PageRenderTime 32ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/wp-content/plugins/wordfence/views/waf/debug.php

https://gitlab.com/edgarze188/sunrise
PHP | 225 lines | 199 code | 22 blank | 4 comment | 11 complexity | c40ca285d88d4761c65f26ef0b7f2362 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /** @var wfRequestModel $hit */
    4. 

  4. /** @var stdClass $hitData */
    5. 

  5. 

  6. $title = sprintf('Debugging #%d as False Positive', $hit->id);
    7. 

  7. 

  8. $fields = array(
    9. 

  9. 	'URL'         => $hit->URL,
    10. 

  10. 	'Timestamp'   => date('r', $hit->ctime),
    11. 

  11. 	'IP'          => wfUtils::inet_ntop($hit->IP),
    12. 

  12. 	'Status Code' => $hit->statusCode,
    13. 

  13. 	'User Agent'  => $hit->UA,
    14. 

  14. 	'Referer'     => $hit->referer,
    15. 

  15. );
    16. 

  16. 

  17. if (isset($hitData->fullRequest)) {
    18. 

  18. 	$requestString = base64_decode($hitData->fullRequest);
    19. 

  19. 	$request = wfWAFRequest::parseString($requestString);
    20. 

  20. } else {
    21. 

  21. 	$request = new wfWAFRequest();
    22. 

  22. 	$request->setAuth(array());
    23. 

  23. 	$request->setBody(array());
    24. 

  24. 	$request->setCookies(array());
    25. 

  25. 	$request->setFileNames(array());
    26. 

  26. 	$request->setFiles(array());
    27. 

  27. 	$request->setHeaders(array());
    28. 

  28. 	$request->setHost('');
    29. 

  29. 	$request->setIp('');
    30. 

  30. 	$request->setMethod('GET');
    31. 

  31. 	$request->setPath('');
    32. 

  32. 	$request->setProtocol('http');
    33. 

  33. 	$request->setQueryString(array());
    34. 

  34. 	$request->setTimestamp('');
    35. 

  35. 	$request->setUri('');
    36. 

  36. 

  37. 	$headers = array();
    38. 

  38. 	$urlPieces = parse_url($hit->URL);
    39. 

  39. 	if ($urlPieces) {
    40. 

  40. 		if (array_key_exists('scheme', $urlPieces)) {
    41. 

  41. 			$request->setProtocol($urlPieces['scheme']);
    42. 

  42. 		}
    43. 

  43. 		if (array_key_exists('host', $urlPieces)) {
    44. 

  44. 			$request->setHost($urlPieces['host']);
    45. 

  45. 			$headers['Host'] = $urlPieces['host'];
    46. 

  46. 		}
    47. 

  47. 		$uri = '/';
    48. 

  48. 		if (array_key_exists('path', $urlPieces)) {
    49. 

  49. 			$request->setPath($urlPieces['path']);
    50. 

  50. 			$uri = $urlPieces['path'];
    51. 

  51. 		}
    52. 

  52. 		if (array_key_exists('query', $urlPieces)) {
    53. 

  53. 			$uri .= '?' . $urlPieces['query'];
    54. 

  54. 			parse_str($urlPieces['query'], $query);
    55. 

  55. 			$request->setQueryString($query);
    56. 

  56. 		}
    57. 

  57. 		$request->setUri($uri);
    58. 

  58. 	}
    59. 

  59. 	$headers['User-Agent'] = $hit->UA;
    60. 

  60. 	$headers['Referer'] = $hit->referer;
    61. 

  61. 	$request->setHeaders($headers);
    62. 

  62. 

  63. 	preg_match('/request\.([a-z]+)(?:\[(.*?)\](.*?))?/i', $hitData->paramKey, $matches);
    64. 

  64. 	if ($matches) {
    65. 

  65. 		switch ($matches[1]) {
    66. 

  66. 			case 'body':
    67. 

  67. 				$request->setMethod('POST');
    68. 

  68. 				parse_str("$matches[2]$matches[3]", $body);
    69. 

