├── .gitignore
├── .github
    ├── PULL_REQUEST_TEMPLATE.md
    ├── ISSUE_TEMPLATE.md
    └── CONTRIBUTING.md
├── .travis.yml
├── gowafp_test.go
├── LICENSE
├── README.md
└── gowafp.go


/.gitignore:
--------------------------------------------------------------------------------
1 | main.exe
2 | main
3 | misc/
4 | 


--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | Please reference the issue number in your pull request.
2 | 


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | language: go
2 | go:
3 |     - 1.8
4 |     - 1.9
5 | before_install:
6 |     - go get github.com/microcosm-cc/bluemonday
7 |     - go get github.com/tomasen/fcgi_client
8 | script: go test
9 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | Replace this text with a brief description of what you hope to achieve by
2 | opening this issue. Don't worry about making it perfect :)
3 | 
4 | Please feel free to use lists, add code, screenshots, links, and anything else
5 | you think will assist us in understanding.
6 | 


--------------------------------------------------------------------------------
/.github/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | All help is welcome! If you want to write tests, add features, or help in
 4 | another way, feel free to do so.
 5 | 
 6 | ## Issues
 7 | 
 8 | We'll use Issues to keep track of feature requests, bugs, and other ideas. Don't
 9 | be afraid to open a issue about anything, as long as it is somewhat related to
10 | this repo.
11 | 
12 | ## Pull Requests
13 | 
14 | If you create an issue, then want to contribute code, please open a pull request
15 | and mention the issue #. If you're adding a new code, please make sure it is
16 | tested, unless you need help with that part; then let us know.
17 | 


--------------------------------------------------------------------------------
/gowafp_test.go:
--------------------------------------------------------------------------------
 1 | package gowafp
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | 	"testing"
 6 | )
 7 | 
 8 | func TestPossibleSqlInjection(t *testing.T) {
 9 | 	result := possibleSqlInjection("1'or'1'='1")
10 | 	if result != true {
11 | 		t.Error("Possible SQL Injection failed")
12 | 	}
13 | }
14 | 
15 | func TestPhpHandler(t *testing.T) {
16 | 	phpHandler := PhpHandler("/app/index.php", "tcp", "127.0.0.1:9000")
17 | 	_, ok := phpHandler.(http.Handler)
18 | 	if !ok {
19 | 		t.Error("Not a http handler")
20 | 	}
21 | }
22 | 
23 | func TestAnalyzeRequest(t *testing.T) {
24 | 	handler := AnalyzeRequest(PhpHandler("/app/index.php", "tcp", "127.0.0.1:9000"))
25 | 	_, ok := handler.(http.Handler)
26 | 	if !ok {
27 | 		t.Error("Not a http handler")
28 | 	}
29 | }
30 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 Levi Durfee
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # gowafp
 2 | 
 3 | [![Build Status](https://travis-ci.org/levidurfee/gowafp.svg?branch=master)](https://travis-ci.org/levidurfee/gowafp)
 4 | 
 5 | A Go WAF (Web Application Firewall) that sits between your webserver (nginx)
 6 | and your FastCGI application.
 7 | 
 8 | nginx <- (tcp) -> gowafp <- (FastCGI) -> PHP-FPM
 9 | 
10 | The goal of this package is to prevent any attacks from reaching the FastCGI
11 | application. It should block all
12 | [SQL injection](https://www.owasp.org/index.php/SQL_Injection)
13 | attempts and filter
14 | [XSS](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
15 | attempts.
16 | Maybe down the road it could also handle
17 | [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
18 | 
19 | The Application and the Web Application Firewall should not be on different
20 | servers. While the services out there do a good job, they're expensive and
21 | slower. Of course, you could recompile your web server with some additional
22 | features, but that is harder to deploy while scaling.
23 | 
24 | ## usage
25 | 
26 | First, you need to have Go get the repo.
27 | 
28 | ```Shell
29 | go get github.com/levidurfee/gowafp
30 | ```
31 | 
32 | Below is simple `main.go` example.
33 | 
34 | ```Go
35 | package main
36 | 
37 | import (
38 | 	"github.com/levidurfee/gowafp"
39 | 	"log"
40 | 	"net/http"
41 | )
42 | 
43 | func main() {
44 | 	http.Handle("/", gowafp.AnalyzeRequest(gowafp.PhpHandler("/app/index.php", "tcp", "127.0.0.1:9000")))
45 | 
46 | 	log.Fatal(http.ListenAndServe(":8080", nil))
47 | }
48 | ```
49 | 
50 | Then build and run it.
51 | 
52 | ```Shell
53 | go build main.go
54 | ./main
55 | ```
56 | 


