mirror of
https://gitee.com/samwaf/SamWaf.git
synced 2025-12-06 06:58:54 +08:00
samwaf
@@ -22,25 +22,36 @@ func (waf *WafEngine) CheckAllowURL(r *http.Request, weblogbean innerbean.WebLog
|
||||
Title: "",
|
||||
Content: "",
|
||||
}
|
||||
|
||||
// 将请求URL转为小写,用于不区分大小写的比较
|
||||
lowerURL := strings.ToLower(weblogbean.URL)
|
||||
|
||||
//url白名单策略(局部)
|
||||
if hostTarget.UrlWhiteLists != nil {
|
||||
for i := 0; i < len(hostTarget.UrlWhiteLists); i++ {
|
||||
if (hostTarget.UrlWhiteLists[i].CompareType == "等于" && hostTarget.UrlWhiteLists[i].Url == weblogbean.URL) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "前缀匹配" && strings.HasPrefix(weblogbean.URL, hostTarget.UrlWhiteLists[i].Url)) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "后缀匹配" && strings.HasSuffix(weblogbean.URL, hostTarget.UrlWhiteLists[i].Url)) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "包含匹配" && strings.Contains(weblogbean.URL, hostTarget.UrlWhiteLists[i].Url)) {
|
||||
// 将规则URL也转为小写
|
||||
lowerRuleURL := strings.ToLower(hostTarget.UrlWhiteLists[i].Url)
|
||||
|
||||
if (hostTarget.UrlWhiteLists[i].CompareType == "等于" && lowerRuleURL == lowerURL) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "前缀匹配" && strings.HasPrefix(lowerURL, lowerRuleURL)) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "后缀匹配" && strings.HasSuffix(lowerURL, lowerRuleURL)) ||
|
||||
(hostTarget.UrlWhiteLists[i].CompareType == "包含匹配" && strings.Contains(lowerURL, lowerRuleURL)) {
|
||||
result.JumpGuardResult = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//url白名单策略(全局)
|
||||
if waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].Host.GUARD_STATUS == 1 && waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists != nil {
|
||||
for i := 0; i < len(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists); i++ {
|
||||
if (waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "等于" && waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].Url == weblogbean.URL) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "前缀匹配" && strings.HasPrefix(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].Url)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "后缀匹配" && strings.HasSuffix(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].Url)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "包含匹配" && strings.Contains(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].Url)) {
|
||||
// 将全局规则URL也转为小写
|
||||
lowerGlobalRuleURL := strings.ToLower(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].Url)
|
||||
|
||||
if (waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "等于" && lowerGlobalRuleURL == lowerURL) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "前缀匹配" && strings.HasPrefix(lowerURL, lowerGlobalRuleURL)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "后缀匹配" && strings.HasSuffix(lowerURL, lowerGlobalRuleURL)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlWhiteLists[i].CompareType == "包含匹配" && strings.Contains(lowerURL, lowerGlobalRuleURL)) {
|
||||
result.JumpGuardResult = true
|
||||
break
|
||||
}
|
||||
|
||||
207
wafenginecore/checkallowurl_test.go
Normal file
207
wafenginecore/checkallowurl_test.go
Normal file
@@ -0,0 +1,207 @@
|
||||
package wafenginecore
|
||||
|
||||
import (
|
||||
"SamWaf/common/zlog"
|
||||
"SamWaf/global"
|
||||
"SamWaf/innerbean"
|
||||
"SamWaf/model"