  69. 				$request->setBody($body);
    70. 

  70. 				break;
    71. 

  71. 		}
    72. 

  72. 	}
    73. 

  73. }
    74. 

  74. 

  75. $request->setIP(wfUtils::inet_ntop($hit->IP));
    76. 

  76. $request->setTimestamp($hit->ctime);
    77. 

  77. 

  78. 

  79. $waf = wfWAF::getInstance();
    80. 

  80. $waf->setRequest($request);
    81. 

  81. 

  82. $result = '<strong class="ok">Passed</strong>';
    83. 

  83. $failedRules = array();
    84. 

  84. try {
    85. 

  85. 	$waf->runRules();
    86. 

  86. } catch (wfWAFAllowException $e) {
    87. 

  87. 	$result = '<strong class="ok">Whitelisted</strong>';
    88. 

  88. } catch (wfWAFBlockException $e) {
    89. 

  89. 	$result = '<strong class="error">Blocked</strong>';
    90. 

  90. 	$failedRules = $waf->getFailedRules();
    91. 

  91. } catch (wfWAFBlockSQLiException $e) {
    92. 

  92. 	$result = '<strong class="error">Blocked For SQLi</strong>';
    93. 

  93. 	$failedRules = $waf->getFailedRules();
    94. 

  94. } catch (wfWAFBlockXSSException $e) {
    95. 

  95. 	$result = '<strong class="error">Blocked For XSS</strong>';
    96. 

  96. 	$failedRules = $waf->getFailedRules();
    97. 

  97. }
    98. 

  98. 

  99. ?>
    100. 

  100. <!doctype html>
    101. 

  101. <html lang="en">
    102. 

  102. <head>
    103. 

  103. 	<meta charset="UTF-8">
    104. 

  104. 	<title><?php echo esc_html($title) ?></title>
    105. 

  105. 	<link rel="stylesheet" href="<?php echo wfUtils::getBaseURL() . 'css/main.css' ?>">
    106. 

  106. 	<style>
    107. 

  107. 		html {
    108. 

  108. 			font-family: "Open Sans", Helvetica, Arial, sans-serif;
    109. 

  109. 		}
    110. 

  110. 		h1, h2, h3, h4, h5 {
    111. 

  111. 			margin: 20px 0px 8px;
    112. 

  112. 		}
    113. 

  113. 		pre, p {
    114. 

  114. 			margin: 8px 0px 20px;
    115. 

  115. 		}
    116. 

  116. 		pre.request-debug {
    117. 

  117. 			padding: 12px;
    118. 

  118. 			background: #fafafa;
    119. 

  119. 			border: 1px solid #999999;
    120. 

  120. 			overflow: auto;
    121. 

  121. 		}
    122. 

  122. 		pre.request-debug em {
    123. 

  123. 			font-style: normal;
    124. 

  124. 			padding: 1px;
    125. 

  125. 			border: 1px solid #ffb463;
    126. 

  126. 			background-color: #ffffe0;
    127. 

  127. 			border-radius: 2px;
    128. 

  128. 		}
    129. 

  129. 		pre.request-debug strong {
    130. 

  130. 			border: 1px solid #ff4a35;
    131. 

  131. 			background-color: #ffefe7;
    132. 

  132. 			margin: 1px;
    133. 

  133. 		}
    134. 

  134. 		.ok {
    135. 

  135. 			color: #00c000;
    136. 

  136. 		}
    137. 

  137. 		.error {
    138. 

  138. 			color: #ff4a35;
    139. 

  139. 		}
    140. 

  140. 		#wrapper {
    141. 

  141. 			max-width: 1060px;
    142. 

  142. 			margin: 0px auto;
    143. 

  143. 		}
    144. 

  144. 	</style>
    145. 

  145. </head>
    146. 

  146. <body>
    147. 

  147. <div id="wrapper">
    148. 

  148. 	<h1><?php echo esc_html($title) ?></h1>
    149. 

  149. 

  150. 	<table class="wf-table">
    151. 

