-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathutils.go
340 lines (301 loc) · 10.6 KB
/
utils.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
package modulego
import (
"bytes"
"fmt"
"io"
"net"
"net/http"
"net/url"
"regexp"
"sort"
"strconv"
"strings"
"time"
)
// getMicroTime returns the current unix timestamp in microseconds
// This function needs to implement the time.UnixMicro function when Tyk will support the go version >= 1.18
func getMicroTime() string {
return strconv.FormatInt(time.Now().UnixNano()/1000, 10)
}
// getIP returns the IP of the emitter from the RemoteAddr field of the request.
func getIP(r *http.Request) (string, error) {
ip, _, err := net.SplitHostPort(r.RemoteAddr)
return ip, err
}
// getHeaderList returns the list of header's keys separated by commas
func getHeaderList(r *http.Request) string {
headerNames := make([]string, 0, len(r.Header))
for headerName := range r.Header {
headerNames = append(headerNames, headerName)
}
return strings.Join(headerNames, ",")
}
// getURL returns the path and the query parameters (if present) of the request
func getURL(r *http.Request) string {
if r.URL.RawQuery != "" {
return r.URL.Path + "?" + r.URL.RawQuery
} else {
return r.URL.Path
}
}
// cut implementation from the official package (see https://cs.opensource.google/go/go/+/master:src/strings/strings.go;l=1278)
func cut(s, sep string) (before, after string, found bool) {
if i := strings.Index(s, sep); i >= 0 {
return s[:i], s[i+len(sep):], true
}
return s, "", false
}
// getURI returns the URI without the query parameters nor the Fragments.
// This function needs to implement the strings.Cut function when Tyk will support the go version >= 1.18
func getURI(r *http.Request) string {
var finalPath string
pathWithoutQueryParams, _, _ := cut(r.URL.Path, "?")
finalPath, _, _ = cut(pathWithoutQueryParams, "#")
finalUri := r.URL.Host + finalPath
return finalUri
}
// ApiFields describes the fields expected for the [ProtectionAPIRequestPayload]
type ApiFields string
const (
Accept ApiFields = "Accept"
AcceptCharset ApiFields = "AcceptCharset"
AcceptEncoding ApiFields = "AcceptEncoding"
AcceptLanguage ApiFields = "AcceptLanguage"
CacheControl ApiFields = "CacheControl"
ClientID ApiFields = "ClientID"
Connection ApiFields = "Connection"
ContentType ApiFields = "ContentType"
From ApiFields = "From"
GraphQLOperationCount ApiFields = "GraphQLOperationCount"
GraphQLOperationName ApiFields = "GraphQLOperationName"
GraphQLOperationType ApiFields = "GraphQLOperationType"
HeadersList ApiFields = "HeadersList"
Host ApiFields = "Host"
Origin ApiFields = "Origin"
Pragma ApiFields = "Pragma"
Referer ApiFields = "Referer"
Request ApiFields = "Request"
SecCHDeviceMemory ApiFields = "SecCHDeviceMemory"
SecCHUA ApiFields = "SecCHUA"
SecCHUAArch ApiFields = "SecCHUAArch"
SecCHUAFullVersionList ApiFields = "SecCHUAFullVersionList"
SecCHUAMobile ApiFields = "SecCHUAMobile"
SecCHUAModel ApiFields = "SecCHUAModel"
SecCHUAPlatform ApiFields = "SecCHUAPlatform"
SecFetchUser ApiFields = "SecFetchUser"
SecFetchDest ApiFields = "SecFetchDest"
SecFetchMode ApiFields = "SecFetchMode"
SecFetchSite ApiFields = "SecFetchSite"
ServerHostname ApiFields = "ServerHostname"
ServerName ApiFields = "ServerName"
TrueClientIP ApiFields = "TrueClientIP"
UserAgent ApiFields = "UserAgent"
Via ApiFields = "Via"
XForwardedForIP ApiFields = "XForwardedForIP"
XRealIP ApiFields = "XRealIP"
XRequestedWith ApiFields = "XRequestedWith"
)
// getTruncationSize returns the maximal size allowed for a given [ApiFields]
func getTruncationSize(key ApiFields) int {
switch key {
case SecCHDeviceMemory, SecCHUAMobile, SecFetchUser:
return 8
case SecCHUAArch:
return 16
case SecCHUAPlatform, SecFetchDest, SecFetchMode:
return 32
case ContentType, SecFetchSite:
return 64
case CacheControl, ClientID, XRequestedWith, AcceptCharset, AcceptEncoding, Pragma, Connection, From, SecCHUA, SecCHUAModel, TrueClientIP, XRealIP, GraphQLOperationName:
return 128
case AcceptLanguage, SecCHUAFullVersionList, Via:
return 256
case HeadersList, Origin, ServerHostname, ServerName, Accept, Host:
return 512
case XForwardedForIP:
return -512
case UserAgent:
return 768
case Referer:
return 1024
case Request:
return 2048
}
return 0
}
// truncateValue returns the truncated value of the given key.
