mirror of
https://github.com/ivuorinen/f2b.git
synced 2026-01-26 11:24:00 +00:00
Ismo Vuorinen
70d1cb70fd
* Go rewrite * chore(cr): apply suggestions Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Ismo Vuorinen <ismo@ivuorinen.net> * 📝 CodeRabbit Chat: Add NoOpClient to fail2ban and initialize when skip flag is true * 📝 CodeRabbit Chat: Fix malformed if-else structure and add no-op client for skip-only commands * 📝 CodeRabbit Chat: Fix malformed if-else structure and add no-op client for skip-only commands * fix(main): correct no-op branch syntax (#10) * chore(gitignore): ignore env and binary files (#11) * chore(config): remove indent_size for go files (#12) * feat(cli): inject version via ldflags (#13) * fix(security): validate filter parameter to prevent path traversal (#15) * chore(repo): anchor ignore for build artifacts (#16) * chore(ci): use golangci-lint action (#17) * feat(fail2ban): expose GetLogDir (#19) * test(cmd): improve IP mock validation (#20) * chore(ci): update golanglint * fix(ci): golanglint * fix(ci): correct args indentation in pr-lint workflow (#21) * fix(ci): avoid duplicate releases (#22) * refactor(fail2ban): remove test check from OSRunner (#23) * refactor(fail2ban): make log and filter dirs configurable (#24) * fix(ci): create single release per tag (#14) Signed-off-by: Ismo Vuorinen <ismo@ivuorinen.net> * chore(dev): add codex setup script (#27) * chore(lint): enable staticcheck (#26) * chore(ci): verify golangci config (#28) * refactor(cmd): centralize env config (#29) * chore(dev): add pre-commit config (#30) * fix(ci): disable cgo in cross compile (#31) * fix(ci): fail on formatting issues (#32) * feat(cmd): add context to logs watch (#33) * chore: fixes, roadmap, claude.md, linting * chore: fixes, linting * fix(ci): gh actions update, fixes and tweaks * chore: use reviewdog actionlint * chore: use wow-rp-addons/actions-editorconfig-check * chore: combine agent instructions, add comments, fixes * chore: linting, fixes, go revive * chore(deps): update pre-commit hooks * chore: bump go to 1.21, pin workflows * fix: install tools in lint.yml * fix: sudo timeout * fix: service command injection * fix: memory exhaustion with large logs * fix: enhanced path traversal and file security vulns * fix: race conditions * fix: context support * chore: simplify fail2ban/ code * feat: major refactoring with GoReleaser integration and code consolidation - Add GoReleaser configuration for automated multi-platform releases - Support for Linux, macOS, Windows, and BSD builds - Docker images, Homebrew tap, and Linux packages (.deb, .rpm, .apk) - GitHub Actions workflow for release automation - Consolidate duplicate code and improve architecture - Extract common command helpers to cmd/helpers.go (~230 lines) - Remove duplicate MockClient implementation from tests (~250 lines) - Create context wrapper helpers in fail2ban/context_helpers.go - Standardize error messages in fail2ban/errors.go - Enhance validation and security - Add proper IP address validation with fail2ban.ValidateIP - Fix path traversal and command injection vulnerabilities - Improve thread-safety in MockClient with consistent ordering - Optimize documentation - Reduce CLAUDE.md from 190 to 81 lines (57% reduction) - Reduce TODO.md from 633 to 93 lines (85% reduction) - Move README.md to root directory with installation instructions - Improve test reliability - Fix race conditions and test flakiness - Add sorting to ensure deterministic test output - Enhance MockClient with configurable behavior * feat: comprehensive code quality improvements and documentation reorganization This commit represents a major overhaul of code quality, documentation structure, and development tooling: **Documentation & Structure:** - Move CODE_OF_CONDUCT.md from .github to root directory - Reorganize documentation with dedicated docs/ directory - Create comprehensive architecture, security, and testing documentation - Update all references and cross-links for new documentation structure **Code Quality & Linting:** - Add 120-character line length limit across all files via EditorConfig - Enable comprehensive linting with golines, lll, usetesting, gosec, and revive - Fix all 86 revive linter issues (unused parameters, missing export comments) - Resolve security issues (file permissions 0644 → 0600, gosec warnings) - Replace deprecated os.Setenv with t.Setenv in all tests - Configure golangci-lint with auto-fix capabilities and formatter integration **Development Tooling:** - Enhance pre-commit configuration with additional hooks and formatters - Update GoReleaser configuration with improved YAML formatting - Improve GitHub workflows and issue templates for CLI-specific context - Add comprehensive Makefile with proper dependency checking **Testing & Security:** - Standardize mock patterns and context wrapper implementations - Enhance error handling with centralized error constants - Improve concurrent access testing for thread safety * perf: implement major performance optimizations with comprehensive test coverage This commit introduces three significant performance improvements along with complete linting compliance and robust test coverage: **Performance Optimizations:** 1. **Time Parsing Cache (8.6x improvement)** - Add TimeParsingCache with sync.Map for caching parsed times - Implement object pooling for string builders to reduce allocations - Create optimized BanRecordParser with pooled string slices 2. **Gzip Detection Consolidation (55x improvement)** - Consolidate ~100 lines of duplicate gzip detection logic - Fast-path extension checking before magic byte detection - Unified GzipDetector with comprehensive file handling utilities 3. **Parallel Processing (2.5-5.0x improvement)** - Generic WorkerPool implementation for concurrent operations - Smart fallback to sequential processing for single operations - Context-aware cancellation support for long-running tasks - Applied to ban/unban operations across multiple jails **New Files Added:** - fail2ban/time_parser.go: Cached time parsing with global instances - fail2ban/ban_record_parser.go: Optimized ban record parsing - fail2ban/gzip_detection.go: Unified gzip handling utilities - fail2ban/parallel_processing.go: Generic parallel processing framework - cmd/parallel_operations.go: Command-level parallel operation support **Code Quality & Linting:** - Resolve all golangci-lint issues (0 remaining) - Add proper #nosec annotations for legitimate file operations - Implement sentinel errors replacing nil/nil anti-pattern - Fix context parameter handling and error checking **Comprehensive Test Coverage:** - 500+ lines of new tests with benchmarks validating all improvements - Concurrent access testing for thread safety - Edge case handling and error condition testing - Performance benchmarks demonstrating measured improvements **Modified Files:** - fail2ban/fail2ban.go: Integration with new optimized parsers - fail2ban/logs.go: Use consolidated gzip detection (-91 lines) - cmd/ban.go & cmd/unban.go: Add conditional parallel processing * test: comprehensive test infrastructure overhaul with real test data Major improvements to test code quality and organization: • Added comprehensive test data infrastructure with 6 anonymized log files • Extracted common test helpers reducing ~200 lines to ~50 reusable functions • Enhanced ban record parser tests with real production log patterns • Improved gzip detection tests with actual compressed test data • Added integration tests for full log processing and concurrent operations • Updated .gitignore to allow testdata log files while excluding others • Updated TODO.md to reflect completed test infrastructure improvements * fix: comprehensive security hardening and critical bug fixes Security Enhancements: - Add command injection protection with allowlist validation for all external commands - Add security documentation to gzip functions warning about path traversal risks - Complete TODO.md security audit - all critical vulnerabilities addressed Bug Fixes: - Fix negative index access vulnerability in parallel operations (prevent panic) - Fix parsing inconsistency between BannedIn and BannedInWithContext functions - Fix nil error handling in concurrent log reading tests - Fix benchmark error simulation to measure actual performance vs error paths Implementation Details: - Add ValidateCommand() with allowlist for fail2ban-client, fail2ban-regex, service, systemctl, sudo - Integrate command validation into all OSRunner methods before execution - Replace manual string parsing with ParseBracketedList() for consistency - Add bounds checking (index >= 0) to prevent negative array access - Replace nil error with descriptive error message in concurrent error channels - Update banFunc in benchmark to return success instead of permanent errors Test Coverage: - Add comprehensive security validation tests with injection attempt patterns - Add parallel operations safety tests with index validation - Add parsing consistency tests between context/non-context functions - Add error handling demonstration tests for concurrent operations - Add gzip function security requirement documentation tests * perf: implement ultra-optimized log and ban record parsing with significant performance gains Major performance improvements to core fail2ban processing with comprehensive benchmarking: Performance Achievements: • Ban record parsing: 15% faster, 39% less memory, 45% fewer allocations • Log processing: 27% faster, 64% less memory, 32% fewer allocations • Cache performance: 624x faster cache hits with zero allocations • String pooling: 4.7x improvement with zero memory allocations Core Optimizations: • Object pooling (sync.Pool) for string slices, scanner buffers, and line buffers • Comprehensive caching (sync.Map) for gzip detection, file info, and path patterns • Fast path optimizations with extension-based gzip detection • Byte-level operations to reduce string allocations in filtering • Ultra-optimized parsers with smart field parsing and efficient time handling New Files: • fail2ban/ban_record_parser_optimized.go - High-performance ban record parser • fail2ban/log_performance_optimized.go - Ultra-optimized log processor with caching • fail2ban/ban_record_parser_benchmark_test.go - Ban record parsing benchmarks • fail2ban/log_performance_benchmark_test.go - Log performance benchmarks • fail2ban/ban_record_parser_compatibility_test.go - Compatibility verification tests Updated: • fail2ban/fail2ban.go - Integration with ultra-optimized parsers • TODO.md - Marked performance optimization tasks as completed * fix(ci): install dev dependencies for pre-commit * refactor: streamline pre-commit config and extract test helpers - Replace local hooks with upstream pre-commit repositories for better maintainability - Add new hooks: shellcheck, shfmt, checkov for enhanced code quality - Extract common test helpers into dedicated test_helpers.go to reduce duplication - Add warning logs for unreadable log files in fail2ban and logs packages - Remove hard-coded GID checks in sudo.go for better cross-platform portability - Update golangci-lint installation method in Makefile * fix(security): path traversal, log file validation * feat: complete pre-release modernization with comprehensive testing - Remove all deprecated legacy functions and dead code paths - Add security hardening with sanitized error messages - Implement comprehensive performance benchmarks and security audit tests - Mark all pre-release modernization tasks as completed (10/10) - Update project documentation to reflect full completion status * fix(ci): linting, and update gosec install source * feat: implement comprehensive test framework with 60-70% code reduction Major test infrastructure modernization: - Create fluent CommandTestBuilder framework for streamlined test creation - Add MockClientBuilder pattern for advanced mock configuration - Standardize table test field naming (expectedOut→wantOutput, expectError→wantError) - Consolidate test code: 3,796 insertions, 3,104 deletions (net +692 lines with enhanced functionality) Framework achievements: - 168+ tests passing with zero regressions - 5 cmd test files fully migrated to new framework - 63 field name standardizations applied - Advanced mock patterns with fluent interface File organization improvements: - Rename all test files with consistent prefixes (cmd_*, fail2ban_*, main_*) - Split monolithic test files into focused, maintainable modules - Eliminate cmd_test.go (622 lines) and main_test.go (825 lines) - Create specialized test files for better organization Documentation enhancements: - Update docs/testing.md with complete framework documentation - Optimize TODO.md from 231→72 lines (69% token reduction) - Add comprehensive migration guides and best practices Test framework components: - command_test_framework.go: Core fluent interface implementation - MockClientBuilder: Advanced mock configuration with builder pattern - table_test_standards.go: Standardized field naming conventions - Enhanced test helpers with error checking consolidation * chore: fixes, .go-version, linting * fix(ci) editorconfig in .pre-commit-config.yaml * fix: too broad gitignore * chore: update fail2ban/fail2ban_path_security_test.go Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Ismo Vuorinen <ismo@ivuorinen.net> * chore: code review fixes * chore: code review fixes * fix: more code review fixes * fix: more code review fixes * feat: cleanup, fixes, testing * chore: minor config file updates - Add quotes to F2B_TIMEOUT value in .env.example for clarity - Remove testdata log exception from .gitignore (simplified) * feat: implement comprehensive monitoring with structured logging and metrics - Add structured logging with context propagation throughout codebase - Implement ContextualLogger with request tracking and operation