Merge branch 'master' into anilm3/events-address-and-exists-operator

cmake/objects.cmake

@@ -46,6 +46,7 @@ set(LIBDDWAF_SOURCE
  ${libddwaf_SOURCE_DIR}/src/parser/scanner_parser.cpp
  ${libddwaf_SOURCE_DIR}/src/parser/exclusion_parser.cpp
  ${libddwaf_SOURCE_DIR}/src/processor/extract_schema.cpp
+ ${libddwaf_SOURCE_DIR}/src/processor/fingerprint.cpp
  ${libddwaf_SOURCE_DIR}/src/condition/lfi_detector.cpp
  ${libddwaf_SOURCE_DIR}/src/condition/sqli_detector.cpp
  ${libddwaf_SOURCE_DIR}/src/condition/ssrf_detector.cpp

src/builder/processor_builder.cpp

@@ -8,6 +8,7 @@
 
 #include "builder/processor_builder.hpp"
 #include "processor/extract_schema.hpp"
+#include "processor/fingerprint.hpp"
 
 namespace ddwaf {
 
@@ -42,6 +43,14 @@ template <> struct typed_processor_builder<extract_schema> {
  }
 };
 
+template <> struct typed_processor_builder<http_endpoint_fingerprint> {
+ std::shared_ptr<base_processor> build(const auto &spec)
+ {
+ return std::make_shared<http_endpoint_fingerprint>(
+ spec.id, spec.expr, spec.mappings, spec.evaluate, spec.output);
+ }
+};
+
 template <typename T, typename Spec, typename Scanners>
 concept has_build_with_scanners =
  requires(typed_processor_builder<T> b, Spec spec, Scanners scanners) {
@@ -70,6 +79,8 @@ template <typename T>
  switch (type) {
  case processor_type::extract_schema:
  return build_with_type<extract_schema>(*this, scanners);
+ case processor_type::http_endpoint_fingerprint:
+ return build_with_type<http_endpoint_fingerprint>(*this, scanners);
  default:
  break;
  }

src/builder/processor_builder.hpp

@@ -19,10 +19,10 @@ namespace ddwaf {
 enum class processor_type : unsigned {
  extract_schema,
  // Reserved
- http_fingerprint,
+ http_endpoint_fingerprint,
+ http_network_fingerprint,
+ http_header_fingerprint,
  session_fingerprint,
- network_fingerprint,
- header_fingerprint,
 };
 
 struct processor_builder {

src/obfuscator.hpp

@@ -29,7 +29,7 @@ class obfuscator {
  static constexpr std::string_view redaction_msg{"<Redacted>"};
 
  static constexpr std::string_view default_key_regex_str{
- R"((?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key)|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt)"};
+ R"((?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt)"};
 
 protected:
  std::unique_ptr<re2::RE2> key_regex{nullptr};

src/parser/processor_parser.cpp

@@ -8,13 +8,15 @@
 #include "parser/common.hpp"
 #include "parser/parser.hpp"
 #include "processor/base.hpp"
+#include "processor/extract_schema.hpp"
+#include "processor/fingerprint.hpp"
 #include <vector>
 
 namespace ddwaf::parser::v2 {
 
 namespace {
 std::vector<processor_mapping> parse_processor_mappings(
- const parameter::vector &root, address_container &addresses)
+ const parameter::vector &root, address_container &addresses, const auto &param_names)
 {
  if (root.empty()) {
  throw ddwaf::parsing_error("empty mappings");
@@ -24,22 +26,26 @@ std::vector<processor_mapping> parse_processor_mappings(
  for (const auto &node : root) {
  auto mapping = static_cast<parameter::map>(node);
 
- // TODO support n:1 mappings and key paths
- auto inputs = at<parameter::vector>(mapping, "inputs");
- if (inputs.empty()) {
- throw ddwaf::parsing_error("empty processor input mapping");
- }
+ std::vector<processor_parameter> parameters;
+ for (const auto &param : param_names) {
+ // TODO support n:1 mappings and key paths
+ auto inputs = at<parameter::vector>(mapping, param);
+ if (inputs.empty()) {
+ throw ddwaf::parsing_error("empty processor input mapping");
+ }
 
- auto input = static_cast<parameter::map>(inputs[0]);
- auto input_address = at<std::string>(input, "address");
- auto output = at<std::string>(mapping, "output");
+ auto input = static_cast<parameter::map>(inputs[0]);
+ auto input_address = at<std::string>(input, "address");
 
- addresses.optional.emplace(input_address);
+  addresses.optional.emplace(input_address);
 
+ parameters.emplace_back(processor_parameter{
+ {processor_target{get_target_index(input_address), std::move(input_address), {}}}});
+ }
+
+ auto output = at<std::string>(mapping, "output");
  mappings.emplace_back(processor_mapping{
- {processor_parameter{
- {processor_target{get_target_index(input_address), std::move(input_address), {}}}}},
- {get_target_index(output), std::move(output), {}}});
+ std::move(parameters), {get_target_index(output), std::move(output), {}}});
  }
 
  return mappings;
@@ -71,6 +77,20 @@ processor_container parse_processors(
  auto generator_id = at<std::string>(node, "generator");
  if (generator_id == "extract_schema") {
  type = processor_type::extract_schema;
+ } else if (generator_id == "http_endpoint_fingerprint") {
+ type = processor_type::http_endpoint_fingerprint;
+ } else if (generator_id == "http_network_fingerprint") {
+ type = processor_type::http_network_fingerprint;
+ // Skip for now
+ continue;
+ } else if (generator_id == "http_header_fingerprint") {
+ type = processor_type::http_header_fingerprint;
+ // Skip for now
+ continue;
+ } else if (generator_id == "session_fingerprint") {
+ type = processor_type::session_fingerprint;
+ // Skip for now
+ continue;
  } else {
  DDWAF_WARN("Unknown generator: {}", generator_id);
  info.add_failed(id, "unknown generator '" + generator_id + "'");
@@ -82,7 +102,14 @@ processor_container parse_processors(
 
  auto params = at<parameter::map>(node, "parameters");
  auto mappings_vec = at<parameter::vector>(params, "mappings");
- auto mappings = parse_processor_mappings(mappings_vec, addresses);
+ std::vector<processor_mapping> mappings;
+ if (type == processor_type::extract_schema) {
+ mappings =
+ parse_processor_mappings(mappings_vec, addresses, extract_schema::param_names);
+ } else {
+ mappings = parse_processor_mappings(
+ mappings_vec, addresses, http_endpoint_fingerprint::param_names);
+ }
 
  std::vector<reference_spec> scanners;
  auto scanners_ref_array = at<parameter::vector>(params, "scanners", {});