|
||||
"SamWaf/model/detection"
|
||||
"SamWaf/model/wafenginmodel"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCheckAllowURL(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
//初始化日志
|
||||
zlog.InitZLog(global.GWAF_RELEASE)
|
||||
// 初始化 WAF 引擎
|
||||
waf := &WafEngine{
|
||||
HostTarget: make(map[string]*wafenginmodel.HostSafe),
|
||||
}
|
||||
|
||||
// 设置全局主机
|
||||
global.GWAF_GLOBAL_HOST_NAME = "全局网站"
|
||||
waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME] = &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1, // 启用防护
|
||||
},
|
||||
UrlWhiteLists: []model.URLAllowList{
|
||||
{
|
||||
CompareType: "等于",
|
||||
Url: "/public",
|
||||
},
|
||||
{
|
||||
CompareType: "前缀匹配",
|
||||
Url: "/static/",
|
||||
},
|
||||
{
|
||||
CompareType: "后缀匹配",
|
||||
Url: ".css",
|
||||
},
|
||||
{
|
||||
CompareType: "包含匹配",
|
||||
Url: "assets",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// 创建本地主机配置
|
||||
localHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1, // 启用防护
|
||||
},
|
||||
UrlWhiteLists: []model.URLAllowList{
|
||||
{
|
||||
CompareType: "等于",
|
||||
Url: "/local/public",
|
||||
},
|
||||
{
|
||||
CompareType: "前缀匹配",
|
||||
Url: "/local/static/",
|
||||
},
|
||||
{
|
||||
CompareType: "后缀匹配",
|
||||
Url: ".js",
|
||||
},
|
||||
{
|
||||
CompareType: "包含匹配",
|
||||
Url: "resources",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// 测试用例
|
||||
testCases := []struct {
|
||||
name string
|
||||
url string
|
||||
expectedJumpGuard bool
|
||||
isGlobalRule bool
|
||||
}{
|
||||
// 本地规则测试 - 大小写匹配
|
||||
{
|
||||
name: "本地规则 - 等于匹配 (大小写相同)",
|
||||
url: "/local/public",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 等于匹配 (大小写不同)",
|
||||
url: "/LOCAL/PUBLIC",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 前缀匹配 (大小写不同)",
|
||||
url: "/LOCAL/STATIC/image.png",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 后缀匹配 (大小写不同)",
|
||||
url: "/script.JS",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 包含匹配 (大小写不同)",
|
||||
url: "/get-RESOURCES-data",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
|
||||
// 全局规则测试
|
||||
{
|
||||
name: "全局规则 - 等于匹配 (大小写不同)",
|
||||
url: "/PUBLIC",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 前缀匹配 (大小写不同)",
|
||||
url: "/STATIC/style.css",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 后缀匹配 (大小写不同)",
|
||||
url: "/style.CSS",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 包含匹配 (大小写不同)",
|
||||
url: "/get-ASSETS-data",
|
||||
expectedJumpGuard: true,
|
||||
isGlobalRule: true,
|
||||
},
|
||||
|
||||
// 不匹配的测试
|
||||
{
|
||||
name: "不匹配任何规则",
|
||||
url: "/restricted/page",
|
||||
expectedJumpGuard: false,
|
||||
isGlobalRule: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
tc := tc // 防止闭包问题
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
// 创建请求和WebLog
|
||||
req, _ := http.NewRequest("GET", "http://example.com"+tc.url, nil)
|
||||
weblog := innerbean.WebLog{
|
||||
URL: tc.url,
|
||||
}
|
||||
|
||||
// 创建空的表单值
|
||||
formValues := url.Values{}
|
||||
|
||||
// 调用测试函数
|
||||
var result detection.Result
|
||||
if tc.isGlobalRule {
|
||||
// 测试全局规则 - 使用空的本地主机配置,确保只测试全局规则
|
||||
emptyLocalHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1,
|
||||
},
|
||||
// 不设置任何URL白名单
|
||||
}
|
||||
result = waf.CheckAllowURL(req, weblog, formValues, emptyLocalHost, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME])