timing - Add context values for operation, IP, jail, command, and request ID - Integrate with existing logrus logging infrastructure - Add request/response timing metrics collection - Create comprehensive Metrics system with atomic counters - Track command executions, ban/unban operations, and client operations - Implement latency distribution buckets for performance analysis - Add validation cache hit/miss tracking - Enhance ban/unban commands with structured logging - Add LogOperation wrapper for automatic timing and context - Log individual jail operations with success/failure status - Integrate metrics recording with ban/unban operations - Add new 'metrics' command to expose collected metrics - Support both plain text and JSON output formats - Display system metrics (uptime, memory, goroutines) - Show operation counts, failures, and average latencies - Include latency distribution histograms - Update test infrastructure - Add tests for metrics command - Fix test helper to support persistent flags - Ensure all tests pass with new logging This completes the high-priority performance monitoring and structured logging requirements from TODO.md, providing comprehensive operational visibility into the f2b application. * docs: update TODO.md to reflect completed monitoring work - Mark structured logging and timing metrics as completed - Update test coverage stats (cmd/ improved from 66.4% to 76.8%) - Add completed infrastructure section for today's work - Update current status date and add monitoring to health indicators * feat: complete TODO.md technical debt cleanup Complete all remaining TODO.md tasks with comprehensive implementation: ## 🎯 Validation Caching Implementation - Thread-safe validation cache with sync.RWMutex protection - MetricsRecorder interface to avoid circular dependencies - Cached validation for IP, jail, filter, and command validation - Integration with existing metrics system for cache hit/miss tracking - 100% test coverage for caching functionality ## 🔧 Constants Extraction - Fail2Ban status codes: Fail2BanStatusSuccess, Fail2BanStatusAlreadyProcessed - Command constants: Fail2BanClientCommand, Fail2BanRegexCommand, Fail2BanServerCommand - File permissions: DefaultFilePermissions (0600), DefaultDirectoryPermissions (0750) - Timeout limits: MaxCommandTimeout, MaxFileTimeout, MaxParallelTimeout - Updated all references throughout codebase to use named constants ## 📊 Test Coverage Improvement - Increased fail2ban package coverage from 62.0% to 70.3% (target: 70%+) - Added 6 new comprehensive test files with 200+ additional test cases - Coverage improvements across all major components: - Context helpers, validation cache, mock clients, OS runner methods - Error constructors, timing operations, cache statistics - Thread safety and concurrency testing ## 🛠️ Code Quality & Fixes - Fixed all linting issues (golangci-lint, revive, errcheck) - Resolved unused parameter warnings and error handling - Fixed timing-dependent test failures in worker pool cancellation - Enhanced thread safety in validation caching ## 📈 Final Metrics - Overall test coverage: 72.4% (up from ~65%) - fail2ban package: 70.3% (exceeds 70% target) - cmd package: 76.9% - Zero TODO/FIXME/HACK comments in production code - 100% linting compliance * fix: resolve test framework issues and update documentation - Remove unnecessary defer/recover block in comprehensive_framework_test.go - Fix compilation error in command_test_framework.go variable redeclaration - Update TODO.md to reflect all 12 completed code quality fixes - Clean up dead code and improve test maintainability - Fix linting issues: error handling, code complexity, security warnings - Break down complex test function to reduce cyclomatic complexity * fix: replace dangerous test commands with safe placeholders Replaces actual dangerous commands in test cases with safe placeholder patterns to prevent accidental execution while maintaining comprehensive security testing. - Replace 'rm -rf /', 'cat /etc/passwd' with 'DANGEROUS_RM_COMMAND', 'DANGEROUS_SYSTEM_CALL' - Update GetDangerousCommandPatterns() to recognize both old and new patterns - Enhance filter validation with command injection protection (semicolons, pipes, backticks, dollar signs) - Add package documentation comments for all packages (main, cmd, fail2ban) - Fix GoReleaser static linking configuration for cross-platform builds - Remove Docker platform restriction to enable multi-arch support - Apply code formatting and linting fixes All security validation tests continue to pass with the safe placeholders. * fix: resolve TestMixedConcurrentOperations race condition and command key mismatches The concurrency test was failing due to several issues: 1. **Command Key Mismatch**: Test setup used "sudo test arg" key but MockRunner looked for "test arg" because "test" command doesn't require sudo 2. **Invalid Commands**: Using "test" and "echo" commands that aren't in the fail2ban command allowlist, causing validation failures 3. **Race Conditions**: Multiple goroutines setting different MockRunners simultaneously, overwriting responses **Solution:** - Replace invalid test commands ("test", "echo") with valid fail2ban commands ("fail2ban-client status", "fail2ban-client -V") - Pre-configure shared MockRunner with all required response keys for both sudo and non-sudo execution paths - Improve test structure to reduce race conditions between setup and execution All tests now pass reliably, resolving the CI failure. * fix: address code quality issues and improve test coverage - Replace unsafe type assertion with comma-ok idiom in logging - Fix TestTestFilter to use created filter instead of nonexistent - Add warning logs for invalid log level configurations - Update TestVersionCommand to use consistent test framework pattern - Remove unused LoggerContextKey constant - Add version command support to test framework - Fix trailing whitespace in test files * feat: add timeout handling and multi-architecture Docker support * test: enhance path traversal security test coverage * chore: comprehensive documentation update and linting fixes Updated all documentation to reflect current capabilities including context-aware operations, multi-architecture Docker support, advanced security features, and performance monitoring. Removed unused functions and fixed all linting issues. * fix(lint): .goreleaser.yaml * feat: add markdown link checker and fix all linting issues - Add markdown-link-check to pre-commit hooks with comprehensive configuration - Fix GitHub workflow structure (sync-labels.yml) with proper job setup - Add JSON schemas to all configuration files for better IDE support - Update tool installation in Makefile for markdown-link-check dependency - Fix all revive linting issues (Boolean literals, defer in loop, if-else simplification, method naming) - Resolve broken relative link in CONTRIBUTING.md - Configure rate limiting and ignore