/**
* (c) Timo Stark F5 Inc. Dec. 2021
*
*/
/**
 * Scans the request URI and all request headers for IOCs of CVE2021-44228.
 *
 * The inspected text is `r.variables.request_uri` followed by every raw
 * header rendered as `name--value`, concatenated with no further separator.
 *
 * @param {Object} r NGINX njs Request Object.
 * @return {string} `1` if an IOC was found, an empty string if nothing was found.
 */
function inspect(r) {
  // Each rawHeadersIn entry is joined with '--' so that both the header
  // name and the header value end up in the text that gets checked.
  const headerText = r.rawHeadersIn
    .map((pair) => pair.join('--'))
    .join('');

  // NOTE(review): $request_uri is the URI as sent by the client (not
  // percent-decoded), which is presumably why the IOC list carries encoded
  // variants as well.
  const haystack = `${r.variables.request_uri}${headerText}`;
  return checkIOCStrings(r, haystack);
}
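/**
 * Chooses the proxy target for a request after checking its body for IOCs of CVE2021-44228.
 *
 * Only POST and PUT requests have their body inspected; every other method is
 * sent to `r.variables.upstream` without a body check.
 *
 * @param {Object} r NGINX njs Request Object.
 * @return {string} `http://127.0.0.1:8999/` if an IOC was found or the body
 *   could not be inspected, otherwise the value of `r.variables.upstream`.
 */
function postBodyInspect(r) {
  // Presumably a local listener that rejects the request; confirm against
  // the nginx configuration that uses this function.
  const blockTarget = "http://127.0.0.1:8999/";

  // NOTE(review): bodies sent with other methods (for example PATCH) are not
  // inspected here; confirm that this matches what the upstream accepts.
  if (r.method !== "POST" && r.method !== "PUT") {
    return r.variables.upstream;
  }

  try {
    // NOTE(review): nginx only fills $request_body when the body was read
    // into a memory buffer. Confirm that client_body_buffer_size covers the
    // largest body the upstream accepts, otherwise such requests end up in
    // the catch branch below.
    return checkIOCStrings(r, r.variables.request_body)
      ? blockTarget
      : r.variables.upstream;
  } catch (e) {
    r.error(`POST Body inspection failed!`);
    // Fail closed: a body that could not be inspected must not reach the
    // upstream. Without an explicit return this path yielded undefined and
    // left the routing decision to how nginx treats that value.
    return blockTarget;
  }
}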
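/**
 * Internal function that checks a string against the list of IOC strings.
 *
 * Matching is case-insensitive: the input and the literal IOCs are compared
 * in lower case, because Log4j resolves lookup names regardless of case and
 * percent-encoded hex digits may be sent in either case.
 * The first matching IOC is logged through `r.error` and ends the scan.
 *
 * @param {Object} r NGINX njs Request Object.
 * @param {string} input String that could contain IOC Strings.
 * @return {string} `1` if an IOC was found, an empty string if nothing was found.
 * @throws {TypeError} If `input` is not a string. Callers rely on this to
 *   notice input that could not be inspected, so it is deliberately not
 *   turned into a "nothing found" result.
 */
function checkIOCStrings(r, input) {
  const iocList = [
    '${jndi:ldap:/',
    '${jndi:rmi:/',
    '${jndi:ldaps:/',
    '${jndi:dns:/',
    '/$%7bjndi:',
    '%24%7bjndi:',
    '$%7Bjndi:',
    '%2524%257Bjndi',
    '%2F%252524%25257Bjndi%3A',
    '${jndi:${lower:',
    '${::-j}${',
    '${jndi:nis',
    '${jndi:nds',
    '${jndi:corba',
    '${jndi:iiop',
    '${::-l}${::-d}${::-a}${::-p}',
    '${base64:JHtqbmRp',
    '/Basic/Command/Base64/',
    /\$\{\s*(j|\$?\{.+?\})/
  ];

  // Throws a TypeError for undefined/non-string input (see @throws above).
  const haystack = input.toLowerCase();

  for (let i = 0; i < iocList.length; i++) {
    const ioc = iocList[i];
    // Regular expressions and literal strings need different checks.
    // Passing a RegExp to String.prototype.includes throws a TypeError in
    // standard JavaScript, so the two kinds must never share a branch.
    const matched = ioc instanceof RegExp
      ? ioc.test(haystack)
      : haystack.includes(ioc.toLowerCase());

    if (matched) {
      r.error(`Found CVE2021-44228 IOC: ${ioc}. Request was blocked! From ${r.remoteAddress}`);
      // One hit is enough to block the request, so stop scanning.
      return "1";
    }
  }
  return "";
}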
// Entry points exposed to NGINX njs. checkIOCStrings is not exported and
// stays internal to this module.
export default {inspect, postBodyInspect};