Fixed: parameter false check for specific matching types.

dave83649 · dave83649 · commit 7599c7aa0633 · 2023-02-03T16:26:27.000+01:00
Fixed: padding in readme.md for JSON rules.
Added: additional firewall rule in examples.
diff --git a/README.md b/README.md
@@ -100,8 +100,8 @@ Check if an array ($_POST['usernames'][]) contains any values from given array.
         "match":{
             "type":"array_in_array",
             "value":[
-            "test",
-            "admin"
+                "test",
+                "admin"
             ]
         }
     }
@@ -116,7 +116,7 @@ Check if a value ($_GET['user']) is not in an array
         "match":{
             "type":"not_in_array",
             "value":[
-            "admin"
+                "admin"
             ]
         }
     }
@@ -203,8 +203,8 @@ Check if $_POST['payload'] contains a base64(json()) encoded payload with user_r
             "type":"array_key_value",
             "key":"user_role",
             "match":{
-            "type":"equals",
-            "value":"administrator"
+                "type":"equals",
+                "value":"administrator"
             }
         }
     }
@@ -218,24 +218,24 @@ Check if $_GET['action'] or $_POST['action'] contains a value part of an array o
         "parameter":"rules",
         "rules":[
             {
-            "parameter":"get.action",
-            "match":{
-                "type":"in_array",
-                "value":[
-                    "restaurant_system_customize_button",
-                    "restaurant_system_insert_dialog"
-                ]
-            }
+                "parameter":"get.action",
+                "match":{
+                    "type":"in_array",
+                    "value":[
+                        "restaurant_system_customize_button",
+                        "restaurant_system_insert_dialog"
+                    ]
+                }
             },
             {
-            "parameter":"post.action",
-            "match":{
-                "type":"in_array",
-                "value":[
-                    "restaurant_system_customize_button",
-                    "restaurant_system_insert_dialog"
-                ]
-            }
+                "parameter":"post.action",
+                "match":{
+                    "type":"in_array",
+                    "value":[
+                        "restaurant_system_customize_button",
+                        "restaurant_system_insert_dialog"
+                    ]
+                }
             }
         ],
         "inclusive":true
@@ -260,7 +260,7 @@ Note that the server.ip parameter is a special computed property and retrieves t
         "match":{
             "type":"in_array",
             "value":[
-            "127.0.0.1"
+                "127.0.0.1"
             ]
         }
     }
@@ -291,10 +291,33 @@ Check if an uploaded file ($_FILES['img']) contains the PHP opening tag in the c
         "match":{
             "type":"file_contains",
             "match":{
-            "type":"contains",
-            "value":"<?php"
+                "type":"contains",
+                "value":"<?php"
             }
         }
     }
 ]
+```
+
+Check if the swp_debug parameter is set to load_options and the current user is not an administrator.
+https://patchstack.com/database/vulnerability/social-warfare/wordpress-social-warfare-plugin-3-5-2-unauthenticated-remote-code-execution-rce-vulnerability
+```json
+[
+    {
+        "parameter":"get.swp_debug",
+        "match":{
+            "type":"equals",
+            "value":"load_options"
+        },
+        "inclusive":true
+    },
+    {
+        "parameter":false,
+        "match":{
+            "type":"current_user_cannot",
+            "value":"administrator"
+        },
+        "inclusive":true
+    }
+]
 ```
diff --git a/src/Processor.php b/src/Processor.php
@@ -132,7 +132,7 @@ public function launch($mustExit = true)
             return true;
         }
 
-        // Determine if we have a valid configuration passed.
+        // Determine if the firewall and whitelist rules were parsed properly.
         if (!is_array($this->firewallRules) || !is_array($this->whitelistRules)) {
             return true;
         }
@@ -220,7 +220,7 @@ public function executeFirewall($rules)
 
             // Extract the value of the paramater that we want.
             $value = $this->request->getParameterValue($rule['parameter']);
-            if (is_null($value)) {
+            if (is_null($value) && $rule['parameter'] !== false) {
                 continue;
             }
 
diff --git a/tests/data/Rules.json b/tests/data/Rules.json
@@ -126,5 +126,13 @@
         "cat":"TEST",
         "type":"BLOCK",
         "type_params":null
+    },
+    {
+        "id":17,
+        "title":"Block Social Warfare Vulnerability",
+        "rules":[{"parameter":"get.swp_debug","match":{"type":"equals","value":"load_options"},"inclusive":true},{"parameter":false,"match":{"type":"current_user_cannot","value":"administrator"},"inclusive":true}],
+        "cat":"TEST",
+        "type":"BLOCK",
+        "type_params":null
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ public function launch($mustExit = true)`
`132`	`132`	`return true;`
`133`	`133`	`}`
`134`	`134`
`135`		`- // Determine if we have a valid configuration passed.`
	`135`	`+ // Determine if the firewall and whitelist rules were parsed properly.`
`136`	`136`	`if (!is_array($this->firewallRules) \|\| !is_array($this->whitelistRules)) {`
`137`	`137`	`return true;`
`138`	`138`	`}`
`@@ -220,7 +220,7 @@ public function executeFirewall($rules)`
`220`	`220`
`221`	`221`	`// Extract the value of the paramater that we want.`
`222`	`222`	`$value = $this->request->getParameterValue($rule['parameter']);`
`223`		`- if (is_null($value)) {`
	`223`	`+ if (is_null($value) && $rule['parameter'] !== false) {`
`224`	`224`	`continue;`
`225`	`225`	`}`
`226`	`226`
Original file line number	Diff line number	Diff line change
`@@ -126,5 +126,13 @@`
`126`	`126`	`"cat":"TEST",`
`127`	`127`	`"type":"BLOCK",`
`128`	`128`	`"type_params":null`
	`129`	`+ },`
	`130`	`+ {`
	`131`	`+ "id":17,`
	`132`	`+ "title":"Block Social Warfare Vulnerability",`
	`133`	`+ "rules":[{"parameter":"get.swp_debug","match":{"type":"equals","value":"load_options"},"inclusive":true},{"parameter":false,"match":{"type":"current_user_cannot","value":"administrator"},"inclusive":true}],`
	`134`	`+ "cat":"TEST",`
	`135`	`+ "type":"BLOCK",`
	`136`	`+ "type_params":null`
`129`	`137`	`}`
`130`	`138`	`]`