Added: ability to match against wildcards in parameter name.

dave83649 · dave83649 · commit 2363cb9fac16 · 2023-05-26T15:40:29.000+02:00
Added: test for ctype_special and wildcard parameter name matching.
diff --git a/src/Processor.php b/src/Processor.php
@@ -147,11 +147,14 @@ public function launch($mustExit = true)
             return true;
         }
 
-        // Determine if the current request is whitelisted or not (role based).
+        // Determine if the current request is whitelisted or not.
         $isWhitelisted = !$this->mustUsePluginCall && $this->extension->canBypass();
 
-        // Merge the rules together. First iterate through the whitelist rules.
+        // Merge the rules together. First iterate through the whitelist rules because
+        // we want to whitelist the request if there's a whitelist rule match.
         $rules = array_merge($this->whitelistRules, $this->firewallRules);
+
+        // Iterate through all the firewall rules.
         foreach ($rules as $rule) {
             // Should never happen.
             if (!isset($rule['rules']) || empty($rule['rules'])) {
@@ -230,36 +233,44 @@ public function executeFirewall($rules)
             }
 
             // Extract the value of the paramater that we want.
-            $value = $this->request->getParameterValue($rule['parameter']);
-            if (is_null($value) && $rule['parameter'] !== false && $rule['parameter'] != 'rules') {
+            $values = $this->request->getParameterValues($rule['parameter']);
+            if (is_null($values) && $rule['parameter'] !== false && $rule['parameter'] != 'rules') {
                 continue;
             }
 
-            // Apply mutations, if any.
-            if (isset($rule['mutations']) && is_array($rule['mutations'])) {
-                $value = $this->request->applyMutation($rule['mutations'], $value);
-                if (is_null($value)) {
-                    continue;
-                }
+            // For special parameter values we just set the array to a single null value.
+            if ($rule['parameter'] === false || $rule['parameter'] == 'rules') {
+                $values = [null];
             }
 
-            // Perform the matching.
-            if (isset($rule['match']) && is_array($rule['match']) || isset($rule['rules'])) {
-
-                // Do we have to process child-rules?
-                if (isset($rule['rules'])) {
-                    $match = $this->executeFirewall($rule['rules']);
-                } else {
-                    $match = $this->matchParameterValue($rule['match'], $value);
+            // For all field matches, we want to execute the rule against it.
+            foreach ($values as $value) {
+                // Apply mutations, if any.
+                if (isset($rule['mutations']) && is_array($rule['mutations'])) {
+                    $value = $this->request->applyMutation($rule['mutations'], $value);
+                    if (is_null($value)) {
+                        continue;
+                    }
                 }
 
-                // Is the rule a match?
-                if ($match) {
-                    // In case there are multiple rules, they may require chained AND conditions.
-                    if ($inclusiveCount <= 1 || !isset($rule['inclusive']) || $rule['inclusive'] !== true) {
-                        return true;
+                // Perform the matching.
+                if (isset($rule['match']) && is_array($rule['match']) || isset($rule['rules'])) {
+
+                    // Do we have to process child-rules?
+                    if (isset($rule['rules'])) {
+                        $match = $this->executeFirewall($rule['rules']);
                     } else {
-                        $inclusiveHits++;
+                        $match = $this->matchParameterValue($rule['match'], $value);
+                    }
+
+                    // Is the rule a match?
+                    if ($match) {
+                        // In case there are multiple rules, they may require chained AND conditions.
+                        if ($inclusiveCount <= 1 || !isset($rule['inclusive']) || $rule['inclusive'] !== true) {
+                            return true;
+                        } else {
+                            $inclusiveHits++;
+                        }
                     }
                 }
             }
@@ -387,8 +398,13 @@ public function matchParameterValue($match, $value)
 
         // If a specific parameter key matches a sub-match condition.
         if ($matchType == 'array_key_value' && isset($match['key'], $match['match'])) {
-            $value = $this->request->getParameterValue($match['key'], $value);
-            return $this->matchParameterValue($match['match'], $value);
+            $values = $this->request->getParameterValues($match['key'], $value);
+            foreach ($values as $value) {
+                if ($this->matchParameterValue($match['match'], $value)) {
+                    return true;
+                }
+            }
+            return false;
         }
 
         // If the user provided value does not match the current hostname.
diff --git a/src/Request.php b/src/Request.php
@@ -37,9 +37,9 @@ public function __construct($options, ExtensionInterface $extension)
      * 
      * @param mixed $parameter
      * @param array $data
-     * @return mixed|null
+     * @return mixed
      */
-    public function getParameterValue($parameter, $data = [])
+    public function getParameterValues($parameter, $data = [])
     {
         // For when a rule contains sub-rules.
         if (empty($parameter) || ctype_digit($parameter)) {
@@ -60,7 +60,7 @@ public function getParameterValue($parameter, $data = [])
                     'post' => $_POST,
                     'get' => $_GET,
                     'url' => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '',
-                    'raw' => ['raw' => $this->getParameterValue('raw')]
+                    'raw' => ['raw' => $this->getParameterValues('raw')]
                 ];
                 break;
             case 'post':
@@ -109,7 +109,7 @@ public function getParameterValue($parameter, $data = [])
 
