Merge branch 'fix'

data/data.go

@@ -33,7 +33,7 @@ var (
 	// IsPrimary i.e. Is Primary Node
 	IsPrimary bool
 	// Version of JANUSEC
-	Version = "1.2.2"
+	Version = "1.2.3"
 	// NodeKey share with all nodes
 	NodeKey []byte
 )

firewall/cc.go

@@ -111,21 +111,6 @@ func GetCCPolicyRespByAppID(appID int64) (*models.CCPolicy, error) {
 // IsCCAttack to judge a request is CC attack, return IsCC, CCPolicy, ClientID, NeedLog
 func IsCCAttack(r *http.Request, app *models.Application, srcIP string) (bool, *models.CCPolicy, string, bool) {
 	isCC := false
-	/* v1.2.0 move to before CC check
-	if app.ClientIPMethod == models.IPMethod_REMOTE_ADDR {
-		// First check whether it has IP Policy
-		ipPolicy := GetIPPolicyByIPAddr(srcIP)
-		if ipPolicy != nil {
-			if ipPolicy.ApplyToCC {
-				if ipPolicy.IsAllow {
-					// Allow list, legal security testing
-					return false, nil, "", false
-				}
-				isCC = true
-			}
-		}
-	}
-	*/
 	ccPolicy := GetCCPolicyByAppID(app.ID)
 	if !ccPolicy.IsEnabled {
 		return false, nil, "", false

firewall/firewall.go

@@ -76,34 +76,6 @@ func UnEscapeRawValue(rawQuery string) string {
 
 // IsRequestHitPolicy ...
 func IsRequestHitPolicy(r *http.Request, appID int64, srcIP string) (bool, *models.GroupPolicy) {
-	// First Check IP Policy
-	ipPolicy := GetIPPolicyByIPAddr(srcIP)
-	if ipPolicy != nil {
-		if ipPolicy.ApplyToWAF {
-			var action models.PolicyAction
-			if ipPolicy.IsAllow {
-				// Allow list, legal security testing
-				action = models.Action_Pass_400
-			} else {
-				// Block list
-				action = models.Action_Block_100
-			}
-			groupPolicy := &models.GroupPolicy{
-				ID:          0,
-				Description: "IP Policy",
-				AppID:       appID,
-				VulnID:      vulnTypes[0].ID, // None
-				CheckItems:  nil,
-				HitValue:    0,
-				Action:      action,
-				IsEnabled:   true,
-			}
-			return true, groupPolicy
-		}
-	}
-
-	// Has not IP Policy, Continue
-
 	ctxMap := r.Context().Value(models.PolicyKey("groupPolicyHitValue")).(*sync.Map)
 
 	// ChkPoint_Host

gateway/gateway.go

@@ -116,6 +116,7 @@ func ReverseHandlerFunc(w http.ResponseWriter, r *http.Request) {
 				} else {
 					// Block IP 15 minutes
 					go firewall.AddIP2NFTables(srcIP, 900.0)
+					return
 				}
 			}
 		}
@@ -144,50 +145,51 @@ func ReverseHandlerFunc(w http.ResponseWriter, r *http.Request) {
 			}
 			// search engine, or authorization ok, continue
 		}
-
 	}
 
 	// Check CC
-	isCC, ccPolicy, clientID, needLog := firewall.IsCCAttack(r, app, srcIP)
-	if isCC {
-		targetURL := r.URL.Path
-		if len(r.URL.RawQuery) > 0 {
-			targetURL += "?" + r.URL.RawQuery
-		}
-		hitInfo := &models.HitInfo{TypeID: 1,
-			PolicyID:  ccPolicy.AppID,
-			VulnName:  "CC",
-			Action:    ccPolicy.Action,
-			ClientID:  clientID,
-			TargetURL: targetURL,
-			BlockTime: nowTimeStamp}
-		switch ccPolicy.Action {
-		case models.Action_Block_100:
-			if needLog {
-				go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
-			}
-			if app.ClientIPMethod == models.IPMethod_REMOTE_ADDR {
-				go firewall.AddIP2NFTables(srcIP, ccPolicy.BlockSeconds)
-			}
-			GenerateBlockPage(w, hitInfo)
-			return
-		case models.Action_BypassAndLog_200:
-			if needLog {
-				go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
+	if !isAllowIP {
+		isCC, ccPolicy, clientID, needLog := firewall.IsCCAttack(r, app, srcIP)
+		if isCC {
+			targetURL := r.URL.Path
+			if len(r.URL.RawQuery) > 0 {
+				targetURL += "?" + r.URL.RawQuery
 			}
-		case models.Action_CAPTCHA_300:
-			if needLog {
-				go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
+			hitInfo := &models.HitInfo{TypeID: 1,
+				PolicyID:  ccPolicy.AppID,
+				VulnName:  "CC",
+				Action:    ccPolicy.Action,
+				ClientID:  clientID,
+				TargetURL: targetURL,
+				BlockTime: nowTimeStamp}
+			switch ccPolicy.Action {
+			case models.Action_Block_100:
+				if needLog {
+					go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
+				}
+				if app.ClientIPMethod == models.IPMethod_REMOTE_ADDR {
+					go firewall.AddIP2NFTables(srcIP, ccPolicy.BlockSeconds)
+				}
+				GenerateBlockPage(w, hitInfo)
+				return
+			case models.Action_BypassAndLog_200:
+				if needLog {
+					go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
+				}
+			case models.Action_CAPTCHA_300:
+				if needLog {
+					go firewall.LogCCRequest(r, app.ID, srcIP, ccPolicy)
+				}
+				captchaHitInfo.Store(hitInfo.ClientID, hitInfo)
+				captchaURL := CaptchaEntrance + "?id=" + hitInfo.ClientID
+				http.Redirect(w, r, captchaURL, http.StatusTemporaryRedirect)
+				return
 			}
-			captchaHitInfo.Store(hitInfo.ClientID, hitInfo)
-			captchaURL := CaptchaEntrance + "?id=" + hitInfo.ClientID
-			http.Redirect(w, r, captchaURL, http.StatusTemporaryRedirect)
-			return
 		}
 	}
 
 	// WAF Check
-	if app.WAFEnabled {
+	if !isAllowIP && app.WAFEnabled {
 		if isHit, policy := firewall.IsRequestHitPolicy(r, app.ID, srcIP); isHit {
 			switch policy.Action {
 			case models.Action_Block_100:
@@ -682,7 +684,7 @@ func TestSMTP(r *http.Request) error {
 	}
 	defer r.Body.Close()
 	smtpSetting := smtpTestReq.Object
-	if len(data.NodeSetting.SMTP.AdminEmails)==0 {
+	if len(data.NodeSetting.SMTP.AdminEmails) == 0 {
 		data.NodeSetting.SMTP.AdminEmails = data.DAL.GetAppAdminEmails()
 	}
 	go utils.SendEmail(smtpSetting.SMTPServer,
@@ -693,4 +695,4 @@ func TestSMTP(r *http.Request) error {
 		"[JANUSEC] Test SMTP",
 		"This is a test email to application administrators.")
 	return nil
-}
+}

release_batch.sh

@@ -2,7 +2,7 @@ printf "Creating installation package\n"
 printf "Checklist:\n"
 printf "* Angular Admin Version Check. \n"
 printf "* Janusec Version Check. \n"
-version="1.2.2"
+version="1.2.3"
 printf "Version: ${version} \n"
 
 read -r -p "Are You Sure? [Y/n] " option