[waf]POST验证通过后跳转到表单提交前的页面

Author: iwind

teatesting/server.go

@@ -120,7 +120,7 @@ func StartTestServer() {
 
 		}).
 		Get("/cookie", func(req *http.Request, resp http.ResponseWriter) {
-			resp.Header().Add("Set-Cookie", "Asset_UserId=1; expires=Sun, 05-May-2019 14:42:21 GMT; path=/", )
+			resp.Header().Add("Set-Cookie", "Asset_UserId=1; expires=Sun, 05-May-2019 14:42:21 GMT; path=/")
 			_, _ = resp.Write([]byte("set cookie"))
 		}).
 		GetPost("/json", func(req *http.Request, resp http.ResponseWriter) {
@@ -146,6 +146,14 @@ func StartTestServer() {
 				_, _ = resp.Write(data)
 			}
 		}).
+		Post("/post", func(req *http.Request, resp http.ResponseWriter) {
+			data, err := httputil.DumpRequest(req, true)
+			if err != nil {
+				_, _ = resp.Write([]byte(err.Error()))
+				return
+			}
+			_, _ = resp.Write(data)
+		}).
 		Put("/put", func(req *http.Request, resp http.ResponseWriter) {
 			data, err := httputil.DumpRequest(req, true)
 			if err != nil {
@@ -174,6 +182,12 @@ func StartTestServer() {
 </head>
 <body>
 <strong>THIS IS HTML BODY</strong>
+
+<form action="/post" method="post">
+	<input type="text" name="name"/>
+	<button type="submit">Submit</button>
+</form>
+
 </body>
 </html>
 `))

teawaf/action_captcha.go

@@ -1,15 +1,11 @@
 package teawaf
 
 import (
-	"bytes"
-	"encoding/base64"
-	"fmt"
 	"github.com/TeaWeb/code/teawaf/requests"
-	"github.com/dchest/captcha"
-	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/types"
 	stringutil "github.com/iwind/TeaGo/utils/string"
 	"net/http"
+	"net/url"
 	"time"
 )
 
@@ -33,56 +29,11 @@ func (this *CaptchaAction) Perform(waf *WAF, request *requests.Request, writer h
 		}
 	}
 
-	// verify
-	if request.Method == http.MethodPost {
-		captchaId := request.FormValue("TEAWEB_WAF_CAPTCHA_ID")
-		if len(captchaId) > 0 {
-			captchaCode := request.FormValue("TEAWEB_WAF_CAPTCHA_CODE")
-			if captcha.VerifyString(captchaId, captchaCode) {
-				// set cookie
-				timestamp := fmt.Sprintf("%d", time.Now().Unix()+CaptchaSeconds)
-				m := stringutil.Md5(captchaSalt + timestamp)
-				http.SetCookie(writer, &http.Cookie{
-					Name:   "TEAWEB_WAF_CAPTCHA",
-					Value:  m + timestamp,
-					MaxAge: CaptchaSeconds,
-					Path:   "/", // all of dirs
-				})
-
-				http.Redirect(writer, request.Raw(), request.URL.String(), http.StatusTemporaryRedirect)
-
-				return false
-			}
-		}
-	}
-
-	// show captcha
-	captchaId := captcha.NewLen(6)
-	buf := bytes.NewBuffer([]byte{})
-	err = captcha.WriteImage(buf, captchaId, 200, 100)
-	if err != nil {
-		logs.Error(err)
-		return true
+	refURL := request.URL.String()
+	if len(request.Referer()) > 0 {
+		refURL = request.Referer()
 	}
+	http.Redirect(writer, request.Raw(), "/WAFCAPTCHA?url="+url.QueryEscape(refURL), http.StatusTemporaryRedirect)
 
