Merge pull request #3187 from DesmondHoLLM/feature/annotations-resty-lua

UPT: annotation enhancement for resty-lua-waf
2018-10-25 00:06:03 -07:00 · 2018-10-25 00:06:03 -07:00 · 063f652711
commit 063f652711
parent 464f579f44 bf03046a80
5 changed files with 156 additions and 17 deletions
--- a/test/e2e/annotations/luarestywaf.go
+++ b/test/e2e/annotations/luarestywaf.go
@ -65,6 +65,71 @@ var _ = framework.IngressNginxDescribe("Annotations - lua-resty-waf", func() {
 			Expect(len(errs)).Should(Equal(0))
 			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 		})
+		It("should apply the score threshold", func() {
+			host := "foo"
+			createIngress(f, host, "http-svc", 80, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf":                 "active",
+				"nginx.ingress.kubernetes.io/lua-resty-waf-score-threshold": "20"})
+
+			url := fmt.Sprintf("%s?msg=<A href=\"http://mysite.com/\">XSS</A>", f.IngressController.HTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		})
+		It("should not reject request with an unknown content type", func() {
+			host := "foo"
+			contenttype := "application/octet-stream"
+			createIngress(f, host, "http-svc", 80, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf-allow-unknown-content-types": "true",
+				"nginx.ingress.kubernetes.io/lua-resty-waf":                             "active"})
+
+			url := fmt.Sprintf("%s?msg=my-message", f.IngressController.HTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				Set("Content-Type", contenttype).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		})
+		It("should not fail a request with multipart content type when multipart body processing disabled", func() {
+			contenttype := "multipart/form-data; boundary=alamofire.boundary.3fc2e849279e18fc"
+			host := "foo"
+			createIngress(f, host, "http-svc", 80, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf-process-multipart-body": "false",
+				"nginx.ingress.kubernetes.io/lua-resty-waf":                        "active"})
+
+			url := fmt.Sprintf("%s?msg=my-message", f.IngressController.HTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				Set("Content-Type", contenttype).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		})
+		It("should fail a request with multipart content type when multipart body processing enabled by default", func() {
+			contenttype := "multipart/form-data; boundary=alamofire.boundary.3fc2e849279e18fc"
+			host := "foo"
+			createIngress(f, host, "http-svc", 80, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf": "active"})
+
+			url := fmt.Sprintf("%s?msg=my-message", f.IngressController.HTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				Set("Content-Type", contenttype).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusBadRequest))
+		})
 		It("should apply configured extra rules", func() {
 			host := "foo"
 			createIngress(f, host, "http-svc", 80, map[string]string{