|
||||
} else {
|
||||
// 测试本地规则 - 使用禁用的全局主机配置,确保只测试本地规则
|
||||
disabledGlobalHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 0, // 禁用全局防护
|
||||
},
|
||||
}
|
||||
result = waf.CheckAllowURL(req, weblog, formValues, localHost, disabledGlobalHost)
|
||||
}
|
||||
|
||||
// 验证结果
|
||||
if result.JumpGuardResult != tc.expectedJumpGuard {
|
||||
t.Errorf("期望跳过防护状态为 %v,但得到 %v", tc.expectedJumpGuard, result.JumpGuardResult)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// 添加组合测试 - 同时测试本地规则和全局规则
|
||||
t.Run("组合测试 - 本地规则和全局规则", func(t *testing.T) {
|
||||
// 创建一个既匹配本地规则又匹配全局规则的URL
|
||||
url := "/local/static/assets/style.css"
|
||||
req, _ := http.NewRequest("GET", "http://example.com"+url, nil)
|
||||
weblog := innerbean.WebLog{
|
||||
URL: url,
|
||||
}
|
||||
|
||||
// 调用测试函数
|
||||
result := waf.CheckAllowURL(req, weblog, nil, localHost, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME])
|
||||
|
||||
// 验证结果 - 应该匹配本地规则或全局规则,导致跳过防护
|
||||
if !result.JumpGuardResult {
|
||||
t.Errorf("期望跳过防护状态为 true,但得到 false")
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -22,13 +22,20 @@ func (waf *WafEngine) CheckDenyURL(r *http.Request, weblogbean *innerbean.WebLog
|
||||
Title: "",
|
||||
Content: "",
|
||||
}
|
||||
//url黑名单策略-(局部) (待优化性能)
|
||||
|
||||
// 将请求URL转为小写,用于不区分大小写的比较
|
||||
lowerURL := strings.ToLower(weblogbean.URL)
|
||||
|
||||
//url黑名单策略-(局部)
|
||||
if hostTarget.UrlBlockLists != nil {
|
||||
for i := 0; i < len(hostTarget.UrlBlockLists); i++ {
|
||||
if (hostTarget.UrlBlockLists[i].CompareType == "等于" && hostTarget.UrlBlockLists[i].Url == weblogbean.URL) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "前缀匹配" && strings.HasPrefix(weblogbean.URL, hostTarget.UrlBlockLists[i].Url)) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "后缀匹配" && strings.HasSuffix(weblogbean.URL, hostTarget.UrlBlockLists[i].Url)) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "包含匹配" && strings.Contains(weblogbean.URL, hostTarget.UrlBlockLists[i].Url)) {
|
||||
// 将规则URL也转为小写
|
||||
lowerRuleURL := strings.ToLower(hostTarget.UrlBlockLists[i].Url)
|
||||
|
||||
if (hostTarget.UrlBlockLists[i].CompareType == "等于" && lowerRuleURL == lowerURL) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "前缀匹配" && strings.HasPrefix(lowerURL, lowerRuleURL)) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "后缀匹配" && strings.HasSuffix(lowerURL, lowerRuleURL)) ||
|
||||
(hostTarget.UrlBlockLists[i].CompareType == "包含匹配" && strings.Contains(lowerURL, lowerRuleURL)) {
|
||||
weblogbean.RISK_LEVEL = 1
|
||||
result.IsBlock = true
|
||||
result.Title = "URL黑名单"
|
||||
@@ -37,13 +44,17 @@ func (waf *WafEngine) CheckDenyURL(r *http.Request, weblogbean *innerbean.WebLog
|
||||
}
|
||||
}
|
||||
}
|
||||
//url黑名单策略-(全局) (待优化性能)
|
||||
|
||||
//url黑名单策略-(全局)
|
||||
if waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].Host.GUARD_STATUS == 1 && waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists != nil {
|
||||
for i := 0; i < len(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists); i++ {
|
||||
