/// <summary>
/// 網址參數內容是否有效
/// </summary>
public bool IsQueryStringValueValid(string execFilePath, NameValueCollection queryString)
{
if (queryString == null || queryString.Count == 0)
{
return(true);
}
//建立參數過濾物件
//特殊頁面參數過濾
SpecificPageParamFilter specificPageParam = new SpecificPageParamFilter();
//非字串參數過濾
NonStringParamFilter nonStringParam = new NonStringParamFilter();
// 指定參數名單
nonStringParam.SetIntParamList(intParams);
nonStringParam.SetGuidParamList(guidParams);
//有限制長度的字串參數過濾
LimitedStringParamFilter limitedStringParam = new LimitedStringParamFilter();
// 指定參數名稱與內容長度對照表
limitedStringParam.SetParamValueLenLookup(paramValueLenLookup);
//規則表達式黑名單過濾
RegexParamFilter regexParam = new RegexParamFilter();
regexParam.SetBlacklistPatterns(blacklistPatterns);
//SQL Injection 過濾
SQLInjectionFilterExt sqlInjection1 = new SQLInjectionFilterExt();
//用 HtmlDecode 解碼參數內容
HtmlDecodeParamValue htmlDecodeValue = new HtmlDecodeParamValue();
//黑名單關鍵字過濾
BlacklistKeywordFilter blacklistKw = new BlacklistKeywordFilter();
// 指定黑名單
blacklistKw.SetBlacklistKeywords(blacklistKeywords);
//SQL Injection過濾
SQLInjectionFilterExt sqlInjection2 = new SQLInjectionFilterExt();
//建立檢查順序
ParamFilter chainOfResponsibility = specificPageParam;
specificPageParam.SetSuccessor(nonStringParam);
nonStringParam.SetSuccessor(limitedStringParam);
limitedStringParam.SetSuccessor(regexParam);
regexParam.SetSuccessor(sqlInjection1);
sqlInjection1.SetSuccessor(htmlDecodeValue);
htmlDecodeValue.SetSuccessor(blacklistKw);
blacklistKw.SetSuccessor(sqlInjection2);
//開始檢查
logger.Debug("checking queryString.Keys");
foreach (string key in queryString.Keys)
{
if (key == null || queryString[key] == null || queryString[key].Length == 0)
{
logger.DebugFormat("skip key[{0}]", key);
continue;
}
//檢查參數名稱
if (Regex.IsMatch(key, "[\"']"))
{
logger.InfoFormat("key[{0}] Failed!", key);
return(false);
}
//參數內容是否有效
ParamFilter.ParamInfo paramInfo = new ParamFilter.ParamInfo()
{
Key = key,
Value = queryString[key],
ExecFilePath = execFilePath
};
if (!chainOfResponsibility.HandleRequest(paramInfo))
{
return(false);
}
}
return(true);
}
/// <summary>
/// POST參數內容是否有效
/// </summary>
public bool IsPostValueValid(string execFilePath, NameValueCollection requestForm)
{
if (requestForm == null || requestForm.Count == 0)
{
return(true);
}
//建立參數過濾物件
//針對 Acunetix 送來的 Post 參數過濾
ForAcunetixPostParamFilter forAcunetix = new ForAcunetixPostParamFilter();
//特殊頁面參數過濾
SpecificPageParamFilter specificPageParam = new SpecificPageParamFilter();
//非字串參數過濾
NonStringParamFilter nonStringParam = new NonStringParamFilter();
// 指定參數名單
nonStringParam.SetIntParamList(intParams);
nonStringParam.SetGuidParamList(guidParams);
//有限制長度的字串參數過濾
LimitedStringParamFilter limitedStringParam = new LimitedStringParamFilter();
// 指定參數名稱與內容長度對照表
limitedStringParam.SetParamValueLenLookup(paramValueLenLookup);
//規則表達式黑名單過濾
RegexParamFilter regexParam = new RegexParamFilter();
regexParam.SetBlacklistPatterns(blacklistPatterns);
//用 HtmlDecode 解碼參數內容
HtmlDecodeParamValue htmlDecodeValue = new HtmlDecodeParamValue();
//SQL Injection過濾
SQLInjectionFilterExt sqlInjection1 = new SQLInjectionFilterExt();
//用 UrlDecode 解碼參數內容
UrlDecodeParamValue urlDecodeValue = new UrlDecodeParamValue();
//黑名單關鍵字過濾
BlacklistKeywordFilter blacklistKw = new BlacklistKeywordFilter();
// 指定黑名單
blacklistKw.SetBlacklistKeywords(blacklistKeywords);
//SQL Injection過濾