-	_, _ = writer.Write([]byte(`<!DOCTYPE html>
-<html>
-<head>
-	<title>Verify Yourself</title>
-</head>
-<body>
-<form method="POST">
-	<input type="hidden" name="TEAWEB_WAF_CAPTCHA_ID" value="` + captchaId + `"/>
-	<img src="data:image/png;base64, ` + base64.StdEncoding.EncodeToString(buf.Bytes()) + `"/>
-	<div>
-		<p>Input verify code above:</p>
-		<input type="text" name="TEAWEB_WAF_CAPTCHA_CODE" maxlength="6" size="18" autocomplete="off" z-index="1" style="font-size:16px;line-height:24px; letter-spacing: 15px; padding-left: 4px"/>
-	</div>
-	<div>
-		<button type="submit" style="line-height:24px;margin-top:10px">Verify Yourself</button>
-	</div>
-</form>
-</body>
-</html>`))
 	return false
 }

teawaf/captcha_validator.go

@@ -0,0 +1,84 @@
+package teawaf
+
+import (
+	"bytes"
+	"encoding/base64"
+	"fmt"
+	"github.com/TeaWeb/code/teawaf/requests"
+	"github.com/dchest/captcha"
+	"github.com/iwind/TeaGo/logs"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"net/http"
+	"time"
+)
+
+var captchaValidator = &CaptchaValidator{}
+
+type CaptchaValidator struct {
+}
+
+func (this *CaptchaValidator) Run(request *requests.Request, writer http.ResponseWriter) {
+	if request.Method == http.MethodPost && len(request.FormValue("TEAWEB_WAF_CAPTCHA_ID")) > 0 {
+		this.validate(request, writer)
+	} else {
+		this.show(request, writer)
+	}
+}
+
+func (this *CaptchaValidator) show(request *requests.Request, writer http.ResponseWriter) {
+	// show captcha
+	captchaId := captcha.NewLen(6)
+	buf := bytes.NewBuffer([]byte{})
+	err := captcha.WriteImage(buf, captchaId, 200, 100)
+	if err != nil {
+		logs.Error(err)
+		return
+	}
+
+	_, _ = writer.Write([]byte(`<!DOCTYPE html>
+<html>
+<head>
+	<title>Verify Yourself</title>
+</head>
+<body>
+<form method="POST">
+	<input type="hidden" name="TEAWEB_WAF_CAPTCHA_ID" value="` + captchaId + `"/>
+	<img src="data:image/png;base64, ` + base64.StdEncoding.EncodeToString(buf.Bytes()) + `"/>` + `
+	<div>
+		<p>Input verify code above:</p>
+		<input type="text" name="TEAWEB_WAF_CAPTCHA_CODE" maxlength="6" size="18" autocomplete="off" z-index="1" style="font-size:16px;line-height:24px; letter-spacing: 15px; padding-left: 4px"/>
+	</div>
+	<div>
+		<button type="submit" onclick="window.location = '/webhook'" style="line-height:24px;margin-top:10px">Verify Yourself</button>
+	</div>
+</form>
+</body>
+</html>`))
+}
+
+func (this *CaptchaValidator) validate(request *requests.Request, writer http.ResponseWriter) (allow bool) {
+	captchaId := request.FormValue("TEAWEB_WAF_CAPTCHA_ID")
+	if len(captchaId) > 0 {
+		captchaCode := request.FormValue("TEAWEB_WAF_CAPTCHA_CODE")
+		if captcha.VerifyString(captchaId, captchaCode) {
+			// set cookie
+			timestamp := fmt.Sprintf("%d", time.Now().Unix()+CaptchaSeconds)
+			m := stringutil.Md5(captchaSalt + timestamp)
+			http.SetCookie(writer, &http.Cookie{
+				Name:   "TEAWEB_WAF_CAPTCHA",
+				Value:  m + timestamp,
+				MaxAge: CaptchaSeconds,
+				Path:   "/", // all of dirs
+			})
+
+			rawURL := request.URL.Query().Get("url")
+			http.Redirect(writer, request.Raw(), rawURL, http.StatusSeeOther)
+
+			return false
+		} else {
+			http.Redirect(writer, request.Raw(), request.URL.String(), http.StatusSeeOther)
+		}
+	}
+
+	return true
+}

teawaf/waf.go

@@ -256,7 +256,16 @@ func (this *WAF) MatchRequest(rawReq *http.Request, writer http.ResponseWriter)
 	if !this.hasInboundRules {
 		return true, nil, nil, nil
 	}
+
 	req := requests.NewRequest(rawReq)
+
+	// validate captcha
+	if rawReq.URL.Path == "/WAFCAPTCHA" {
+		captchaValidator.Run(req, writer)
+		return
+	}
+
+	// match rules
 	for _, group := range this.Inbound {
 		if !group.On {
 			continue