// If the value does not need to be truncated, it remains unchanged.
func truncateValue(key ApiFields, value string) string {
if value == "" {
return ""
}
limit := getTruncationSize(key)
if limit < 0 && len(value) > (-1*limit) {
limit *= -1
value = value[len(value)-limit:]
} else if limit > 0 && len(value) > limit {
value = value[:limit]
}
return value
}
// isGraphQLRequest indicates if the incoming request is a GraphQL request.
func isGraphQLRequest(r *http.Request) bool {
return r.Header.Get("Content-Type") == "application/json" && r.Method == "POST" && r.ContentLength > 0 && strings.Contains(r.URL.Path, "graphql")
}
// readBodyWithoutConsuming extracts the GraphQL query from the body.
// When the body has been fully read, it is restored to the original request.
func readBodyWithoutConsuming(r *http.Request, maximumBodySize int) ([]byte, error) {
readSize := 1024
regexp := regexp.MustCompile(`"query"\s*:\s*("(?:query|mutation|subscription)?\s*(?:[A-Za-z_][A-Za-z0-9_]*)?\s*[{(].*)`)
limitedReader := &io.LimitedReader{
R: r.Body,
N: int64(maximumBodySize),
}
matchBuffer := make([]byte, 0, 2*readSize)
buffer := make([]byte, readSize)
var beginBody bytes.Buffer
var matchedBytes []byte
found := false
for {
n, err := limitedReader.Read(buffer)
if n > 0 {
beginBody.Write(buffer[:n])
if !found {
matchBuffer = append(matchBuffer, buffer[:n]...)
if len(matchBuffer) >= 2*readSize {
matchBuffer = matchBuffer[len(matchBuffer)-(2*readSize):]
}
matches := regexp.FindSubmatch(matchBuffer)
if len(matches) > 1 {
matchedBytes = matches[1]
found = true
}
}
}
if err == io.EOF {
break
}
if err != nil {
return nil, err
}
}
restBody, err := io.ReadAll(r.Body)
if err != nil {
return nil, err
}
r.Body = io.NopCloser(io.MultiReader(bytes.NewReader(beginBody.Bytes()), bytes.NewReader(restBody)))
return matchedBytes, nil
}
// parseGraphQLQuery returns a [GraphQLData] structure with information extracted from the body.
