anderson-ufrj
commited on
Commit
·
772635a
1
Parent(s):
8b80916
fix(security): re-enable and enhance suspicious pattern detection
Browse files- Re-enable pattern validation that was temporarily disabled
- Add comprehensive patterns for XSS, SQL injection, command injection
- Add patterns for XXE, LDAP injection, and path traversal attacks
- Implement whitelist for exempt paths (docs, health, metrics)
- Improve pattern matching with more specific regex patterns
- src/api/middleware/security.py +74 -19
src/api/middleware/security.py
CHANGED
|
@@ -63,22 +63,76 @@ class SecurityConfig:
|
|
| 63 |
|
| 64 |
# Suspicious patterns
|
| 65 |
SUSPICIOUS_PATTERNS = [
|
| 66 |
-
|
| 67 |
-
r"
|
|
|
|
| 68 |
r"on\w+\s*=", # Event handlers
|
| 69 |
-
r"
|
| 70 |
-
r"
|
| 71 |
-
r"
|
| 72 |
-
r"
|
| 73 |
-
r"
|
| 74 |
-
|
| 75 |
-
|
| 76 |
-
r"
|
| 77 |
-
r"
|
| 78 |
-
r"
|
| 79 |
-
r"
|
| 80 |
-
r"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 81 |
]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 82 |
|
| 83 |
|
| 84 |
class IPBlockList:
|
|
@@ -262,11 +316,12 @@ class RequestValidator:
|
|
| 262 |
if request.url.query:
|
| 263 |
path_and_query += "?" + request.url.query
|
| 264 |
|
| 265 |
-
# Check
|
| 266 |
-
|
| 267 |
-
|
| 268 |
-
|
| 269 |
-
|
|
|
|
| 270 |
|
| 271 |
# Check for double encoding
|
| 272 |
if "%25" in path_and_query:
|
|
|
|
| 63 |
|
| 64 |
# Suspicious patterns
|
| 65 |
SUSPICIOUS_PATTERNS = [
|
| 66 |
+
# XSS patterns
|
| 67 |
+
r"<script[^>]*>.*?</script>", # XSS script tags
|
| 68 |
+
r"javascript:", # XSS javascript protocol
|
| 69 |
r"on\w+\s*=", # Event handlers
|
| 70 |
+
r"<iframe[^>]*>", # Iframe injection
|
| 71 |
+
r"<object[^>]*>", # Object injection
|
| 72 |
+
r"<embed[^>]*>", # Embed injection
|
| 73 |
+
r"vbscript:", # VBScript protocol
|
| 74 |
+
r"data:.*base64", # Data URI with base64
|
| 75 |
+
|
| 76 |
+
# SQL injection patterns
|
| 77 |
+
r"union\s+select", # SQL union select
|
| 78 |
+
r"union\s+all\s+select", # SQL union all select
|
| 79 |
+
r"drop\s+table", # SQL drop table
|
| 80 |
+
r"drop\s+database", # SQL drop database
|
| 81 |
+
r"insert\s+into", # SQL insert
|
| 82 |
+
r"delete\s+from", # SQL delete
|
| 83 |
+
r"update\s+\w+\s+set", # SQL update
|
| 84 |
+
r"select\s+.*\s+from", # SQL select
|
| 85 |
+
r"or\s+1\s*=\s*1", # SQL boolean injection
|
| 86 |
+
r"or\s+'1'\s*=\s*'1'", # SQL boolean injection quoted
|
| 87 |
+
r";\s*--", # SQL comment injection
|
| 88 |
+
r"xp_cmdshell", # SQL Server command execution
|
| 89 |
+
r"exec\s+sp_", # SQL Server stored procedures
|
| 90 |
+
|
| 91 |
+
# Command injection patterns
|
| 92 |
+
r"exec\s*\(", # Command execution
|
| 93 |
+
r"system\s*\(", # System command
|
| 94 |
+
r"eval\s*\(", # Code evaluation
|
| 95 |
+
r"`[^`]+`", # Backtick command substitution
|
| 96 |
+
r"\$\([^)]+\)", # Command substitution
|
| 97 |
+
r"&&", # Command chaining
|
| 98 |
+
r"\|\|", # Command chaining
|
| 99 |
+
r";\s*\w+", # Command separator
|
| 100 |
+
r"\|", # Pipe character
|
| 101 |
+
|
| 102 |
+
# Path traversal patterns
|
| 103 |
+
r"\.\./", # Unix path traversal
|
| 104 |
+
r"\.\.\\", # Windows path traversal
|
| 105 |
+
r"/etc/passwd", # Common target file
|
| 106 |
+
r"c:\\windows", # Windows system path
|
| 107 |
+
r"/proc/self", # Linux proc access
|
| 108 |
+
|
| 109 |
+
# File inclusion patterns
|
| 110 |
+
r"file://", # Local file protocol
|
| 111 |
+
r"ftp://", # FTP protocol
|
| 112 |
+
r"gopher://", # Gopher protocol
|
| 113 |
+
r"dict://", # Dict protocol
|
| 114 |
+
r"php://", # PHP wrappers
|
| 115 |
+
r"data://", # Data protocol
|
| 116 |
+
|
| 117 |
+
# XXE patterns
|
| 118 |
+
r"<!ENTITY", # XML entity
|
| 119 |
+
r"SYSTEM\s+[\"']", # System entity
|
| 120 |
+
|
| 121 |
+
# LDAP injection
|
| 122 |
+
r"\(\w+\s*=\s*\*\)", # LDAP wildcard
|
| 123 |
+
r"\(\w+\s*=\s*\)", # LDAP empty
|
| 124 |
]
|
| 125 |
+
|
| 126 |
+
# Endpoints that are exempt from suspicious pattern checks
|
| 127 |
+
PATTERN_CHECK_EXEMPT_PATHS = {
|
| 128 |
+
"/docs",
|
| 129 |
+
"/redoc",
|
| 130 |
+
"/openapi.json",
|
| 131 |
+
"/api/v1/debug",
|
| 132 |
+
"/api/v1/agents/status",
|
| 133 |
+
"/health",
|
| 134 |
+
"/metrics"
|
| 135 |
+
}
|
| 136 |
|
| 137 |
|
| 138 |
class IPBlockList:
|
|
|
|
| 316 |
if request.url.query:
|
| 317 |
path_and_query += "?" + request.url.query
|
| 318 |
|
| 319 |
+
# Check if path is exempt from pattern checking
|
| 320 |
+
if request.url.path not in SecurityConfig.PATTERN_CHECK_EXEMPT_PATHS:
|
| 321 |
+
# Check for suspicious patterns in path and query only
|
| 322 |
+
for pattern in self.suspicious_patterns:
|
| 323 |
+
if pattern.search(path_and_query):
|
| 324 |
+
return False, "Suspicious pattern in URL"
|
| 325 |
|
| 326 |
# Check for double encoding
|
| 327 |
if "%25" in path_and_query:
|