feat: add block common exploits middleware

internal/middleware/block-common-exploits.go

@@ -0,0 +1,85 @@
+/*
+ * Copyright 2024 Jonas Kaninda
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package middleware
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/jkaninda/goma-gateway/pkg/logger"
+	"net/http"
+	"regexp"
+)
+
+// BlockExploitsMiddleware Middleware to block common exploits
+func BlockExploitsMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Patterns to detect SQL injection attempts
+		sqlInjectionPattern := regexp.MustCompile(sqlPatterns)
+
+		// Pattern to detect path traversal attempts
+		pathTraversalPattern := regexp.MustCompile(traversalPatterns)
+
+		// Pattern to detect simple XSS attempts
+		xssPattern := regexp.MustCompile(xssPatterns)
+
+		// Check query strings
+		if sqlInjectionPattern.MatchString(r.URL.RawQuery) ||
+			pathTraversalPattern.MatchString(r.URL.Path) ||
+			xssPattern.MatchString(r.URL.RawQuery) {
+			logger.Error("%s: %s Forbidden - Potential exploit detected", getRealIP(r), r.URL.Path)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusForbidden)
+			err := json.NewEncoder(w).Encode(ProxyResponseError{
+				Success: false,
+				Code:    http.StatusForbidden,
+				Message: fmt.Sprintf("Forbidden - Potential exploit detected"),
+			})
+			if err != nil {
+				return
+			}
+			return
+		}
+
+		// Check form data (for POST requests)
+		if r.Method == http.MethodPost {
+			if err := r.ParseForm(); err == nil {
+				for _, values := range r.Form {
+					for _, value := range values {
+						if sqlInjectionPattern.MatchString(value) || xssPattern.MatchString(value) {
+							logger.Error("%s: %s Forbidden - Potential exploit detected", getRealIP(r), r.URL.Path)
+							w.Header().Set("Content-Type", "application/json")
+							w.WriteHeader(http.StatusForbidden)
+							err := json.NewEncoder(w).Encode(ProxyResponseError{
+								Success: false,
+								Code:    http.StatusForbidden,
+								Message: fmt.Sprintf("Forbidden - Potential exploit detected"),
+							})
+							if err != nil {
+								return
+							}
+							return
+						}
+					}
+				}
+			}
+		}
+
+		// Pass to the next handler if no exploit patterns were detected
+		next.ServeHTTP(w, r)
+	})
+}

internal/middleware/middleware.go

@@ -34,7 +34,7 @@ func (jwtAuth JwtAuth) AuthMiddleware(next http.Handler) http.Handler {
 			if r.Header.Get(header) == "" {
 				logger.Error("Proxy error, missing %s header", header)
 				w.Header().Set("Content-Type", "application/json")
-				//Update Origin Cors Headers
+				//check allowed origin
 				if allowedOrigin(jwtAuth.Origins, r.Header.Get("Origin")) {
 					w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
 				}

internal/middleware/var.go

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2024 Jonas Kaninda
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package middleware
+
+// sqlPatterns contains SQL injections patters
+const sqlPatterns = `(?i)(union|select|drop|insert|delete|update|create|alter|exec|;|--)`
+const traversalPatterns = `\.\./`
+const xssPatterns = `(?i)<script|onerror|onload`

internal/route.go

@@ -40,7 +40,11 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
 	// Health check
 	r.HandleFunc("/health/live", heath.HealthReadyHandler).Methods("GET")
 	r.HandleFunc("/readyz", heath.HealthReadyHandler).Methods("GET")
-
+	// Enable common exploits
+	if gateway.BlockCommonExploits {
+		logger.Info("Block common exploits enabled")
+		r.Use(middleware.BlockExploitsMiddleware)
+	}
 	if gateway.RateLimiter != 0 {
 		//rateLimiter := middleware.NewRateLimiter(gateway.RateLimiter, time.Minute)
 		limiter := middleware.NewRateLimiterWindow(gateway.RateLimiter, time.Minute, gateway.Cors.Origins) //  requests per minute

internal/types.go

@@ -143,10 +143,12 @@ type Gateway struct {
 	ReadTimeout int `yaml:"readTimeout" env:"GOMA_READ_TIMEOUT, overwrite"`
 	// IdleTimeout defines proxy idle timeout
 	IdleTimeout int `yaml:"idleTimeout" env:"GOMA_IDLE_TIMEOUT, overwrite"`
-	// RateLimiter Defines number of request peer minute
-	RateLimiter int    `yaml:"rateLimiter" env:"GOMA_RATE_LIMITER, overwrite"`
-	AccessLog   string `yaml:"accessLog" env:"GOMA_ACCESS_LOG, overwrite"`
-	ErrorLog    string `yaml:"errorLog" env:"GOMA_ERROR_LOG=, overwrite"`
+	// RateLimiter Defines the number of request peer minutes
+	RateLimiter int `yaml:"rateLimiter" env:"GOMA_RATE_LIMITER, overwrite"`
+	// BlockCommonExploits enable, disable block common exploits
+	BlockCommonExploits bool   `yaml:"blockCommonExploits"`
+	AccessLog           string `yaml:"accessLog" env:"GOMA_ACCESS_LOG, overwrite"`
+	ErrorLog            string `yaml:"errorLog" env:"GOMA_ERROR_LOG=, overwrite"`
 	// DisableHealthCheckStatus enable and disable routes health check
 	DisableHealthCheckStatus bool `yaml:"disableHealthCheckStatus"`
 	// DisableRouteHealthCheckError allows enabling and disabling backend healthcheck errors