package gowafp
import (
"github.com/microcosm-cc/bluemonday"
"github.com/tomasen/fcgi_client"
"io/ioutil"
"log"
"net/http"
"regexp"
"strings"
)
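// AnalyzeRequest is middleware that inspects every form field (query string
// and, for POST bodies, the urlencoded body) before the request reaches next.
//
// Each value is run through bluemonday's UGC policy and written back into
// r.Form, so a downstream handler that reads r.Form (phpPost does) receives
// the sanitized value. Only r.Form is rewritten: r.PostForm, r.URL and r.Body
// still carry the raw input. A value that trips possibleSqlInjection is
// rejected with 403 and never reaches next; the original returned silently,
// which sent the client an empty 200 and logged nothing.
//
// Caveat for anyone relying on this as the XSS defence: the policy rewrites
// every field, including ones that are never rendered as HTML (passwords,
// search terms), so it can alter legitimate data, and it does nothing for
// input that reaches the page by another route. Output encoding in the PHP
// application remains the real control.
func AnalyzeRequest(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Built per request as in the original; hoisting it out of the
		// closure would need confirmation that a bluemonday Policy is safe
		// for concurrent Sanitize calls.
		policy := bluemonday.UGCPolicy()

		// A body that cannot be parsed is rejected instead of being forwarded
		// unchecked (the original discarded this error).
		if err := r.ParseForm(); err != nil {
			log.Printf("waf: parse form from %s: %v", r.RemoteAddr, err)
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}

		for key, values := range r.Form {
			// Values are handled one by one; the original joined repeated
			// fields (a=1&a=2) into a single string "12", corrupting the
			// input PHP received.
			clean := make([]string, 0, len(values))
			for _, raw := range values {
				// The injection check runs on the raw value: sanitization
				// could strip the very characters the pattern looks for.
				if possibleSqlInjection(raw) {
					log.Printf("waf: blocked possible SQL injection in field %q from %s", key, r.RemoteAddr)
					http.Error(w, "request rejected", http.StatusForbidden)
					return
				}
				sanitized := policy.Sanitize(raw)
				if sanitized != raw {
					// Record that the request was altered so a rejected or
					// odd-looking page can be traced back to the WAF.
					log.Printf("waf: sanitized field %q from %s", key, r.RemoteAddr)
				}
				clean = append(clean, sanitized)
			}
			// Assigning to an existing key while ranging over a map is
			// well-defined in Go.
			r.Form[key] = clean
		}
		next.ServeHTTP(w, r)
	})
}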
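// PhpHandler returns a handler that forwards every request to a PHP-FPM
// process over FastCGI.
//
// protocol and address are passed straight to fcgiclient.Dial (for example
// "tcp" with "127.0.0.1:9000", or "unix" with a socket path). script is the
// path PHP-FPM executes as SCRIPT_FILENAME for every request: the request
// path, method and query string are not placed in the FastCGI environment
// here, so only that one script is ever run regardless of the URL requested.
//
// A fresh FastCGI connection is dialed per request and closed when the
// handler returns. If the backend cannot be reached the client gets 502; the
// original deferred fcgi.Close() before checking the dial error and then
// went on to use the nil client, which panics inside the handler.
func PhpHandler(script string, protocol string, address string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		env := map[string]string{
			"SCRIPT_FILENAME": script,
		}

		fcgi, err := fcgiclient.Dial(protocol, address)
		if err != nil {
			log.Println("err:", err)
			http.Error(w, "backend unavailable", http.StatusBadGateway)
			return
		}
		// Safe to defer only once fcgi is known to be non-nil.
		defer fcgi.Close()

		// NOTE(review): neither the dial nor the round trip carries a
		// deadline, so a stalled PHP-FPM holds this handler (and its
		// goroutine) open indefinitely — worth bounding with a timeout.

		if r.Method == http.MethodPost {
			phpPost(env, fcgi, w, r)
			return
		}
		// Every non-POST method is forwarded as a FastCGI GET.
		phpGet(env, fcgi, w)
	})
}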
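// phpPost forwards a POST request to PHP-FPM over f and relays the reply.
//
// It sends r.Form, so when AnalyzeRequest sits in front of PhpHandler the
// sanitized values are what PHP receives. Because the form is re-encoded
// rather than r.Body being streamed, non-form bodies (JSON, multipart file
// uploads) do not reach PHP. On a backend failure the client gets 502; the
// original logged the error and then passed the nil response on to
// phpProcessResponse, which dereferenced it.
func phpPost(env map[string]string, f *fcgiclient.FCGIClient, w http.ResponseWriter, r *http.Request) {
	// ParseForm is idempotent, so this is a no-op when AnalyzeRequest has
	// already parsed the request; the error matters when it has not.
	if err := r.ParseForm(); err != nil {
		log.Println("Post Err:", err)
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}

	resp, err := f.PostForm(env, r.Form)
	if err != nil {
		log.Println("Post Err:", err)
		http.Error(w, "backend error", http.StatusBadGateway)
		return
	}
	phpProcessResponse(resp, w)
}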
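// phpGet issues a FastCGI GET for env over f and relays the reply to w.
//
// The request's query string is not part of env as built by PhpHandler (only
// SCRIPT_FILENAME is set), so PHP does not see it unless the caller adds it.
// On a backend failure the client gets 502; the original logged the error and
// then handed the nil response to phpProcessResponse, which dereferenced it.
func phpGet(env map[string]string, f *fcgiclient.FCGIClient, w http.ResponseWriter) {
	resp, err := f.Get(env)
	if err != nil {
		log.Println("Get Err:", err)
		http.Error(w, "backend error", http.StatusBadGateway)
		return
	}
	phpProcessResponse(resp, w)
}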
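// phpProcessResponse relays a PHP-FPM reply to the client.
//
// The headers PHP emitted (Content-Type, Set-Cookie, Location, ...) and its
// status code are copied onto w before the body is written, and resp.Body is
// closed on every path. The original wrote only the body, so every reply went
// out as 200 with a sniffed Content-Type, PHP's headers were dropped, and the
// body was never closed. A nil resp (what the original callers passed on a
// backend error) yields 502 instead of a nil-pointer panic.
func phpProcessResponse(resp *http.Response, w http.ResponseWriter) {
	if resp == nil || resp.Body == nil {
		http.Error(w, "backend error", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()

	// The whole body is buffered, as in the original, so that a read error
	// can still be turned into a 502 before any header has been sent.
	content, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Println("err:", err)
		http.Error(w, "backend error", http.StatusBadGateway)
		return
	}

	for name, values := range resp.Header {
		// "Status" is the CGI status line, not an HTTP header; its value is
		// carried in resp.StatusCode, so it is not forwarded as a header.
		if http.CanonicalHeaderKey(name) == "Status" {
			continue
		}
		for _, v := range values {
			w.Header().Add(name, v)
		}
	}

	// Defensive: WriteHeader panics on a code outside 100..999, and a
	// response built without a status would otherwise take the server down.
	status := resp.StatusCode
	if status < 100 || status > 999 {
		status = http.StatusOK
	}
	w.WriteHeader(status)
	w.Write(content)
}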
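// sqlInjectionPattern matches the classic "quote followed by OR" probe: a
// single quote (literal or URL-encoded %27), optional whitespace, then "or"
// with each letter either literal or URL-encoded (%6F/%4F, %72/%52).
//
// It is compiled once at package init; the original recompiled it on every
// call and discarded the compile error. Two gaps in the original pattern are
// closed: (?i) makes the letters case-insensitive — it accepted "o"/"r" and
// the encoded upper-case forms but not a literal "O"/"R", so `'OR 1=1`
// slipped through — and \s* allows the whitespace in the canonical
// `' or 1=1` payload, which the original required to be absent.
var sqlInjectionPattern = regexp.MustCompile(`(?i)((%27)|')\s*((%6F)|o|(%4F))((%72)|r|(%52))`)

// possibleSqlInjection reports whether value contains a quote followed by
// "or", the shape of the simplest tautology-based SQL injection.
//
// This is a narrow heuristic, not a parser: UNION-, comment- (`admin'--`),
// stacked-query and numeric payloads (`1 or 1=1`, no quote) all pass, and
// any apostrophe before "or" is a false positive (`l'orange`). The %27/%6F
// alternatives only fire on input that is still percent-encoded; AnalyzeRequest
// calls this on r.Form values, which ParseForm has already decoded, so they
// only catch double-encoded input. Parameterized queries in the PHP
// application are the actual defence; treat this as a tripwire.
func possibleSqlInjection(value string) bool {
	return sqlInjectionPattern.MatchString(value)
}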