func parseGraphQLQuery(body string) *GraphQLData {
gqlData := &GraphQLData{
Count: 0,
Type: Query,
Name: "",
}
regex := regexp.MustCompile(`(?m)(?P<operationType>query|mutation|subscription)\s*(?P<operationName>[A-Za-z_][A-Za-z0-9_]*)?\s*[({@]`)
matches := regex.FindAllStringSubmatch(body, -1)
matchLength := len(matches)
if matchLength > 0 {
gqlData.Count = matchLength
firstMatch := matches[0]
operationTypeIndex := regex.SubexpIndex("operationType")
operationNameIndex := regex.SubexpIndex("operationName")
if operationTypeIndex != -1 && operationTypeIndex < len(firstMatch) {
gqlData.Type = OperationType(firstMatch[operationTypeIndex])
}
if operationNameIndex != -1 && operationNameIndex < len(firstMatch) {
gqlData.Name = firstMatch[operationNameIndex]
}
} else {
shorthandSyntaxRegex := regexp.MustCompile(`"(?:query|mutation|subscription)?\s*(?:[A-Za-z_][A-Za-z0-9_]*)?\s*[{]`)
shorthandMatches := shorthandSyntaxRegex.FindStringSubmatch(body)
gqlData.Count = len(shorthandMatches)
}
return gqlData
}
// getGraphQLData reads the body to extract the GraphQL query and parse it.
// An error is returned if
// - an error happened during the lecture of the body
// - the GraphQL query was not found
func getGraphQLData(r *http.Request, maximumBodySize int) (*GraphQLData, error) {
body, err := readBodyWithoutConsuming(r, maximumBodySize)
if err != nil {
return nil, fmt.Errorf("error while reading request body: %w", err)
}
if body == nil {
return nil, fmt.Errorf("query not found in the request body")
}
bodyStr := string(body)
return parseGraphQLQuery(bodyStr), nil
}
// getProtocol returns the protocol of the request.
// It uses the `X-Forwarded-Proto` header value if the value is correct (i.e. `http` or `https`).
// It checks the TLS field of the request afterwards.
func getProtocol(r *http.Request) string {
proto := "http"
xForwardedProto := r.Header.Get("X-Forwarded-Proto")
if strings.EqualFold(xForwardedProto, "http") || strings.EqualFold(xForwardedProto, "https") {
proto = xForwardedProto
} else if r.TLS != nil {
proto = "https"
}
return proto
}
// sortQueryParams returns the sorted query parameter's list.
func sortQueryParams(u *url.URL) string {
queryParams := u.Query()
sortedQuery := url.Values{}
for key, values := range queryParams {
sort.Strings(values)
sortedQuery[key] = values
}
u.RawQuery = queryParams.Encode()
u.Fragment = ""
return u.String()
}
// isMatchingReferrer checks that URL of the request is equal to the value of the `Referer` header.
// The `dd_referrer` query parameter is omitted from the request's URL.
func isMatchingReferrer(r *http.Request) (bool, error) {
fullURL := fmt.Sprintf("%s://%s%s", getProtocol(r), r.Host, getURL(r))
parsedUrl, err := url.Parse(fullURL)
if err != nil {
return false, fmt.Errorf("fail to parse request URL: %w", err)
}
queryParams := parsedUrl.Query()
queryParams.Del("dd_referrer")
parsedUrl.RawQuery = queryParams.Encode()
referer := r.Header.Get("Referer")
if referer == "" {
return false, nil
}
decodedReferer, err := url.QueryUnescape(referer)
if err != nil {
return false, fmt.Errorf("fail to decode referer header: %w", err)
}
parsedReferer, err := url.Parse(decodedReferer)
if err != nil {
return false, fmt.Errorf("fail to parse referer header: %w", err)
}
return sortQueryParams(parsedUrl) == sortQueryParams(parsedReferer), nil
}
// restoreReferrer replaces the value of the `Referer` header with the value of the `dd_referrer` query parameter.
// If the `dd_referrer` value is empty, the `Referer` header is deleted from the request.
func restoreReferrer(r *http.Request) error {
queryParams := r.URL.Query()
if queryParams.Has("dd_referrer") {
ddReferrer := queryParams.Get("dd_referrer")
if ddReferrer == "" {
r.Header.Del("Referer")
} else {
decodedReferrer, err := url.QueryUnescape(ddReferrer)
if err != nil {
return fmt.Errorf("fail to decoded dd_referrer query value: %w", err)
}
r.Header.Set("Referer", decodedReferrer)
}
queryParams.Del("dd_referrer")
r.URL.RawQuery = queryParams.Encode()
}
return nil
}