if (waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "等于" && waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].Url == weblogbean.URL) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "前缀匹配" && strings.HasPrefix(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].Url)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "后缀匹配" && strings.HasSuffix(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].Url)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "包含匹配" && strings.Contains(weblogbean.URL, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].Url)) {
|
||||
// 将全局规则URL也转为小写
|
||||
lowerGlobalRuleURL := strings.ToLower(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].Url)
|
||||
|
||||
if (waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "等于" && lowerGlobalRuleURL == lowerURL) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "前缀匹配" && strings.HasPrefix(lowerURL, lowerGlobalRuleURL)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "后缀匹配" && strings.HasSuffix(lowerURL, lowerGlobalRuleURL)) ||
|
||||
(waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME].UrlBlockLists[i].CompareType == "包含匹配" && strings.Contains(lowerURL, lowerGlobalRuleURL)) {
|
||||
weblogbean.RISK_LEVEL = 1
|
||||
result.IsBlock = true
|
||||
result.Title = "【全局】URL黑名单"
|
||||
|
||||
226
wafenginecore/checkdenyurl_test.go
Normal file
226
wafenginecore/checkdenyurl_test.go
Normal file
@@ -0,0 +1,226 @@
|
||||
package wafenginecore
|
||||
|
||||
import (
|
||||
"SamWaf/common/zlog"
|
||||
"SamWaf/global"
|
||||
"SamWaf/innerbean"
|
||||
"SamWaf/model"
|
||||
"SamWaf/model/detection"
|
||||
"SamWaf/model/wafenginmodel"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestCheckDenyURL(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
//初始化日志
|
||||
zlog.InitZLog(global.GWAF_RELEASE)
|
||||
// 初始化 WAF 引擎
|
||||
waf := &WafEngine{
|
||||
HostTarget: make(map[string]*wafenginmodel.HostSafe),
|
||||
}
|
||||
|
||||
// 设置全局主机
|
||||
global.GWAF_GLOBAL_HOST_NAME = "全局网站"
|
||||
waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME] = &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1, // 启用防护
|
||||
},
|
||||
UrlBlockLists: []model.URLBlockList{
|
||||
{
|
||||
CompareType: "等于",
|
||||
Url: "/admin",
|
||||
},
|
||||
{
|
||||
CompareType: "前缀匹配",
|
||||
Url: "/api/v1",
|
||||
},
|
||||
{
|
||||
CompareType: "后缀匹配",
|
||||
Url: ".php",
|
||||
},
|
||||
{
|
||||
CompareType: "包含匹配",
|
||||
Url: "password",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// 创建本地主机配置
|
||||
localHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1, // 启用防护
|
||||
},
|
||||
UrlBlockLists: []model.URLBlockList{
|
||||
{
|
||||
CompareType: "等于",
|
||||
Url: "/local/admin",
|
||||
},
|
||||
{
|
||||
CompareType: "前缀匹配",
|
||||
Url: "/local/api",
|
||||
},
|
||||
{
|
||||
CompareType: "后缀匹配",
|
||||
Url: ".aspx",
|
||||
},
|
||||
{
|
||||
CompareType: "包含匹配",
|
||||
Url: "secret",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// 测试用例
|
||||
testCases := []struct {
|
||||
name string
|
||||
url string
|
||||
expectedBlock bool
|
||||
expectedTitle string
|
||||
isGlobalRule bool
|
||||
}{
|
||||
// 本地规则测试 - 大小写匹配
|
||||
{
|
||||
name: "本地规则 - 等于匹配 (大小写相同)",
|
||||
url: "/local/admin",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "URL黑名单",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 等于匹配 (大小写不同)",
|
||||
url: "/LOCAL/ADMIN",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "URL黑名单",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 前缀匹配 (大小写不同)",
|
||||
