gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-14704 用户自定义域中带有特殊字符策略无法生效

Browse Source 
TSG-14703 扫描ip和app_id后策略没有执行
This commit is contained in:
fengweihao
2023-04-13 14:34:34 +08:00
parent 77927208f9
commit 915dd00731
3 changed files with 100 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
common/src/tfe_resource.cpp
View File

@@ -60,57 +60,57 @@ static struct maat *create_maat_feather(const char *instance_name, const char *p
maat_options_set_caller_thread_number(opts, max_thread); maat_options_set_caller_thread_number(opts, max_thread);
switch (input_mode) switch (input_mode)
{ {
case MAAT_INPUT_JSON: case MAAT_INPUT_JSON:
if (!strlen(json_cfg_file)) if (!strlen(json_cfg_file))
{ {
TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed."); TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed.");
goto error_out; goto error_out;
} }
maat_options_set_json_file(opts, json_cfg_file); maat_options_set_json_file(opts, json_cfg_file);
break; break;
case MAAT_INPUT_REDIS: case MAAT_INPUT_REDIS:
if (!strlen(redis_server)) if (!strlen(redis_server))
{ {
TFE_LOG_ERROR(logger, "Invalid maat_redis_server, MAAT init failed."); TFE_LOG_ERROR(logger, "Invalid maat_redis_server, MAAT init failed.");
goto error_out; goto error_out;
} }
ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end); ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
if (ret == 1) if (ret == 1)
{ {
redis_port_select = redis_port_begin; redis_port_select = redis_port_begin;
} }
else if (ret == 2) else if (ret == 2)
{ {
srand(time(NULL)); srand(time(NULL));
redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin); redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
} }
else else
{ {
TFE_LOG_ERROR(logger, "Invalid redis port range %s, MAAT init failed.", redis_port_range); TFE_LOG_ERROR(logger, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
goto error_out; goto error_out;
} }
maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx); maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
break; break;
case MAAT_INPUT_FILE: case MAAT_INPUT_FILE:
if (!strlen(ful_cfg_dir)) if (!strlen(ful_cfg_dir))
{ {
TFE_LOG_ERROR(logger, "Invalid ful_cfg_dir, MAAT init failed."); TFE_LOG_ERROR(logger, "Invalid ful_cfg_dir, MAAT init failed.");
goto error_out; goto error_out;
} }
if (!strlen(inc_cfg_dir)) if (!strlen(inc_cfg_dir))
{ {
TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed."); TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed.");
goto error_out; goto error_out;
} }
maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir); maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break; break;
default: default:
TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode); TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out; goto error_out;
break; break;
} }
maat_options_set_foreign_cont_dir(opts, "./pangu_files"); maat_options_set_foreign_cont_dir(opts, "./pangu_files");
if (maat_stat_on) if (maat_stat_on)

8
plugin/business/doh/src/doh.cpp
View File

@@ -319,14 +319,14 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (sapp_addr.addrtype == ADDR_TYPE_IPV4) if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{ {
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr, scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr,
sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v4->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT) if (n_hit_result == MAAT_SCAN_HIT)
{ {
hit_cnt += n_hit_result; hit_cnt += n_hit_result;
} }
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr, scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr,
sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v4->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT) if(scan_ret == MAAT_SCAN_HIT)
@@ -337,14 +337,14 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (sapp_addr.addrtype == ADDR_TYPE_IPV6) if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{ {
scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr, scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr,
sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v6->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt += n_hit_result; hit_cnt += n_hit_result;
} }
scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr, scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr,
sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v6->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {

53
plugin/business/tsg-http/src/tsg_http.cpp
View File

@@ -387,6 +387,43 @@ void octal_utf8_escapes(char *input)
return; return;
} }
char* str_unescape(char* s)
{
int i=0,j=0;
int len=strlen(s);
for(i=0,j=0;i<len;i++)
{
if(s[i]=='\\')
{
switch(s[i+1])
{
case '&':
s[j]='&';
break;
case 'b':
s[j]=' ';
break;
case '\\':
s[j]='\\';
break;
default:
s[j]=s[i];
i--;
break;
}
i++;
j++;
}
else
{
s[j]=s[i];
j++;
}
}
s[j]='\0';
return s;
}
void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{ {
int ret=0; int ret=0;
@@ -405,6 +442,8 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k
} }
*ad=NULL; *ad=NULL;
str_unescape(srv_def_large);
int serv_def_len=strlen(srv_def_large); int serv_def_len=strlen(srv_def_large);
if((unsigned int)serv_def_len<strlen("{}")+1) if((unsigned int)serv_def_len<strlen("{}")+1)
{ {
@@ -1531,6 +1570,10 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit,
{ {
*param=(struct policy_action_param*)ex_data; *param=(struct policy_action_param*)ex_data;
} }
if(hit_rules)
{
FREE(&hit_rules);
}
return PX_ACTION_WHITELIST; return PX_ACTION_WHITELIST;
} }
@@ -3103,14 +3146,14 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
if (sapp_addr.addrtype == ADDR_TYPE_IPV4) if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{ {
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR], scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v4->saddr, sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v4->saddr, sapp_addr.v4->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt += n_hit_result; hit_cnt += n_hit_result;
} }
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR], scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v4->daddr, sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v4->daddr, sapp_addr.v4->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT) if(scan_ret == MAAT_SCAN_HIT)
@@ -3121,14 +3164,14 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
if (sapp_addr.addrtype == ADDR_TYPE_IPV6) if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{ {
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR], scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v6->saddr, sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v6->saddr, sapp_addr.v6->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt += n_hit_result; hit_cnt += n_hit_result;
} }
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR], scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v6->daddr, sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, sapp_addr.v6->daddr, sapp_addr.v6->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {