy. Key+Separator+Value: \"%s\" is not a valid regex: %s", key+separator+value, err.Error()), nil
-  }
-  matchesCombined := rECombinedstring.FindAllStringIndex(d.body, -1)
-  //proxywasm.LogWarnf("length of match array with n=0: %v", len(matchesCombined)) //debug
-
-  rEKey, err := regexp.Compile(key+separator)
+  err, keyMatches, combinedMatches := shared.KeyCombinedMatch(d.curFilter, &d.body)
   if err != nil {
-    return fmt.Errorf("decoy.key: \"%s\" is not a valid regex: %s", separator, err.Error()), nil
+    proxywasm.LogErrorf("could not match: %v", err.Error())
   }
-  matchesKey := rEKey.FindAllStringIndex(d.body, -1)
-
   alertInfos := make(map[string]string, 0)
   alertInfos["decoy"] = key+separator+value
   alertInfos["verb"] = d.request.Headers[":method"]
   alertInfos["path"] = d.request.Headers[":path"]
 
+  err, injected := shared.FindInjectedValue(*d.curFilter, d.body)
+  if err != nil {
+    proxywasm.LogErrorf("could not find injected value: %v", err.Error())
+  }
+  alertInfos["injected"] = injected
   sendAlert := false
 
-  if d.curFilter.Detect.Alert.WhenSeen && key != "" {
-    if matchesKey != nil { // key+separator -> seen
+  if d.curFilter.Detect.Alert.WhenSeen {
+    if keyMatches { // key+separator -> seen
       alertInfos["alert"] += "KeySeen "
       sendAlert=true
     } 
   }
-  if d.curFilter.Detect.Alert.WhenComplete && key != "" && value != "" {
-    if matchesCombined != nil {
+  if d.curFilter.Detect.Alert.WhenComplete {
+    if combinedMatches {
       alertInfos["alert"] += "KeyValueComplete "
       sendAlert=true
     }
   }
   if d.curFilter.Detect.Alert.WhenModified {
-    for _, matchKey := range matchesKey {
+    /* for _, matchKey := range matchesKey {
       isFullMatch := false
       for _, matchCombined := range matchesCombined {
         if matchKey[0] == matchCombined[0] {
           isFullMatch = true //key+separator+value found -> not modified
           break
         }
-      }
-      if !isFullMatch && key != "" { // key+separator without value found -> modified
+      } */
+      if keyMatches && !combinedMatches { // key+separator without value found -> modified
         alertInfos["alert"] += "ValueModified "
         sendAlert=true
       }
-    }
   }
   if d.curFilter.Detect.Alert.WhenAbsent {
-    if matchesKey == nil { // key+separator not found -> absent
+    if keyMatches { // key+separator not found -> absent
       alertInfos["alert"] += "KeyAbsent "
       sendAlert=true
     }

diff --git a/proxy/wasm/detect/header.go b/proxy/wasm/detect/header.go
@@ -407,18 +407,18 @@ func (d *detectHeader) detectUrl(alertInfos *map[string]string) (error, bool) {
   if d.curFilter.Detect.Alert.WhenComplete {
     if combinedMatch {
       sendAlert = true
-      (*alertInfos)["alert"] = "KeyValueComplete "
+      (*alertInfos)["alert"] += "KeyValueComplete "
     }
   }
   if d.curFilter.Detect.Alert.WhenModified {
     if keyMatch && !combinedMatch {
       sendAlert = true
-      (*alertInfos)["alert"] = "ValueModified "
+      (*alertInfos)["alert"] += "ValueModified "
     }
   }
   if d.curFilter.Detect.Alert.WhenAbsent {
     if !keyMatch {
-      (*alertInfos)["alert"] = "KeySeen "
+      (*alertInfos)["alert"] += "KeySeen "
     }
   }
   return nil, sendAlert

diff --git a/proxy/wasm/shared/shared.go b/proxy/wasm/shared/shared.go
@@ -57,6 +57,9 @@ func KeyCombinedMatch(filter *config_parser.FilterType, query *string) (err erro
   err = nil
   separator := filter.Decoy.Separator
 
+  if separator == "" {
+		separator = "="
+	}
   key := filter.Decoy.DynamicKey 
   if key == "" {
     key = filter.Decoy.Key
@@ -88,3 +91,46 @@ func KeyCombinedMatch(filter *config_parser.FilterType, query *string) (err erro
   }
   return
 }
+
+func FindInjectedValue(filter config_parser.FilterType, query string) (err error, match string) {
+	key := filter.Decoy.DynamicKey
+	value := filter.Decoy.DynamicValue
+	separator := filter.Decoy.Separator
+	if separator == "" {
+		separator = "="
+	}
+	if key == "" {
+		key = filter.Decoy.Key
+	}
+	if value == "" {
+		value = filter.Decoy.Value
+	}
+	// Find injected value with dynamicKey
+	if value == "" {
+		rEKey, err := regexp.Compile(key)
+		if err != nil {
+			return fmt.Errorf("invalid regex: %v", err.Error()), ""
+		}
+		foundValue := rEKey.FindStringSubmatch(query)
+		if len(foundValue) > 1 {
+			return nil, foundValue[1]
+		} else if len(foundValue) == 0 {
+			return nil, ""
+		} else {
+			return nil, foundValue[0]
+		}
+	} else {
+		rEcombined, err := regexp.Compile(key + separator + value)
+		if err != nil {
+			return fmt.Errorf("invalid regex: %v", err.Error()), ""
+		}
+		foundValue := rEcombined.FindStringSubmatch(query)
+		if len(foundValue) > 1 {
+			return nil, foundValue[1]
+		} else if len(foundValue) == 0 {
+			return nil, ""
+		} else {
+			return nil, foundValue[0]
+		}
+	}
+}