mirror of
https://github.com/ivuorinen/f2b.git
synced 2026-03-16 04:01:12 +00:00
92 lines
3.3 KiB
Go
92 lines
3.3 KiB
Go
// Package fail2ban provides security utility functions for input validation and threat detection.
|
|
// This module handles path traversal detection, dangerous command pattern identification,
|
|
// and other security-related checks to prevent injection attacks and unauthorized access.
|
|
package fail2ban
|
|
|
|
import (
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
// ContainsPathTraversal validates paths using stdlib filepath canonicalization.
|
|
// Returns true if the path contains traversal attempts (e.g., .., absolute paths, encoded traversals, etc.)
|
|
func ContainsPathTraversal(input string) bool {
|
|
// Check for URL-encoded or Unicode-encoded traversal attempts
|
|
// These are suspicious in path/command contexts and should be rejected
|
|
inputLower := strings.ToLower(input)
|
|
suspiciousPatterns := []string{
|
|
"%2e%2e", // URL encoded ..
|
|
"%2f", // URL encoded /
|
|
"%5c", // URL encoded \
|
|
"\x00", // Null byte
|
|
}
|
|
for _, pattern := range suspiciousPatterns {
|
|
if strings.Contains(inputLower, pattern) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// Use filepath.IsLocal (Go 1.20+) to check if path is local and safe
|
|
// Returns false for paths that:
|
|
// - Are absolute (start with /)
|
|
// - Contain .. that escape the current directory
|
|
// - Are empty
|
|
// - Contain invalid characters
|
|
if !filepath.IsLocal(input) {
|
|
return true
|
|
}
|
|
|
|
// Additional check: Clean the path and verify it doesn't start with ..
|
|
// This catches cases where IsLocal might pass but the path still tries to escape
|
|
cleaned := filepath.Clean(input)
|
|
if strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) || cleaned == ".." {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// GetDangerousCommandPatterns returns patterns for log sanitization and threat detection.
|
|
//
|
|
// Purpose: This list is used for:
|
|
// - Sanitizing/masking dangerous patterns in logs to prevent sensitive data leakage
|
|
// - Detecting suspicious patterns in command outputs for monitoring/alerting
|
|
//
|
|
// NOT for: Input validation or injection prevention (use proper validation instead)
|
|
//
|
|
// The returned patterns include both production patterns (real attack signatures)
|
|
// and test sentinels (used exclusively in test fixtures for validation).
|
|
func GetDangerousCommandPatterns() []string {
|
|
// Test sentinels: Markers used exclusively in test fixtures
|
|
// These help verify pattern detection logic in tests
|
|
testSentinels := []string{
|
|
"DANGEROUS_RM_COMMAND",
|
|
"DANGEROUS_SYSTEM_CALL",
|
|
"DANGEROUS_COMMAND",
|
|
"DANGEROUS_PWD_COMMAND",
|
|
"DANGEROUS_LIST_COMMAND",
|
|
"DANGEROUS_READ_COMMAND",
|
|
"DANGEROUS_OUTPUT_FILE",
|
|
"DANGEROUS_INPUT_FILE",
|
|
"DANGEROUS_EXEC_COMMAND",
|
|
"DANGEROUS_WGET_COMMAND",
|
|
"DANGEROUS_CURL_COMMAND",
|
|
"DANGEROUS_EXEC_FUNCTION",
|
|
"DANGEROUS_SYSTEM_FUNCTION",
|
|
"DANGEROUS_EVAL_FUNCTION",
|
|
}
|
|
|
|
// Production patterns: Real command injection and SQL injection signatures
|
|
productionPatterns := []string{
|
|
"rm -rf", // Destructive file operations
|
|
"drop table", // SQL injection attempts
|
|
"'; cat", // Command injection with file reads
|
|
"/etc/passwd", "/etc/shadow", // Specific sensitive file access
|
|
}
|
|
|
|
// Combine both lists for backward compatibility; preallocate to avoid reallocation
|
|
combined := make([]string, 0, len(productionPatterns)+len(testSentinels))
|
|
combined = append(combined, productionPatterns...)
|
|
return append(combined, testSentinels...)
|
|
}
|