patterns for GitHub URLs - Enhance CLAUDE.md with link checking documentation * fix(ci): sync-labels permissions * docs: comprehensive documentation update reflecting current project status - Updated TODO.md to show production-ready status with 21 commands - Enhanced README.md with enterprise-grade features and capabilities - Added performance monitoring and timeout configuration to FAQ - Updated CLAUDE.md with accurate project architecture overview - Fixed all line length issues to meet EditorConfig requirements - Added .mega-linter.yml configuration for enhanced linting * fix: address CodeRabbitAI review feedback - Split .goreleaser.yaml builds for static/dynamic linking by architecture - Update docs to accurately reflect 7 path traversal patterns (not 17) - Fix containsPathTraversal to allow valid absolute paths - Replace runnerCombinedRunWithSudoContext with RunnerCombinedOutputWithSudoContext - Fix ldflags to use uppercase Version variable name - Remove duplicate test coverage metrics in TODO.md - Fix .markdown-link-check.json schema violations - Add v8r JSON validator to pre-commit hooks * chore(ci): update workflows, switch v8r to check-jsonschema * fix: restrict static linking to amd64 only in .goreleaser.yaml - Move arm64 from static to dynamic build configuration - Static linking now only applies to linux/amd64 - Prevents build failures due to missing static libc on ARM64 - All architectures remain supported with appropriate linking * fix(ci): caching * fix(ci): python caching with pip, node with npm * fix(ci): no caching for node then * fix(ci): no requirements.txt, no cache * refactor: address code review feedback - Pin Alpine base image to v3.20 for reproducible builds - Remove redundant --platform flags in GoReleaser Docker configs - Fix unused parameters in concurrency test goroutines - Simplify string search helper using strings.Contains() - Remove redundant error checking logic in security tests --------- Signed-off-by: Ismo Vuorinen <ismo@ivuorinen.net> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
859 lines
24 KiB
Go
859 lines
24 KiB
Go
package fail2ban
|
|
|
|
import (
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
"unicode"
|
|
|
|
"github.com/hashicorp/go-version"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// loggerInterface defines the logging interface we need
|
|
type loggerInterface interface {
|
|
WithField(key string, value interface{}) *logrus.Entry
|
|
WithFields(fields logrus.Fields) *logrus.Entry
|
|
WithError(err error) *logrus.Entry
|
|
Debug(args ...interface{})
|
|
Info(args ...interface{})
|
|
Warn(args ...interface{})
|
|
Error(args ...interface{})
|
|
Debugf(format string, args ...interface{})
|
|
Infof(format string, args ...interface{})
|
|
Warnf(format string, args ...interface{})
|
|
Errorf(format string, args ...interface{})
|
|
}
|
|
|
|
// logger holds the current logger instance - will be set by cmd package
|
|
var logger loggerInterface = logrus.StandardLogger()
|
|
|
|
// SetLogger allows the cmd package to set the logger instance
|
|
func SetLogger(l loggerInterface) {
|
|
logger = l
|
|
}
|
|
|
|
// getLogger returns the current logger instance
|
|
func getLogger() loggerInterface {
|
|
return logger
|
|
}
|
|
|
|
func init() {
|
|
// Configure logging for CI/test environments to reduce noise
|
|
configureCITestLogging()
|
|
}
|
|
|
|
// configureCITestLogging reduces log verbosity in CI and test environments
|
|
func configureCITestLogging() {
|
|
// Detect CI environments by checking common CI environment variables
|
|
ciEnvVars := []string{
|
|
"CI", "GITHUB_ACTIONS", "TRAVIS", "CIRCLECI", "JENKINS_URL",
|
|
"BUILDKITE", "TF_BUILD", "GITLAB_CI",
|
|
}
|
|
|
|
isCI := false
|
|
for _, envVar := range ciEnvVars {
|
|
if os.Getenv(envVar) != "" {
|
|
isCI = true
|
|
break
|
|
}
|
|
}
|
|
|
|
// Also check if we're in test mode
|
|
isTest := strings.Contains(os.Args[0], ".test") ||
|
|
os.Getenv("GO_TEST") == "true" ||
|
|
flag.Lookup("test.v") != nil
|
|
|
|
// If in CI or test environment, reduce logging noise unless explicitly overridden
|
|
// Note: This will be overridden by cmd.Logger once main() runs
|
|
if (isCI || isTest) && os.Getenv("F2B_LOG_LEVEL") == "" && os.Getenv("F2B_VERBOSE_TESTS") == "" {
|
|
logrus.SetLevel(logrus.ErrorLevel)
|
|
}
|
|
}
|
|
|
|
// Validation constants
|
|
const (
|
|
// MaxIPAddressLength is the maximum length for an IP address string (IPv6 with brackets and port)
|
|
MaxIPAddressLength = 45
|
|
// MaxJailNameLength is the maximum length for a jail name
|
|
MaxJailNameLength = 64
|
|
// MaxFilterNameLength is the maximum length for a filter name
|
|
MaxFilterNameLength = 255
|
|
// MaxArgumentLength is the maximum length for a command argument
|
|
MaxArgumentLength = 1024
|
|
)
|
|
|
|
// Time constants for duration calculations
|
|
const (
|
|
// SecondsPerMinute is the number of seconds in a minute
|
|
SecondsPerMinute = 60
|
|
// SecondsPerHour is the number of seconds in an hour
|
|
SecondsPerHour = 3600
|
|
// SecondsPerDay is the number of seconds in a day
|
|
SecondsPerDay = 86400
|
|
// DefaultBanDuration is the default fallback duration for bans when parsing fails
|
|
DefaultBanDuration = 24 * time.Hour
|
|
)
|
|
|
|
// Fail2Ban status codes
|
|
const (
|
|
// Fail2BanStatusSuccess indicates successful operation (ban/unban succeeded)
|
|
Fail2BanStatusSuccess = "0"
|
|
// Fail2BanStatusAlreadyProcessed indicates IP was already banned/unbanned
|
|
Fail2BanStatusAlreadyProcessed = "1"
|
|
)
|
|
|
|
// Fail2Ban command names
|
|
const (
|
|
// Fail2BanClientCommand is the standard fail2ban client command
|
|
Fail2BanClientCommand = "fail2ban-client"
|
|
// Fail2BanRegexCommand is the fail2ban regex testing command
|
|
Fail2BanRegexCommand = "fail2ban-regex"
|
|
// Fail2BanServerCommand is the fail2ban server command
|
|
Fail2BanServerCommand = "fail2ban-server"
|
|
)
|
|
|
|
// File permission constants
|
|
const (
|
|
// DefaultFilePermissions for log files and temporary files
|
|
DefaultFilePermissions = 0600
|
|
// DefaultDirectoryPermissions for created directories
|
|
DefaultDirectoryPermissions = 0750
|
|
)
|
|
|
|
// Timeout limit constants
|
|
const (
|
|
// MaxCommandTimeout is the maximum allowed timeout for commands
|
|
MaxCommandTimeout = 10 * time.Minute
|
|
// MaxFileTimeout is the maximum allowed timeout for file operations
|
|
MaxFileTimeout = 5 * time.Minute
|
|
// MaxParallelTimeout is the maximum allowed timeout for parallel operations
|
|
MaxParallelTimeout = 30 * time.Minute
|
|
)
|
|
|
|
// Context key types for structured logging
|
|
type contextKey string
|
|
|
|
const (
|
|
// ContextKeyRequestID is the context key for request IDs
|
|
ContextKeyRequestID contextKey = "request_id"
|
|
// ContextKeyOperation is the context key for operation names
|
|
ContextKeyOperation contextKey = "operation"
|
|
// ContextKeyJail is the context key for jail names
|
|
ContextKeyJail contextKey = "jail"