url: "/LOCAL/API/users",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "URL黑名单",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 后缀匹配 (大小写不同)",
|
||||
url: "/page.ASPX",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "URL黑名单",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
{
|
||||
name: "本地规则 - 包含匹配 (大小写不同)",
|
||||
url: "/get-SECRET-data",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "URL黑名单",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
|
||||
// 全局规则测试
|
||||
{
|
||||
name: "全局规则 - 等于匹配 (大小写不同)",
|
||||
url: "/ADMIN",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "【全局】URL黑名单",
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 前缀匹配 (大小写不同)",
|
||||
url: "/API/v1/users",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "【全局】URL黑名单",
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 后缀匹配 (大小写不同)",
|
||||
url: "/script.PHP",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "【全局】URL黑名单",
|
||||
isGlobalRule: true,
|
||||
},
|
||||
{
|
||||
name: "全局规则 - 包含匹配 (大小写不同)",
|
||||
url: "/reset-PASSWORD",
|
||||
expectedBlock: true,
|
||||
expectedTitle: "【全局】URL黑名单",
|
||||
isGlobalRule: true,
|
||||
},
|
||||
|
||||
// 不匹配的测试
|
||||
{
|
||||
name: "不匹配任何规则",
|
||||
url: "/normal/page",
|
||||
expectedBlock: false,
|
||||
expectedTitle: "",
|
||||
isGlobalRule: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
tc := tc // 防止闭包问题
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
// 创建请求和WebLog
|
||||
req, _ := http.NewRequest("GET", "http://example.com"+tc.url, nil)
|
||||
weblog := &innerbean.WebLog{
|
||||
URL: tc.url,
|
||||
}
|
||||
|
||||
// 创建空的表单值
|
||||
formValues := url.Values{}
|
||||
|
||||
// 调用测试函数
|
||||
var result detection.Result
|
||||
if tc.isGlobalRule {
|
||||
// 测试全局规则 - 使用空的本地主机配置,确保只测试全局规则
|
||||
emptyLocalHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 1,
|
||||
},
|
||||
// 不设置任何URL黑名单
|
||||
}
|
||||
result = waf.CheckDenyURL(req, weblog, formValues, emptyLocalHost, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME])
|
||||
} else {
|
||||
// 测试本地规则 - 使用禁用的全局主机配置,确保只测试本地规则
|
||||
disabledGlobalHost := &wafenginmodel.HostSafe{
|
||||
Host: model.Hosts{
|
||||
GUARD_STATUS: 0, // 禁用全局防护
|
||||
},
|
||||
}
|
||||
result = waf.CheckDenyURL(req, weblog, formValues, localHost, disabledGlobalHost)
|
||||
}
|
||||
|
||||
// 验证结果
|
||||
if result.IsBlock != tc.expectedBlock {
|
||||
t.Errorf("期望阻止状态为 %v,但得到 %v", tc.expectedBlock, result.IsBlock)
|
||||
}
|
||||
|
||||
if tc.expectedBlock && result.Title != tc.expectedTitle {
|
||||
t.Errorf("期望标题为 %s,但得到 %s", tc.expectedTitle, result.Title)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// 添加组合测试 - 同时测试本地规则和全局规则
|
||||
t.Run("组合测试 - 本地规则和全局规则", func(t *testing.T) {
|
||||
// 创建一个既匹配本地规则又匹配全局规则的URL
|
||||
url := "/local/api/password"
|
||||
req, _ := http.NewRequest("GET", "http://example.com"+url, nil)
|
||||
weblog := &innerbean.WebLog{
|
||||
URL: url,
|
||||
}
|
||||
|
||||
// 调用测试函数
|
||||
result := waf.CheckDenyURL(req, weblog, nil, localHost, waf.HostTarget[global.GWAF_GLOBAL_HOST_NAME])
|
||||
|
||||
// 验证结果 - 应该匹配本地规则(因为本地规则优先)
|
||||
if !result.IsBlock {
|
||||
t.Errorf("期望阻止状态为 true,但得到 false")
|
||||
}
|
||||
|
||||
if result.Title != "URL黑名单" {
|
||||
t.Errorf("期望标题为 URL黑名单,但得到 %s", result.Title)
|
||||
}
|
||||
})
|
||||
}
|
||||
Reference in New Issue
Block a user