  151. 		<thead>
    152. 

  152. 		<tr>
    153. 

  153. 			<th colspan="2">Request Details</th>
    154. 

  154. 		</tr>
    155. 

  155. 		</thead>
    156. 

  156. 		<?php foreach ($fields as $label => $value): ?>
    157. 

  157. 			<tr>
    158. 

  158. 				<td><?php echo esc_html($label) ?>:</td>
    159. 

  159. 				<td><?php echo esc_html($value) ?></td>
    160. 

  160. 			</tr>
    161. 

  161. 		<?php endforeach ?>
    162. 

  162. 	</table>
    163. 

  163. 

  164. 	<h4>HTTP Request: <?php echo $result ?></h4>
    165. 

  165. 	<?php if (!isset($hitData->fullRequest)): ?>
    166. 

  166. 		<em style="font-size: 14px;">This is a reconstruction of the request using what was flagged by the WAF.
    167. 

  167. 			Full requests are only stored when <code>WFWAF_DEBUG</code> is enabled.</em>
    168. 

  168. 	<?php endif ?>
    169. 

  169. 	<pre class="request-debug"><?php
    170. 

  170. 	$paramKey = wp_hash(uniqid('param', true));
    171. 

  171. 	$matchKey = wp_hash(uniqid('match', true));
    172. 

  172. 

  173. 	$template = array(
    174. 

  174. 		"[$paramKey]"  => '<em>',
    175. 

  175. 		"[/$paramKey]" => '</em>',
    176. 

  176. 		"[$matchKey]"  => '<strong>',
    177. 

  177. 		"[/$matchKey]" => '</strong>',
    178. 

  178. 	);
    179. 

  179. 	$highlightParamFormat = "[$paramKey]%s[/$paramKey]";
    180. 

  180. 	$highlightMatchFormat = "[$matchKey]%s[/$matchKey]";
    181. 

  181. 	$requestOut = esc_html($request->highlightFailedParams($failedRules, $highlightParamFormat, $highlightMatchFormat));
    182. 

  182. 

  183. 	echo str_replace(array_keys($template), $template, $requestOut) ?></pre>
    184. 

  184. 

  185. 	<?php if ($failedRules): ?>
    186. 

  186. 		<h4>Failed Rules</h4>
    187. 

  187. 		<table class="wf-table">
    188. 

  188. 			<thead>
    189. 

  189. 			<tr>
    190. 

  190. 				<th>ID</th>
    191. 

  191. 				<th>Category</th>
    192. 

  192. 			</tr>
    193. 

  193. 			</thead>
    194. 

  194. 			<tbody>
    195. 

  195. 			<?php
    196. 

  196. 			foreach ($failedRules as $paramKey => $categories) {
    197. 

  197. 				foreach ($categories as $categoryKey => $failed) {
    198. 

  198. 					foreach ($failed as $failedRule) {
    199. 

  199. 						/** @var wfWAFRule $rule */
    200. 

  200. 						$rule = $failedRule['rule'];
    201. 

  201. 						printf("<tr><td>%d</td><td>%s</td></tr>", $rule->getRuleID(), $rule->getDescription());
    202. 

  202. 					}
    203. 

  203. 				}
    204. 

  204. 			}
    205. 

  205. 			?>
    206. 

  206. 			</tbody>
    207. 

  207. 		</table>
    208. 

  208. 

  209. 	<?php endif ?>
    210. 

  210. 

  211. 	<p>
    212. 

  212. 		<button type="button" id="run-waf-rules">Run Through WAF Rules</button>
    213. 

  213. 	</p>
    214. 

  214. 

  215. 	<script>
    216. 

  216. 		document.getElementById('run-waf-rules').onclick = function() {
    217. 

  217. 			document.location.href = document.location.href;
    218. 

  218. 		}
    219. 

  219. 	</script>
    220. 

  220. 

  221. 

  222. </div>
    223. 

  223. 

  224. </body>
    225. 

  225. </html>
    226. 

  226.