|
|
// ContextKeyIP is the context key for IP addresses
|
|
ContextKeyIP contextKey = "ip"
|
|
)
|
|
|
|
// Validation helpers
|
|
|
|
// ValidateIP validates an IP address string and returns an error if invalid
|
|
func ValidateIP(ip string) error {
|
|
if ip == "" {
|
|
return ErrIPRequiredError
|
|
}
|
|
// Check for valid IPv4 or IPv6 address
|
|
parsed := net.ParseIP(ip)
|
|
if parsed == nil {
|
|
// Don't include potentially malicious input in error message
|
|
if containsCommandInjectionPatterns(ip) || len(ip) > MaxIPAddressLength {
|
|
return fmt.Errorf("invalid IP address format")
|
|
}
|
|
return NewInvalidIPError(ip)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ValidateJail validates a jail name and returns an error if invalid
|
|
func ValidateJail(jail string) error {
|
|
if jail == "" {
|
|
return ErrJailRequiredError
|
|
}
|
|
// Jail names should be reasonable length
|
|
if len(jail) > MaxJailNameLength {
|
|
// Don't include potentially malicious input in error message
|
|
if containsCommandInjectionPatterns(jail) {
|
|
return fmt.Errorf("invalid jail name format")
|
|
}
|
|
return NewInvalidJailError(jail + " (too long)")
|
|
}
|
|
// First character should be alphanumeric
|
|
if len(jail) > 0 {
|
|
first := rune(jail[0])
|
|
if !unicode.IsLetter(first) && !unicode.IsDigit(first) {
|
|
// Don't include potentially malicious input in error message
|
|
if containsCommandInjectionPatterns(jail) {
|
|
return fmt.Errorf("invalid jail name format")
|
|
}
|
|
return NewInvalidJailError(jail + " (invalid format)")
|
|
}
|
|
}
|
|
// Rest can be alphanumeric, dash, underscore, or dot
|
|
for _, r := range jail {
|
|
if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' && r != '.' {
|
|
// Don't include potentially malicious input in error message
|
|
if containsCommandInjectionPatterns(jail) {
|
|
return fmt.Errorf("invalid jail name format")
|
|
}
|
|
return NewInvalidJailError(jail + " (invalid character)")
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ValidateFilter validates a filter name and returns an error if invalid
|
|
func ValidateFilter(filter string) error {
|
|
if filter == "" {
|
|
return ErrFilterRequiredError
|
|
}
|
|
|
|
// Check length limits to prevent buffer overflow attacks
|
|
if len(filter) > MaxFilterNameLength {
|
|
return NewInvalidFilterError(filter + " (too long)")
|
|
}
|
|
|
|
// Check for null bytes
|
|
if strings.Contains(filter, "\x00") {
|
|
return NewInvalidFilterError(filter + " (contains null bytes)")
|
|
}
|
|
|
|
// Enhanced path traversal detection
|
|
if ContainsPathTraversal(filter) {
|
|
return NewInvalidFilterError(filter + " (path traversal)")
|
|
}
|
|
|
|
// Check for command injection patterns (defense in depth)
|
|
if containsCommandInjectionPatterns(filter) {
|
|
return NewInvalidFilterError(filter + " (injection patterns)")
|
|
}
|
|
|
|
// Character validation - only allow safe characters
|
|
for _, r := range filter {
|
|
if !isValidFilterChar(r) {
|
|
return NewInvalidFilterError(filter + " (invalid characters)")
|
|
}
|
|
}
|
|
|
|
// Additional validation: ensure filter doesn't start/end with dangerous patterns
|
|
if strings.HasPrefix(filter, ".") || strings.HasSuffix(filter, ".") {
|
|
// Allow single extension like ".conf" but not ".." or "..."
|
|
if strings.Contains(filter, "..") {
|
|
return NewInvalidFilterError(filter + " (invalid dot patterns)")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidateJailExists checks if a jail exists in the given list
|
|
func ValidateJailExists(jail string, jails []string) error {
|
|
for _, j := range jails {
|
|
if j == jail {
|
|
return nil
|
|
}
|
|
}
|
|
return NewJailNotFoundError(jail)
|
|
}
|
|
|
|
// Command execution helpers
|
|
|
|
// Parsing helpers
|
|
|
|
// ParseJailList parses the jail list output from fail2ban-client status
|
|
func ParseJailList(output string) ([]string, error) {
|
|
// Optimized: Find "Jail list:" position directly instead of splitting all lines
|
|
jailListPos := strings.Index(output, "Jail list:")
|
|
if jailListPos == -1 {
|
|
return nil, fmt.Errorf("failed to parse jails")
|
|
}
|
|
|
|
// Find the start of the jail list content (after "Jail list:")
|
|
colonPos := strings.Index(output[jailListPos:], ":")
|
|
if colonPos == -1 {
|
|
return nil, fmt.Errorf("failed to parse jails")
|
|
}
|
|
|
|
// Find the end of the line
|
|
start := jailListPos + colonPos + 1
|
|
end := strings.Index(output[start:], "\n")
|
|
if end == -1 {
|
|
end = len(output) - start
|
|
}
|
|
|
|
jailList := strings.TrimSpace(output[start : start+end])
|
|
if jailList == "" {
|
|
return []string{}, nil // Return empty list for no jails
|
|
}
|
|
|
|
// Optimized: Use byte replacement instead of string replacement for single character
|
|
if strings.Contains(jailList, ",") {
|
|
jailList = strings.ReplaceAll(jailList, ",", " ")
|
|
}
|
|
|
|
return strings.Fields(jailList), nil
|
|
}
|
|
|
|
// ParseBracketedList parses bracketed output like "[jail1, jail2]"
|
|
func ParseBracketedList(output string) []string {
|
|
// Optimized: Manual bracket removal instead of Trim to avoid checking both ends
|
|
s := output
|
|
if len(s) >= 2 && s[0] == '[' && s[len(s)-1] == ']' {
|
|
s = s[1 : len(s)-1]
|
|
}
|
|
if s == "" {
|
|
return []string{}
|
|
}
|
|
|
|
// Optimized: Remove quotes first, then split to avoid multiple string operations
|
|
if strings.Contains(s, "\"") {
|
|
s = strings.ReplaceAll(s, "\"", "")
|
|
}
|
|
|
|
parts := strings.Split(s, ",")
|
|
|
|
// Optimized: Trim in-place to avoid additional allocations
|
|
for i, part := range parts {
|
|
parts[i] = strings.TrimSpace(part)
|
|
}
|
|
|
|
return parts
|
|
}
|
|
|
|
// Utility helpers
|
|
|
|
// CompareVersions compares two version strings
|
|
func CompareVersions(v1, v2 string) int {
|
|
version1, err1 := version.NewVersion(v1)
|
|
version2, err2 := version.NewVersion(v2)
|
|
|
|
// If either version is invalid, fall back to string comparison
|
|
if err1 != nil || err2 != nil {
|
|
return strings.Compare(v1, v2)
|
|
}
|
|
|
|
return version1.Compare(version2)
|
|
}
|
|
|
|
// FormatDuration formats seconds into a human-readable duration string
|
|
func FormatDuration(sec int64) string {
|
|
days := sec / SecondsPerDay
|
|
h := (sec % SecondsPerDay) / SecondsPerHour
|
|
m := (sec % SecondsPerHour) / SecondsPerMinute
|
|
s := sec % SecondsPerMinute
|
|
return fmt.Sprintf("%02d:%02d:%02d:%02d", days, h, m, s)
|
|
}
|
|
|
|
// IsTestEnvironment returns true if running in a test environment
|
|
func IsTestEnvironment() bool {
|
|
for _, arg := range os.Args {
|
|
if strings.HasPrefix(arg, "-test.") {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// ContainsPathTraversal checks for various path traversal patterns
|
|
func ContainsPathTraversal(input string) bool {
|
|
// Path separators and traversal patterns
|
|
if strings.ContainsAny(input, "/\\") {
|
|
return true
|
|
}
|
|
|
|
// Various representations of ".."