--------------------------------------------------------------------------------
/gowafp.go:
--------------------------------------------------------------------------------
 1 | package gowafp
 2 | 
 3 | import (
 4 | 	"github.com/microcosm-cc/bluemonday"
 5 | 	"github.com/tomasen/fcgi_client"
 6 | 	"io/ioutil"
 7 | 	"log"
 8 | 	"net/http"
 9 | 	"regexp"
10 | 	"strings"
11 | )
12 | 
13 | // AnalyzeRequest will filter any attempt at XSS and analyze the request for
14 | // other attacks.
15 | func AnalyzeRequest(next http.Handler) http.Handler {
16 | 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
17 | 		p := bluemonday.UGCPolicy()
18 | 		r.ParseForm()
19 | 		for k, v := range r.Form {
20 | 			unSanitized := strings.Join(v, "")            // @TODO check this
21 | 			r.Form[k] = []string{p.Sanitize(unSanitized)} // @TODO check this
22 | 			if possibleSqlInjection(unSanitized) {
23 | 				return
24 | 			}
25 | 			// @TODO check if the input had malicious code and log it
26 | 		}
27 | 		next.ServeHTTP(w, r)
28 | 	})
29 | }
30 | 
31 | // PhpHandler is a net/http Handler that starts the process for passing
32 | // the request to PHP-FPM.
33 | func PhpHandler(script string, protocol string, address string) http.Handler {
34 | 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
35 | 		env := make(map[string]string)
36 | 		env["SCRIPT_FILENAME"] = script
37 | 
38 | 		fcgi, err := fcgiclient.Dial(protocol, address)
39 | 		defer fcgi.Close()
40 | 
41 | 		if err != nil {
42 | 			log.Println("err:", err)
43 | 		}
44 | 
45 | 		if r.Method == "POST" {
46 | 			phpPost(env, fcgi, w, r)
47 | 
48 | 			return
49 | 		}
50 | 
51 | 		phpGet(env, fcgi, w)
52 | 	})
53 | }
54 | 
55 | // phpPost is called when the user submits a POST request to the website.
56 | func phpPost(env map[string]string, f *fcgiclient.FCGIClient, w http.ResponseWriter, r *http.Request) {
57 | 	r.ParseForm()
58 | 	resp, err := f.PostForm(env, r.Form)
59 | 	if err != nil {
60 | 		log.Println("Post Err:", err)
61 | 	}
62 | 	phpProcessResponse(resp, w)
63 | }
64 | 
65 | // phpGet is called when a user visits any page and submits a GET request to the
66 | // website.
67 | func phpGet(env map[string]string, f *fcgiclient.FCGIClient, w http.ResponseWriter) {
68 | 	resp, err := f.Get(env)
69 | 	if err != nil {
70 | 		log.Println("Get Err:", err)
71 | 	}
72 | 	phpProcessResponse(resp, w)
73 | }
74 | 
75 | // phpProcessResponse is used by phpPost and phpGet to write the response back
76 | // to the user's browser.
77 | func phpProcessResponse(resp *http.Response, w http.ResponseWriter) {
78 | 	content, err := ioutil.ReadAll(resp.Body)
79 | 	if err != nil {
80 | 		log.Println("err:", err)
81 | 	}
82 | 
83 | 	w.Write(content)
84 | }
85 | 
86 | func possibleSqlInjection(value string) bool {
87 | 	r, _ := regexp.Compile(`\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))`)
88 | 	return r.MatchString(value)
89 | }
90 | 


--------------------------------------------------------------------------------