
Commit 463dee2

author
arshan.dabirsiaghi
committed
- fixed bug that prevented the block status code from being set (ESAPIWAF.java and RedirectAction.java)
- fixed a comment to be, well, understandable - fixed RestrictUserAgentTest to have proper expectations - removed a bean-shell-rule from waf-policy.xml (test file) that screwed up other tests
1 parent bb2b085 commit 463dee2

5 files changed

Lines changed: 46 additions & 20 deletions


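--- a/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
+++ b/src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
@@ -248,6 +248,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 if ( action.isActionNecessary() ) {
 
 if ( action instanceof BlockAction ) {
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
 
 } else if ( action instanceof RedirectAction ) {
@@ -258,8 +263,13 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
 switch ( AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
 case AppGuardianConfiguration.BLOCK:
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
-
+
 case AppGuardianConfiguration.REDIRECT:
 sendRedirect(response, httpResponse);
 return;
@@ -299,6 +309,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 if ( action.isActionNecessary() ) {
 
 if ( action instanceof BlockAction ) {
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
 
 } else if ( action instanceof RedirectAction ) {
@@ -309,6 +324,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
 switch ( AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
 case AppGuardianConfiguration.BLOCK:
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
 
 case AppGuardianConfiguration.REDIRECT:
@@ -346,6 +366,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 if ( action.isActionNecessary() ) {
 
 if ( action instanceof BlockAction ) {
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
 
 } else if ( action instanceof RedirectAction ) {
@@ -356,6 +381,11 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
 
 switch ( AppGuardianConfiguration.DEFAULT_FAIL_ACTION) {
 case AppGuardianConfiguration.BLOCK:
+if ( response != null ) {
+response.setStatus(appGuardConfig.getDefaultResponseCode());
+} else {
+httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
+}
 return;
 
 case AppGuardianConfiguration.REDIRECT: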
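Review bot: The five-line `if ( response != null ) … else …` status-setting block is pasted verbatim eight times across the BlockAction and DEFAULT_FAIL_ACTION BLOCK branches; the file already routes the redirect case through `sendRedirect(response, httpResponse)`, so the block case should get a matching private helper so the default response code is set in exactly one place. A second caveat for that helper: per the Servlet API, `setStatus()` is silently ignored once the response has been committed, so in the later stages (the hunks around new lines 309 and 366, which presumably run after the request body or response has been processed) a "block" may never reach the client — checking `isCommitted()` there and logging when the block could not be enforced would make that failure visible instead of silent. The enclosing doFilter method starts and ends outside these hunks.
```java
if ( action instanceof BlockAction ) {
    sendBlock(response, httpResponse);
    return;
// … unchanged: RedirectAction branch and DEFAULT_FAIL_ACTION switch; each BLOCK case gets the same one-line call …

/**
 * Sets the configured block status on whichever response object is in use.
 * Parameter types are assumed to match the existing sendRedirect(response, httpResponse).
 */
private void sendBlock(InterceptingHTTPServletResponse response, HttpServletResponse httpResponse) {
    if ( response != null ) {
        response.setStatus(appGuardConfig.getDefaultResponseCode());
    } else {
        httpResponse.setStatus(appGuardConfig.getDefaultResponseCode());
    }
}
```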

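--- a/src/main/java/org/owasp/esapi/waf/actions/RedirectAction.java
+++ b/src/main/java/org/owasp/esapi/waf/actions/RedirectAction.java
@@ -35,15 +35,5 @@ public String getRedirectURL() {
 return this.url;
 }
 
-public boolean failedRule() {
-
-return false;
-}
-
-public boolean isActionNecessary() {
-
-return false;
-}
-
 
 }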

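--- a/src/main/java/org/owasp/esapi/waf/rules/RestrictUserAgentRule.java
+++ b/src/main/java/org/owasp/esapi/waf/rules/RestrictUserAgentRule.java
@@ -64,13 +64,16 @@ public Action check(HttpServletRequest request, InterceptingHTTPServletResponse
 log(request, "Disallowed user agent pattern '" + deny.pattern() + "' found in user agent '" + request.getHeader(USER_AGENT_HEADER) + "'");
 
 /*
-* If we don't force this to "block", the user will infinitely blocking our bandwidth.
+* If we don't force this to "block", the user will be in an infinite loop, possibly
+* eating our bandwidth, and in the case of a dread false positive, really piss them
+* off.
+*
 * Better to just reject.
 */
 if ( AppGuardianConfiguration.DEFAULT_FAIL_ACTION == AppGuardianConfiguration.REDIRECT ) {
 return new BlockAction();
 }
-
+
 return new DefaultAction();
 }
 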
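Review bot: The rewritten comment at new lines 67–70 is informal ("really piss them off") for a security library and still does not say why a redirect would loop, which is the point a maintainer needs before changing the override below it. Suggest replacing those four lines with a comment along the lines of: `Force a block even when the configured fail action is REDIRECT: the redirect target would presumably be requested with the same User-Agent, so this rule would deny it again and the client would loop, wasting bandwidth and, on a false positive, locking out a legitimate user.` The `Better to just reject.` line can then stay as the conclusion. The enclosing check() method starts outside the hunk.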

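--- a/src/test/java/org/owasp/esapi/waf/RestrictUserAgentTest.java
+++ b/src/test/java/org/owasp/esapi/waf/RestrictUserAgentTest.java
@@ -20,19 +20,22 @@
 import junit.framework.TestSuite;
 
 public class RestrictUserAgentTest extends WAFTestCase {
+
 public static TestSuite suite() {
 return new TestSuite(RestrictUserAgentTest.class);
 }
 
 public void testBadUserAgent() throws Exception {
+
 request.addHeader("User-Agent","GoogleBot");
 
 WAFTestUtility.createAndExecuteWAFTransaction( "waf-policies/restrict-user-agent-policy.xml", request, response );
-
-assert(response.getStatus() == HttpServletResponse.SC_MOVED_PERMANENTLY);
+
+assert(response.getStatus() == 403);
 }
 
 public void testGoodUserAgent() throws Exception {
+
 request.addHeader("User-Agent","MSIE NT Compatible");
 
 WAFTestUtility.createAndExecuteWAFTransaction( "waf-policies/restrict-user-agent-policy.xml", request, response );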
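Review bot: The new assertion at line 34, `assert(response.getStatus() == 403);`, is a Java `assert` statement, which the JVM skips unless it is started with `-ea`, so under a default JUnit run this test passes even if the WAF never sets the block status — the very bug this commit fixes. The file already uses JUnit (`TestSuite` import, and WAFTestCase is presumably a `TestCase`), so use the framework assertion instead: `assertEquals(HttpServletResponse.SC_FORBIDDEN, response.getStatus());`. The bare `403` also duplicates whatever `appGuardConfig.getDefaultResponseCode()` returns in the filter; the `SC_FORBIDDEN` constant at least documents the intent, and reading the configured default would keep the test in step with the policy. testGoodUserAgent continues past the end of the hunk.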

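--- a/src/test/resources/.esapi/waf-policy.xml
+++ b/src/test/resources/.esapi/waf-policy.xml
@@ -55,11 +55,11 @@
 
 
 <bean-shell-rules>
-<bean-shell-script
-id="example1"
-file="waf-policies/bean-shell-rule.bsh"
-stage="before-request-body"/>
-
+<!-- <bean-shell-script
+id="example1"
+file="waf-policies/bean-shell-rule.bsh"
+stage="before-request-body"/>
+-->
 </bean-shell-rules>
 
 <!--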
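Review bot: The `<bean-shell-script>` stanza is commented out at new lines 58–62 with no reason recorded, so the next reader cannot tell whether it is safe to re-enable; the commit message says it broke other tests, and that should travel with the file, e.g. `<!-- example1 disabled: loading waf-policies/bean-shell-rule.bsh interferes with the other tests that share this policy -->`. Alternatively delete the stanza outright and keep a bean-shell example only in a rule-specific policy under waf-policies/, since a bean-shell rule executes a script file named by the policy and is better exercised in isolation.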