|
|
dangerousPatterns := []string{
|
|
"..",
|
|
"%2e%2e", // URL encoded ..
|
|
"%2f", // URL encoded /
|
|
"%5c", // URL encoded \
|
|
"\u002e\u002e", // Unicode ..
|
|
"\uff0e\uff0e", // Full-width Unicode ..
|
|
}
|
|
|
|
inputLower := strings.ToLower(input)
|
|
for _, pattern := range dangerousPatterns {
|
|
if strings.Contains(inputLower, strings.ToLower(pattern)) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// ValidateCommand validates that a command is in the allowlist for security
|
|
func ValidateCommand(command string) error {
|
|
// Allowlist of commands that f2b is permitted to execute
|
|
allowedCommands := map[string]bool{
|
|
Fail2BanClientCommand: true,
|
|
Fail2BanRegexCommand: true,
|
|
Fail2BanServerCommand: true,
|
|
"service": true,
|
|
"systemctl": true,
|
|
"sudo": true, // Only when used internally
|
|
}
|
|
|
|
if command == "" {
|
|
return NewInvalidCommandError("command cannot be empty")
|
|
}
|
|
|
|
// Check for null bytes (command injection attempt)
|
|
if strings.ContainsRune(command, '\x00') {
|
|
// Don't include potentially malicious input in error message
|
|
return fmt.Errorf("invalid command format")
|
|
}
|
|
|
|
// Check for path traversal in command name
|
|
if ContainsPathTraversal(command) {
|
|
// Don't include potentially malicious input in error message
|
|
// Check for common dangerous patterns that shouldn't be in command names
|
|
dangerousPatterns := GetDangerousCommandPatterns()
|
|
cmdLower := strings.ToLower(command)
|
|
for _, pattern := range dangerousPatterns {
|
|
if strings.Contains(cmdLower, strings.ToLower(pattern)) {
|
|
return fmt.Errorf("invalid command format")
|
|
}
|
|
}
|
|
return NewInvalidCommandError(command + " (path traversal)")
|
|
}
|
|
|
|
// Additional security checks for command injection patterns
|
|
if containsCommandInjectionPatterns(command) {
|
|
// Don't include potentially malicious input in error message
|
|
return fmt.Errorf("invalid command format")
|
|
}
|
|
|
|
// Validate against allowlist
|
|
if !allowedCommands[command] {
|
|
return NewCommandNotAllowedError(command)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidateArguments validates command arguments for security
|
|
func ValidateArguments(args []string) error {
|
|
for i, arg := range args {
|
|
if err := validateSingleArgument(arg, i); err != nil {
|
|
return fmt.Errorf("argument %d invalid: %w", i, err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// validateSingleArgument validates a single command argument
|
|
func validateSingleArgument(arg string, _ int) error {
|
|
// Check for null bytes
|
|
if strings.ContainsRune(arg, '\x00') {
|
|
return NewInvalidArgumentError(arg + " (contains null byte)")
|
|
}
|
|
|
|
// Check length to prevent buffer overflow
|
|
if len(arg) > MaxArgumentLength {
|
|
return NewInvalidArgumentError(fmt.Sprintf("%s (too long: %d chars)", arg, len(arg)))
|
|
}
|
|
|
|
// Check for command injection patterns
|
|
if containsCommandInjectionPatterns(arg) {
|
|
return NewInvalidArgumentError(arg + " (injection patterns)")
|
|
}
|
|
|
|
// For IP arguments, validate IP format
|
|
if isLikelyIPArgument(arg) {
|
|
if err := CachedValidateIP(arg); err != nil {
|
|
return fmt.Errorf("invalid IP format: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// containsCommandInjectionPatterns detects common command injection patterns
|
|
func containsCommandInjectionPatterns(input string) bool {
|
|
// Optimized: Check single characters first (fastest)
|
|
for _, r := range input {
|
|
switch r {
|
|
case ';', '&', '|', '`', '$', '<', '>', '\n', '\r', '\t':
|
|
return true
|
|
}
|
|
}
|
|
|
|
// Optimized: Convert to lower case only once and check multi-character patterns
|
|
inputLower := strings.ToLower(input)
|
|
|
|
// Multi-character patterns - be specific to avoid false positives
|
|
multiCharPatterns := []string{
|
|
"$(", "${", "&&", "||", ">>", "<<",
|
|
"exec ", "system(", "eval(",
|
|
}
|
|
|
|
for _, pattern := range multiCharPatterns {
|
|
if strings.Contains(inputLower, pattern) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// isLikelyIPArgument heuristically determines if an argument looks like an IP address
|
|
func isLikelyIPArgument(arg string) bool {
|
|
// Simple heuristic: contains dots and digits
|
|
return strings.Contains(arg, ".") && strings.ContainsAny(arg, "0123456789")
|
|
}
|
|
|
|
// Internal helper functions
|
|
|
|
// isValidFilterChar checks if a character is allowed in filter names
|
|
func isValidFilterChar(r rune) bool {
|
|
// Allow letters, digits, and safe punctuation
|
|
return unicode.IsLetter(r) ||
|
|
unicode.IsDigit(r) ||
|
|
r == '-' ||
|
|
r == '_' ||
|
|
r == '.' ||
|
|
r == '@' || // Allow @ for email-like patterns
|
|
r == '+' || // Allow + for variations
|
|
r == '~' // Allow ~ for common naming
|
|
}
|
|
|
|
// Context helpers for structured logging
|
|
|
|
// WithRequestID adds a request ID to the context
|
|
func WithRequestID(ctx context.Context, requestID string) context.Context {
|
|
return context.WithValue(ctx, ContextKeyRequestID, requestID)
|
|
}
|
|
|
|