SQLInjectionFilterExt sqlInjection2 = new SQLInjectionFilterExt();
//建立檢查順序
ParamFilter chainOfResponsibility = forAcunetix;
forAcunetix.SetSuccessor(specificPageParam);
specificPageParam.SetSuccessor(regexParam);
regexParam.SetSuccessor(htmlDecodeValue);
htmlDecodeValue.SetSuccessor(sqlInjection1);
sqlInjection1.SetSuccessor(urlDecodeValue);
urlDecodeValue.SetSuccessor(blacklistKw);
blacklistKw.SetSuccessor(sqlInjection2);
//開始檢查
logger.Debug("checking requestForm.Keys");
foreach (string key in requestForm.Keys)
{
if (key == null || requestForm[key] == null || requestForm[key].Length == 0)
{
logger.DebugFormat("skip key[{0}]", key);
continue;
}
if (key.StartsWith("__"))
{
logger.DebugFormat("skip key[{0}]", key);
continue;
}
//參數內容是否有效
ParamFilter.ParamInfo paramInfo = new ParamFilter.ParamInfo()
{
Key = key,
Value = requestForm[key],
ExecFilePath = execFilePath
};
if (!chainOfResponsibility.HandleRequest(paramInfo))
{
return(false);
}
}
return(true);
}
/// <summary>
/// POST參數內容是否有效
/// </summary>
public bool IsPostValueValid(string execFilePath, NameValueCollection requestForm)
{
if (requestForm == null || requestForm.Count == 0)
{
return(true);
}
bool useSimplifedChain = true;
string lowerFileName = execFilePath.ToLower();
if (lowerFileName == "login.aspx" ||
lowerFileName == "psw-change.aspx" ||
lowerFileName == "psw-require.aspx" ||
lowerFileName == "captcha.ashx" ||
lowerFileName == "errorpage.aspx"
)
{
useSimplifedChain = false;
}
//規則表達式黑名單過濾
RegexParamFilter regexParam = new RegexParamFilter();
regexParam.SetBlacklistPatterns(blacklistPatterns);
//黑名單關鍵字過濾
BlacklistKeywordFilter blacklistKw = new BlacklistKeywordFilter();
// 指定黑名單
blacklistKw.SetBlacklistKeywords(blacklistKeywords);
// 指定黑名單關鍵字在特定頁面中要允許的白名單
blacklistKw.SetWhitelistOfBlacklistKeywords(whitelistOfBlacklistKeywords);
//建立檢查順序
ParamFilter chainOfResponsibility = null;
if (useSimplifedChain)
{
//簡易版參數過濾規則
chainOfResponsibility = regexParam;
regexParam.SetSuccessor(blacklistKw);
}
else
{
//針對 Acunetix 送來的 Post 參數過濾
ForAcunetixPostParamFilter forAcunetix = new ForAcunetixPostParamFilter();
//特殊頁面參數過濾
SpecificPageParamFilter specificPageParam = new SpecificPageParamFilter();
//用 HtmlDecode 解碼參數內容
HtmlDecodeParamValue htmlDecodeValue = new HtmlDecodeParamValue();
//SQL Injection過濾
SQLInjectionFilterExt sqlInjection1 = new SQLInjectionFilterExt();
//用 UrlDecode 解碼參數內容
UrlDecodeParamValue urlDecodeValue = new UrlDecodeParamValue();
//SQL Injection過濾
SQLInjectionFilterExt sqlInjection2 = new SQLInjectionFilterExt();
chainOfResponsibility = forAcunetix;
forAcunetix.SetSuccessor(specificPageParam);
specificPageParam.SetSuccessor(regexParam);
regexParam.SetSuccessor(htmlDecodeValue);
htmlDecodeValue.SetSuccessor(sqlInjection1);
sqlInjection1.SetSuccessor(urlDecodeValue);
urlDecodeValue.SetSuccessor(blacklistKw);
blacklistKw.SetSuccessor(sqlInjection2);
}
//開始檢查
logger.Debug("checking requestForm.Keys");
foreach (string key in requestForm.Keys)
{
if (key == null || requestForm[key] == null || requestForm[key].Length == 0)
{
logger.DebugFormat("skip key[{0}]", key);
continue;
}
if (key.StartsWith("__"))
{
logger.DebugFormat("skip key[{0}]", key);
continue;
}
//參數內容是否有效
ParamFilter.ParamInfo paramInfo = new ParamFilter.ParamInfo()
{
Key = key,
Value = requestForm[key],
ExecFilePath = execFilePath
};
if (!chainOfResponsibility.HandleRequest(paramInfo))
{
return(false);
}
}
return(true);
}
