scubbing: fix the waf metadata scrubbing

Julio Guerra · web-flow · commit 897eb376247f · 2020-07-24T12:25:12.000+02:00
Change the scrubbing function of the WAF metadata to sanitize substrings and not
only the full string value.
diff --git a/internal/backend/api/api.go b/internal/backend/api/api.go
@@ -6,6 +6,7 @@ package api
 
 import (
 	"encoding/json"
+	"strings"
 	"time"
 
 	"github.com/sqreen/go-agent/internal/sqlib/sqsanitize"
@@ -451,12 +452,17 @@ func (i *WAFAttackInfo) Scrub(scrubber *sqsanitize.Scrubber, info sqsanitize.Inf
 	redactedString := scrubber.RedactedValueMask()
 	for e := range wafInfo {
 		for f := range wafInfo[e].Filter {
-			if info.Contains(wafInfo[e].Filter[f].ResolvedValue) {
-				wafInfo[e].Filter[f].ResolvedValue = redactedString
-				if wafInfo[e].Filter[f].MatchStatus != "" {
-					wafInfo[e].Filter[f].MatchStatus = redactedString
+			for v := range info {
+				resolvedValue := wafInfo[e].Filter[f].ResolvedValue
+				newStr := strings.ReplaceAll(resolvedValue, v, redactedString)
+				if newStr != resolvedValue {
+					// The string was changed
+					wafInfo[e].Filter[f].ResolvedValue = newStr
+					if wafInfo[e].Filter[f].MatchStatus != "" {
+						wafInfo[e].Filter[f].MatchStatus = strings.ReplaceAll(wafInfo[e].Filter[f].MatchStatus, v, redactedString)
+					}
+					scrubbed = true
 				}
-				scrubbed = true
 			}
 		}
 	}
diff --git a/internal/backend/api/json_test.go b/internal/backend/api/json_test.go
@@ -220,7 +220,7 @@ func TestCustomScrubber(t *testing.T) {
 						OperatorValue:   "trigger",
 						BindingAccessor: "#.request_params",
 						ResolvedValue:   expectedMask,
-						MatchStatus:     expectedMask,
+						MatchStatus:     "forbidden",
 					},
 				},
 			},
diff --git a/internal/sqlib/sqsanitize/sanitize.go b/internal/sqlib/sqsanitize/sanitize.go
@@ -236,6 +236,9 @@ func (s *Scrubber) scrubMap(v reflect.Value, info Info) (scrubbed bool) {
 		// When the current value is an interface value, we scrub its underlying
 		// value.
 		if hasInterfaceValueType {
+			if val.IsNil() {
+				continue
+			}
 			val = val.Elem()
 			valT = val.Type()
 		}
@@ -337,14 +340,6 @@ func (i Info) Add(value string) {
 	i[value] = struct{}{}
 }
 
-func (i Info) Contains(value string) bool {
-	if len(i) == 0 {
-		return false
-	}
-	_, exists := i[value]
-	return exists
-}
-
 func (i Info) Append(info Info) {
 	if i == nil || len(info) == 0 {
 		return
diff --git a/internal/sqlib/sqsanitize/sanitize_test.go b/internal/sqlib/sqsanitize/sanitize_test.go
@@ -935,6 +935,14 @@ func TestScrubber(t *testing.T) {
 						},
 						"e":      33,
 						"passwd": []interface{}{"everything", randString},
+						"g":      nil,
+						"h":      (*string)(nil),
+						"i":      []interface{}{nil},
+						"j":      []interface{}{(*string)(nil)},
+						"password": map[string]interface{}{
+							"a": nil,
+							"b": []interface{}{nil},
+						},
 					}
 				},
 				expected: expectedValues{
@@ -948,6 +956,14 @@ func TestScrubber(t *testing.T) {
 						},
 						"e":      33,
 						"passwd": []interface{}{expectedMask, randString},
+						"g":      nil,
+						"h":      (*string)(nil),
+						"i":      []interface{}{nil},
+						"j":      []interface{}{(*string)(nil)},
+						"password": map[string]interface{}{
+							"a": nil,
+							"b": []interface{}{nil},
+						},
 					},
 					withKeyRE: map[string]interface{}{
 						"apikey": expectedMask,
@@ -959,6 +975,14 @@ func TestScrubber(t *testing.T) {
 						},
 						"e":      33,
 						"passwd": []interface{}{expectedMask, expectedMask},
+						"g":      nil,
+						"h":      (*string)(nil),
+						"i":      []interface{}{nil},
+						"j":      []interface{}{(*string)(nil)},
+						"password": map[string]interface{}{
+							"a": nil,
+							"b": []interface{}{nil},
+						},
 					},
 					withBothRE: map[string]interface{}{
 						"apikey": expectedMask,
@@ -970,6 +994,14 @@ func TestScrubber(t *testing.T) {
 						},
 						"e":      33,
 						"passwd": []interface{}{expectedMask, expectedMask},
+						"g":      nil,
+						"h":      (*string)(nil),
+						"i":      []interface{}{nil},
+						"j":      []interface{}{(*string)(nil)},
+						"password": map[string]interface{}{
+							"a": nil,
+							"b": []interface{}{nil},
+						},
 					},
 					withBothDisabled: map[string]interface{}{
 						"apikey": randString,
@@ -981,6 +1013,14 @@ func TestScrubber(t *testing.T) {
 						},
 						"e":      33,
 						"passwd": []interface{}{"everything", randString},
+						"g":      nil,
+						"h":      (*string)(nil),
+						"i":      []interface{}{nil},
+						"j":      []interface{}{(*string)(nil)},
+						"password": map[string]interface{}{
+							"a": nil,
+							"b": []interface{}{nil},
+						},
 					},
 				},
 			},