// WithOperation adds an operation name to the context
|
|
func WithOperation(ctx context.Context, operation string) context.Context {
|
|
return context.WithValue(ctx, ContextKeyOperation, operation)
|
|
}
|
|
|
|
// WithJail adds a jail name to the context
|
|
func WithJail(ctx context.Context, jail string) context.Context {
|
|
return context.WithValue(ctx, ContextKeyJail, jail)
|
|
}
|
|
|
|
// WithIP adds an IP address to the context
|
|
func WithIP(ctx context.Context, ip string) context.Context {
|
|
return context.WithValue(ctx, ContextKeyIP, ip)
|
|
}
|
|
|
|
// LoggerFromContext creates a logrus Entry with fields from context
|
|
func LoggerFromContext(ctx context.Context) *logrus.Entry {
|
|
fields := logrus.Fields{}
|
|
|
|
if requestID, ok := ctx.Value(ContextKeyRequestID).(string); ok && requestID != "" {
|
|
fields["request_id"] = requestID
|
|
}
|
|
|
|
if operation, ok := ctx.Value(ContextKeyOperation).(string); ok && operation != "" {
|
|
fields["operation"] = operation
|
|
}
|
|
|
|
if jail, ok := ctx.Value(ContextKeyJail).(string); ok && jail != "" {
|
|
fields["jail"] = jail
|
|
}
|
|
|
|
if ip, ok := ctx.Value(ContextKeyIP).(string); ok && ip != "" {
|
|
fields["ip"] = ip
|
|
}
|
|
|
|
return getLogger().WithFields(fields)
|
|
}
|
|
|
|
// GenerateRequestID generates a simple request ID for tracing
|
|
func GenerateRequestID() string {
|
|
return fmt.Sprintf("req_%d", time.Now().UnixNano())
|
|
}
|
|
|
|
// Timing infrastructure for performance monitoring
|
|
|
|
// TimedOperation represents a timed operation with metadata
|
|
type TimedOperation struct {
|
|
Name string
|
|
Command string
|
|
Args []string
|
|
StartTime time.Time
|
|
}
|
|
|
|
// NewTimedOperation creates a new timed operation and starts timing
|
|
func NewTimedOperation(name, command string, args ...string) *TimedOperation {
|
|
return &TimedOperation{
|
|
Name: name,
|
|
Command: command,
|
|
Args: args,
|
|
StartTime: time.Now(),
|
|
}
|
|
}
|
|
|
|
// Finish completes the timed operation and logs the duration with context
|
|
func (t *TimedOperation) Finish(err error) {
|
|
duration := time.Since(t.StartTime)
|
|
|
|
fields := logrus.Fields{
|
|
"operation": t.Name,
|
|
"command": t.Command,
|
|
"duration": duration,
|
|
"args": strings.Join(t.Args, " "),
|
|
}
|
|
|
|
if err != nil {
|
|
getLogger().WithFields(fields).WithField("error", err.Error()).Warnf("Operation failed after %v", duration)
|
|
} else {
|
|
if duration > time.Second {
|
|
// Log slow operations as warnings for visibility
|
|
getLogger().WithFields(fields).Warnf("Slow operation completed in %v", duration)
|
|
} else {
|
|
// Log fast operations at debug level to reduce noise
|
|
getLogger().WithFields(fields).Debugf("Operation completed in %v", duration)
|
|
}
|
|
}
|
|
}
|
|
|
|
// FinishWithContext completes the timed operation and logs the duration with context
|
|
func (t *TimedOperation) FinishWithContext(ctx context.Context, err error) {
|
|
duration := time.Since(t.StartTime)
|
|
|
|
// Get logger with context fields
|
|
logger := LoggerFromContext(ctx)
|
|
|
|
// Add timing-specific fields
|
|
fields := logrus.Fields{
|
|
"operation": t.Name,
|
|
"command": t.Command,
|
|
"duration": duration,
|
|
"args": strings.Join(t.Args, " "),
|
|
}
|
|
logger = logger.WithFields(fields)
|
|
|
|
if err != nil {
|
|
logger.WithField("error", err.Error()).Warnf("Operation failed after %v", duration)
|
|
} else {
|
|
if duration > time.Second {
|
|
// Log slow operations as warnings for visibility
|
|
logger.Warnf("Slow operation completed in %v", duration)
|
|
} else {
|
|
// Log fast operations at debug level to reduce noise
|
|
logger.Debugf("Operation completed in %v", duration)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Validation caching for performance optimization
|
|
|
|
// ValidationCache provides thread-safe caching for validation results
|
|
type ValidationCache struct {
|
|
mu sync.RWMutex
|
|
cache map[string]error
|
|
}
|
|
|
|
// NewValidationCache creates a new validation cache
|
|
func NewValidationCache() *ValidationCache {
|
|
return &ValidationCache{
|
|
cache: make(map[string]error),
|
|
}
|
|
}
|
|
|
|
// Get retrieves a cached validation result
|
|
func (vc *ValidationCache) Get(key string) (bool, error) {
|
|
vc.mu.RLock()
|
|
defer vc.mu.RUnlock()
|
|
result, exists := vc.cache[key]
|
|
return exists, result
|
|
}
|
|
|
|
// Set stores a validation result in the cache
|
|
func (vc *ValidationCache) Set(key string, err error) {
|
|
vc.mu.Lock()
|
|
defer vc.mu.Unlock()
|
|
vc.cache[key] = err
|
|
}
|
|
|
|
// Clear removes all cached entries
|
|
func (vc *ValidationCache) Clear() {
|
|
vc.mu.Lock()
|
|
defer vc.mu.Unlock()
|
|
vc.cache = make(map[string]error)
|
|
}
|
|
|
|
// Size returns the number of cached entries
|
|
func (vc *ValidationCache) Size() int {
|
|
vc.mu.RLock()
|
|
defer vc.mu.RUnlock()
|
|
return len(vc.cache)
|
|
}
|
|
|
|
// MetricsRecorder interface for recording validation metrics
|
|
type MetricsRecorder interface {
|
|
RecordValidationCacheHit()
|
|
RecordValidationCacheMiss()
|
|
}
|
|
|
|
// Global validation caches for frequently used validators