                 // If it's not an array, no need to continue.
                 if (!is_array($data)) {
-                    return $data;
+                    return [$data];
                 }
             default:
                 break;
@@ -122,12 +122,20 @@ public function getParameterValue($parameter, $data = [])
 
         // Special condition for the IP address.
         if ($type === 'server' && $t[0] === 'ip') {
-            return $this->extension->getIpAddress();
+            return [$this->extension->getIpAddress()];
+        }
+
+        // For wildcard matching we handle it a bit differently.
+        // We want to extract all wildcard matches and pass them as an array so we
+        // can execute a firewall rule against all the fields that match.
+        if (strpos($parameter, '*') !== false) {
+            $values = $this->getValuesByWildcard($data, $parameter);
+            return count($values) == 0 ? null : $values;
         }
 
         // Just one parameter we have to match against.
         if (count($t) === 1) {
-            return isset($data[$t[0]]) ? $data[$t[0]] : null;
+            return isset($data[$t[0]]) ? [$data[$t[0]]] : null;
         }
 
         // For multidimensional arrays.
@@ -141,7 +149,7 @@ public function getParameterValue($parameter, $data = [])
             $end = $end[ $var ];
         }
 
-        return $skip ? null : $end;
+        return $skip ? null : [$end];
     }
 
    /**
@@ -219,6 +227,52 @@ public function applyMutation($mutations, $value)
         return $value;
     }
 
+    /**
+     * Given an array, get all parameters which match a certain wildcard.
+     * 
+     * @param array $data
+     * @param string $parameter
+     * @return array
+     */
+    public function getValuesByWildcard($data, $parameter)
+    {
+        // First we want to get the furthest possible down.
+        $t = explode('.', $parameter);
+        array_shift($t);
+        $end  = $data;
+        $wildcard = '';
+        foreach ( $t as $var ) {
+            
+            // We hit the wildcard.
+            if (strpos($var, '*') !== false) {
+                $wildcard = str_replace('*', '', $var);
+                break;
+            }
+            
+            // We're not at the end and there's no wildcard.
+            if (!isset( $end[ $var ] ) && strpos($var, '*') === false) {
+                return [];
+            }
+
+            $end = $end[ $var ];
+        }
+        
+        // No need to continue if there is nothing to match.
+        if (!is_array($end) || count($end) == 0) {
+            return [];
+        }
+
+        // Based on the data that is left, find the wildcard matches.
+        $return = [];
+        foreach ($end as $key => $value) {
+            if (stripos($key, $wildcard) !== false) {
+                $return[] = $value;
+            }
+        }
+        
+        return $return;
+    }
+
     /**
      * Given an array, multi-dimensional or not, extract all of its values.
      * 
diff --git a/tests/FirewallTest.php b/tests/FirewallTest.php
@@ -245,5 +245,57 @@ public function testRules()
         );
         $this->assertFalse($this->processor->launch(false));
         $this->alterPayload();
+
+        // Determine if a POST parameter is not a ctype_alnum.
+        $this->setUpFirewallProcessor([$this->rules[17]]);
+        $this->alterPayload(
+            ['POST' => [
+            'value' => 'something_-0-9 '
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[17]]);
+        $this->alterPayload(
+            ['POST' => [
+            'value' => 'sleep(5), id'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
+//post.user.role.type*
+        // Determine if a POST parameter (using wildcard) contains a certain character.
+        $this->setUpFirewallProcessor([$this->rules[18]]);
+        $this->alterPayload(
+            ['POST' => [
+            'user' => [
+                'test' => 'test',
+                'role' => [
+                    'test' => 'test',
+                    'type1' => 'subscriber',
+                    'type2' => 'editor'
+                ]
+            ]
+            ]]
+        );
+        $this->assertTrue($this->processor->launch(false));
+        $this->alterPayload();
+
+        $this->setUpFirewallProcessor([$this->rules[18]]);
+        $this->alterPayload(
+            ['POST' => [
+            'user' => [
+                'test' => 'test',
+                'role' => [
+                    'test' => 'test',
+                    'type1' => 'editor',
+                    'type5' => 'administrator'
+                ]
+            ]
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+        $this->alterPayload();
     }
 }
diff --git a/tests/data/Rules.json b/tests/data/Rules.json
@@ -134,5 +134,21 @@
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
+    },
+    {
+        "id":18,
+        "title":"Determine if a POST parameter is a ctype_special.",
+        "rules":[{"parameter":"post.value","match":{"type":"ctype_special","value":false}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
+    },
+    {
+        "id":19,
+        "title":"Determine if a POST parameter (using wildcard) contains a certain character.",
+        "rules":[{"parameter":"post.user.role.type*","match":{"type":"contains","value":"administrator"}}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
     }
 ]
