authorfengweihao <[email protected]>2023-04-13 14:34:34 +0800
committerfengweihao <[email protected]>2023-04-13 14:34:34 +0800
commit915dd007316b0121e4275b4b9586049795fe7d81 (patch)
tree7045c8e2b745e49346c6a82f8cb8d16d70f07e4b
parent77927208f98eee56eb2a3f55e3304c7cabc5fe98 (diff)
TSG-14704 用户自定义域中带有特殊字符策略无法生效v4.8.4-20230413
TSG-14703 扫描ip和app_id后策略没有执行
-rw-r--r--common/src/tfe_resource.cpp102
-rw-r--r--plugin/business/doh/src/doh.cpp8
-rw-r--r--plugin/business/tsg-http/src/tsg_http.cpp53
3 files changed, 103 insertions, 60 deletions
diff --git a/common/src/tfe_resource.cpp b/common/src/tfe_resource.cpp
index 54c35a1..356827e 100644
--- a/common/src/tfe_resource.cpp
+++ b/common/src/tfe_resource.cpp
@@ -60,57 +60,57 @@ static struct maat *create_maat_feather(const char *instance_name, const char *p
maat_options_set_caller_thread_number(opts, max_thread);
switch (input_mode)
{
- case MAAT_INPUT_JSON:
- if (!strlen(json_cfg_file))
- {
- TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed.");
- goto error_out;
- }
- maat_options_set_json_file(opts, json_cfg_file);
- break;
- case MAAT_INPUT_REDIS:
- if (!strlen(redis_server))
- {
- TFE_LOG_ERROR(logger, "Invalid maat_redis_server, MAAT init failed.");
- goto error_out;
- }
-
- ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
- if (ret == 1)
- {
- redis_port_select = redis_port_begin;
- }
- else if (ret == 2)
- {
- srand(time(NULL));
- redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
- }
- else
- {
- TFE_LOG_ERROR(logger, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
-
- goto error_out;
- }
- maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
- break;
- case MAAT_INPUT_FILE:
- if (!strlen(ful_cfg_dir))
- {
- TFE_LOG_ERROR(logger, "Invalid ful_cfg_dir, MAAT init failed.");
- goto error_out;
- }
-
- if (!strlen(inc_cfg_dir))
- {
- TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed.");
- goto error_out;
- }
- maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
- break;
- default:
- TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
- goto error_out;
- break;
+ case MAAT_INPUT_JSON:
+ if (!strlen(json_cfg_file))
+ {
+ TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed.");
+ goto error_out;
+ }
+ maat_options_set_json_file(opts, json_cfg_file);
+ break;
+ case MAAT_INPUT_REDIS:
+ if (!strlen(redis_server))
+ {
+ TFE_LOG_ERROR(logger, "Invalid maat_redis_server, MAAT init failed.");
+ goto error_out;
+ }
+
+ ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
+ if (ret == 1)
+ {
+ redis_port_select = redis_port_begin;
+ }
+ else if (ret == 2)
+ {
+ srand(time(NULL));
+ redis_port_select = redis_port_begin + rand() % (redis_port_end - redis_port_begin);
+ }
+ else
+ {
+ TFE_LOG_ERROR(logger, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
+
+ goto error_out;
+ }
+ maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
+ break;
+ case MAAT_INPUT_FILE:
+ if (!strlen(ful_cfg_dir))
+ {
+ TFE_LOG_ERROR(logger, "Invalid ful_cfg_dir, MAAT init failed.");
+ goto error_out;
+ }
+
+ if (!strlen(inc_cfg_dir))
+ {
+ TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed.");
+ goto error_out;
+ }
+ maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
+ break;
+ default:
+ TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
+ goto error_out;
+ break;
}
maat_options_set_foreign_cont_dir(opts, "./pangu_files");
if (maat_stat_on)
diff --git a/plugin/business/doh/src/doh.cpp b/plugin/business/doh/src/doh.cpp
index ac5b601..5d0e79e 100644
--- a/plugin/business/doh/src/doh.cpp
+++ b/plugin/business/doh/src/doh.cpp
@@ -319,14 +319,14 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr,
- sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v4->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr,
- sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v4->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
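Review bot: The check after the source-address scan, `if (n_hit_result == MAAT_SCAN_HIT)`, still compares the hit count against a status code, so hit_cnt is only advanced when the number of hits happens to equal the MAAT_SCAN_HIT value; this commit corrects the identical line in tsg_http.cpp to `if (scan_ret == MAAT_SCAN_HIT)` and the doh.cpp copy should get the same fix. The new fifth argument `6` is a bare literal in all four scan calls here and in the two tsg_http.cpp hunks; if that parameter is an IP protocol number (6 is IPPROTO_TCP) then passing `IPPROTO_TCP` or a project constant would document why the scans are now narrowed to it, but the parameter's meaning cannot be confirmed from the hunk. doh_maat_scan begins before this hunk.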
@@ -337,14 +337,14 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr,
- sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v6->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr,
- sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v6->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
diff --git a/plugin/business/tsg-http/src/tsg_http.cpp b/plugin/business/tsg-http/src/tsg_http.cpp
index 572d419..dac1f35 100644
--- a/plugin/business/tsg-http/src/tsg_http.cpp
+++ b/plugin/business/tsg-http/src/tsg_http.cpp
@@ -387,6 +387,43 @@ void octal_utf8_escapes(char *input)
return;
}
+char* str_unescape(char* s)
+{
+ int i=0,j=0;
+ int len=strlen(s);
+ for(i=0,j=0;i<len;i++)
+ {
+ if(s[i]=='\\')
+ {
+ switch(s[i+1])
+ {
+ case '&':
+ s[j]='&';
+ break;
+ case 'b':
+ s[j]=' ';
+ break;
+ case '\\':
+ s[j]='\\';
+ break;
+ default:
+ s[j]=s[i];
+ i--;
+ break;
+ }
+ i++;
+ j++;
+ }
+ else
+ {
+ s[j]=s[i];
+ j++;
+ }
+ }
+ s[j]='\0';
+ return s;
+}
+
void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
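Review bot: `str_unescape` is given external linkage and uses `int` for the length and indices, so a generic name like this can collide with another definition at link time and `int len=strlen(s)` narrows a size_t; I would write `static char* str_unescape(char* s)` with `size_t i=0,j=0;` and `size_t len=strlen(s);`. A header comment should state the contract the code shows: it rewrites s in place (so the caller must pass a writable buffer), recognises only `\&`, `\b` and `\\`, maps `\b` to a single space rather than the C backspace meaning, and copies any other backslash through unchanged. The `default:` branch's `i--` that the following `i++` immediately undoes could simply be the copy with no decrement. Reading `s[i+1]` when the backslash is the final character lands on the terminator and is therefore in bounds, which is worth a one-line comment as well.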
@@ -405,6 +442,8 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k
}
*ad=NULL;
+
+ str_unescape(srv_def_large);
int serv_def_len=strlen(srv_def_large);
if((unsigned int)serv_def_len<strlen("{}")+1)
{
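Review bot: `str_unescape(srv_def_large)` rewrites its argument in place, but srv_def_large is declared before this hunk, so it is not visible whether it is a writable copy or a pointer into the `const char* table_line` parameter; in the latter case the write is undefined behaviour and would also change the stored policy line for any later reader. If it is a private copy, a comment such as `/* srv_def_large is a writable copy; unescape in place before measuring it */` would make that explicit at the call. policy_action_param_new begins before this hunk.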
@@ -1531,6 +1570,10 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit,
{
*param=(struct policy_action_param*)ex_data;
}
+ if(hit_rules)
+ {
+ FREE(&hit_rules);
+ }
return PX_ACTION_WHITELIST;
}
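Review bot: The added `FREE(&hit_rules)` covers only the `return PX_ACTION_WHITELIST` path; decide_ctrl_action starts and ends outside this hunk, so whether its other exits release hit_rules cannot be confirmed from here, and a single cleanup label reached from every return would make the ownership obvious. If FREE() already tolerates a null pointer the way free() does, the surrounding `if(hit_rules)` guard is redundant and can be dropped.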
@@ -3103,14 +3146,14 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
- sapp_addr.v4->saddr, sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v4->saddr, sapp_addr.v4->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
- if (n_hit_result == MAAT_SCAN_HIT)
+ if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
- sapp_addr.v4->daddr, sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v4->daddr, sapp_addr.v4->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
@@ -3121,14 +3164,14 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
- sapp_addr.v6->saddr, sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v6->saddr, sapp_addr.v6->source, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
- sapp_addr.v6->daddr, sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ sapp_addr.v6->daddr, sapp_addr.v6->dest, 6, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{