|
|
var (
|
|
ipValidationCache = NewValidationCache()
|
|
jailValidationCache = NewValidationCache()
|
|
filterValidationCache = NewValidationCache()
|
|
commandValidationCache = NewValidationCache()
|
|
|
|
// metricsRecorder is set by the cmd package to avoid circular dependencies
|
|
metricsRecorder MetricsRecorder
|
|
metricsRecorderMu sync.RWMutex
|
|
)
|
|
|
|
// SetMetricsRecorder sets the metrics recorder for validation cache tracking
|
|
func SetMetricsRecorder(recorder MetricsRecorder) {
|
|
metricsRecorderMu.Lock()
|
|
defer metricsRecorderMu.Unlock()
|
|
metricsRecorder = recorder
|
|
}
|
|
|
|
// getMetricsRecorder returns the current metrics recorder
|
|
func getMetricsRecorder() MetricsRecorder {
|
|
metricsRecorderMu.RLock()
|
|
defer metricsRecorderMu.RUnlock()
|
|
return metricsRecorder
|
|
}
|
|
|
|
// CachedValidateIP validates an IP address with caching
|
|
func CachedValidateIP(ip string) error {
|
|
cacheKey := "ip:" + ip
|
|
if exists, result := ipValidationCache.Get(cacheKey); exists {
|
|
// Record cache hit in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheHit()
|
|
}
|
|
return result
|
|
}
|
|
|
|
// Record cache miss in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheMiss()
|
|
}
|
|
|
|
err := ValidateIP(ip)
|
|
ipValidationCache.Set(cacheKey, err)
|
|
return err
|
|
}
|
|
|
|
// CachedValidateJail validates a jail name with caching
|
|
func CachedValidateJail(jail string) error {
|
|
cacheKey := "jail:" + jail
|
|
if exists, result := jailValidationCache.Get(cacheKey); exists {
|
|
// Record cache hit in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheHit()
|
|
}
|
|
return result
|
|
}
|
|
|
|
// Record cache miss in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheMiss()
|
|
}
|
|
|
|
err := ValidateJail(jail)
|
|
jailValidationCache.Set(cacheKey, err)
|
|
return err
|
|
}
|
|
|
|
// CachedValidateFilter validates a filter name with caching
|
|
func CachedValidateFilter(filter string) error {
|
|
cacheKey := "filter:" + filter
|
|
if exists, result := filterValidationCache.Get(cacheKey); exists {
|
|
// Record cache hit in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheHit()
|
|
}
|
|
return result
|
|
}
|
|
|
|
// Record cache miss in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheMiss()
|
|
}
|
|
|
|
err := ValidateFilter(filter)
|
|
filterValidationCache.Set(cacheKey, err)
|
|
return err
|
|
}
|
|
|
|
// CachedValidateCommand validates a command with caching
|
|
func CachedValidateCommand(command string) error {
|
|
cacheKey := "command:" + command
|
|
if exists, result := commandValidationCache.Get(cacheKey); exists {
|
|
// Record cache hit in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheHit()
|
|
}
|
|
return result
|
|
}
|
|
|
|
// Record cache miss in metrics
|
|
if recorder := getMetricsRecorder(); recorder != nil {
|
|
recorder.RecordValidationCacheMiss()
|
|
}
|
|
|
|
err := ValidateCommand(command)
|
|
commandValidationCache.Set(cacheKey, err)
|
|
return err
|
|
}
|
|
|
|
// ClearValidationCaches clears all validation caches
|
|
func ClearValidationCaches() {
|
|
ipValidationCache.Clear()
|
|
jailValidationCache.Clear()
|
|
filterValidationCache.Clear()
|
|
commandValidationCache.Clear()
|
|
}
|
|
|
|
// GetValidationCacheStats returns cache statistics
|
|
func GetValidationCacheStats() map[string]int {
|
|
return map[string]int{
|
|
"ip_cache_size": ipValidationCache.Size(),
|
|
"jail_cache_size": jailValidationCache.Size(),
|
|
"filter_cache_size": filterValidationCache.Size(),
|
|
"command_cache_size": commandValidationCache.Size(),
|
|
}
|
|
}
|
|
|
|
// Path helper functions for centralized path validation
|
|
|
|
// GetLogAllowedPaths returns allowed paths for log directories
|
|
func GetLogAllowedPaths() []string {
|
|
paths := []string{"/var/log", "/opt", "/usr/local", "/home"}
|
|
return appendDevPathsIfAllowed(paths)
|
|
}
|
|
|
|
// GetFilterAllowedPaths returns allowed paths for filter directories
|
|
func GetFilterAllowedPaths() []string {
|
|
paths := []string{"/etc/fail2ban", "/usr/local/etc/fail2ban", "/opt/fail2ban", "/home"}
|
|
return appendDevPathsIfAllowed(paths)
|
|
}
|
|
|
|
// appendDevPathsIfAllowed adds development paths if ALLOW_DEV_PATHS is set
|
|
func appendDevPathsIfAllowed(paths []string) []string {
|
|
if os.Getenv("ALLOW_DEV_PATHS") != "" {
|
|
return append(paths, "/tmp", "/var/folders") // macOS temp dirs
|
|
}
|
|
return paths
|
|
}
|
|
|
|
// GetDangerousCommandPatterns returns patterns that indicate dangerous commands or injections
|
|
func GetDangerousCommandPatterns() []string {
|
|
return []string{
|
|
"rm -rf", "dangerous_rm_command", "dangerous_system_call",
|
|
"drop table", "'; cat", "/etc/", "DANGEROUS_RM_COMMAND",
|
|
"DANGEROUS_SYSTEM_CALL", "DANGEROUS_COMMAND", "DANGEROUS_PWD_COMMAND",
|
|
"DANGEROUS_LIST_COMMAND", "DANGEROUS_READ_COMMAND", "DANGEROUS_OUTPUT_FILE",
|
|
"DANGEROUS_INPUT_FILE", "DANGEROUS_EXEC_COMMAND", "DANGEROUS_WGET_COMMAND",
|
|
"DANGEROUS_CURL_COMMAND", "DANGEROUS_EXEC_FUNCTION", "DANGEROUS_SYSTEM_FUNCTION",
|
|
"DANGEROUS_EVAL_FUNCTION",
|
|
}
|
|
}
|