修复WAF的临时白名单被当做黑名单使用的Bug

internal/const/const.go

@@ -1,7 +1,7 @@
 package teaconst
 
 const (
-	Version = "0.3.5.2"
+	Version = "0.3.6"
 
 	ProductName = "Edge Node"
 	ProcessName = "edge-node"

internal/iplibrary/action_ipset.go

@@ -297,8 +297,9 @@ func (this *IPSetAction) runActionSingleIP(action string, listType IPListType, i
 	case "deleteItem":
 		args = append(args, "del")
 	}
+
+	args = append(args, listName, item.IpFrom)
 	if action == "addItem" {
-		args = append(args, listName, item.IpFrom)
 		timestamp := time.Now().Unix()
 		if item.ExpiredAt > timestamp {
 			args = append(args, "timeout", strconv.FormatInt(item.ExpiredAt-timestamp, 10))

internal/nodes/http_request.go

@@ -86,13 +86,21 @@ type HTTPRequest struct {
 // 初始化
 func (this *HTTPRequest) init() {
 	this.writer = NewHTTPWriter(this, this.RawWriter)
-	this.web = &serverconfigs.HTTPWebConfig{IsOn: true}
+	this.web = &serverconfigs.HTTPWebConfig{
+		IsOn: true,
+	}
+
 	// this.uri = this.RawReq.URL.RequestURI()
 	// 之所以不使用RequestURI()，是不想让URL中的Path被Encode
+	var urlPath = this.RawReq.URL.Path
+	if this.Server.Web != nil && this.Server.Web.MergeSlashes {
+		urlPath = utils.CleanPath(urlPath)
+		this.web.MergeSlashes = true
+	}
 	if len(this.RawReq.URL.RawQuery) > 0 {
-		this.uri = this.RawReq.URL.Path + "?" + this.RawReq.URL.RawQuery
+		this.uri = urlPath + "?" + this.RawReq.URL.RawQuery
 	} else {
-		this.uri = this.RawReq.URL.Path
+		this.uri = urlPath
 	}
 
 	this.rawURI = this.uri

internal/nodes/http_request_host_redirect.go

@@ -1,6 +1,7 @@
 package nodes
 
 import (
+	"github.com/TeaOSLab/EdgeNode/internal/utils"
 	"net/http"
 	"strconv"
 	"strings"
@@ -8,7 +9,11 @@ import (
 
 // 主机地址快速跳转
 func (this *HTTPRequest) doHostRedirect() (blocked bool) {
-	fullURL := this.requestScheme() + "://" + this.Host + this.RawReq.URL.Path
+	var urlPath = this.RawReq.URL.Path
+	if this.web.MergeSlashes {
+		urlPath = utils.CleanPath(urlPath)
+	}
+	fullURL := this.requestScheme() + "://" + this.Host + urlPath
 	for _, u := range this.web.HostRedirects {
 		if !u.IsOn {
 			continue

internal/utils/path.go

@@ -1,6 +1,6 @@
 package utils
 
-// 清理Path中的多余的字符
+// CleanPath 清理Path中的多余的字符
 func CleanPath(path string) string {
 	l := len(path)
 	if l == 0 {
@@ -9,6 +9,10 @@ func CleanPath(path string) string {
 	result := []byte{'/'}
 	isSlash := true
 	for i := 0; i < l; i++ {
+		if path[i] == '?' {
+			result = append(result, path[i:]...)
+			break
+		}
 		if path[i] == '\\' || path[i] == '/' {
 			if !isSlash {
 				isSlash = true
@@ -21,4 +25,3 @@ func CleanPath(path string) string {
 	}
 	return string(result)
 }
-

internal/utils/path_test.go

@@ -16,6 +16,11 @@ func TestCleanPath(t *testing.T) {
 	a.IsTrue(CleanPath("/hello////world") == "/hello/world")
 }
 
+func TestCleanPath_Args(t *testing.T) {
+	a := assert.NewAssertion(t)
+	a.IsTrue(CleanPath("/hello/world?base=///////") == "/hello/world?base=///////")
+}
+
 func BenchmarkCleanPath(b *testing.B) {
 	for i := 0; i < b.N; i++ {
 		_ = CleanPath("/hello///world/very/long/very//long")

internal/waf/ip_list.go

@@ -10,8 +10,15 @@ import (
 	"sync/atomic"
 )
 
-var SharedIPWhiteList = NewIPList()
-var SharedIPBlackList = NewIPList()
+var SharedIPWhiteList = NewIPList(IPListTypeAllow)
+var SharedIPBlackList = NewIPList(IPListTypeDeny)
+
+type IPListType = string
+
+const (
+	IPListTypeAllow IPListType = "allow"
+	IPListTypeDeny  IPListType = "deny"
+)
 
 const IPTypeAll = "*"
 
@@ -20,16 +27,18 @@ type IPList struct {
 	expireList *expires.List
 	ipMap      map[string]int64 // ip => id
 	idMap      map[int64]string // id => ip
+	listType   IPListType
 
 	id     int64
 	locker sync.RWMutex
 }
 
 // NewIPList 获取新对象
-func NewIPList() *IPList {
+func NewIPList(listType IPListType) *IPList {
 	var list = &IPList{
-		ipMap: map[string]int64{},
-		idMap: map[int64]string{},
+		ipMap:    map[string]int64{},
+		idMap:    map[int64]string{},
+		listType: listType,
 	}
 
 	e := expires.NewList()
@@ -67,20 +76,22 @@ func (this *IPList) Add(ipType string, scope firewallconfigs.FirewallScope, serv
 func (this *IPList) RecordIP(ipType string, scope firewallconfigs.FirewallScope, serverId int64, ip string, expiresAt int64, policyId int64, groupId int64, setId int64) {
 	this.Add(ipType, scope, serverId, ip, expiresAt)
 
-	select {
-	case recordIPTaskChan <- &recordIPTask{
-		ip:                            ip,
-		listId:                        firewallconfigs.GlobalListId,
-		expiredAt:                     expiresAt,
-		level:                         firewallconfigs.DefaultEventLevel,
-		serverId:                      serverId,
-		sourceServerId:                serverId,
-		sourceHTTPFirewallPolicyId:    policyId,
-		sourceHTTPFirewallRuleGroupId: groupId,
-		sourceHTTPFirewallRuleSetId:   setId,
-	}:
-	default:
+	if this.listType == IPListTypeDeny {
+		select {
+		case recordIPTaskChan <- &recordIPTask{
+			ip:                            ip,
+			listId:                        firewallconfigs.GlobalListId,
+			expiredAt:                     expiresAt,
+			level:                         firewallconfigs.DefaultEventLevel,
+			serverId:                      serverId,
+			sourceServerId:                serverId,
+			sourceHTTPFirewallPolicyId:    policyId,
+			sourceHTTPFirewallRuleGroupId: groupId,
+			sourceHTTPFirewallRuleSetId:   setId,
+		}:
+		default:
 
+		}
 	}
 }