[mv3] Detect and discard regex-based `from=`/`to=` domains

Raymond Hill 2023-12-05 09:18:58 -05:00
parent b8b4193f15
commit 71be1a4fe5
No known key found for this signature in database
GPG Key ID: 25E1490B761470C2
1 changed files with 49 additions and 29 deletions


@ -1925,13 +1925,13 @@ class FilterFromDomainMissSet extends FilterFromDomainHitSet {
return super.match(idata) === false; return super.match(idata) === false;
} }
static logData(idata, details) {
details.fromDomains.push('~' + this.getDomainOpt(idata).replace(/\|/g, '|~'));
}
static get dnrConditionName() { static get dnrConditionName() {
return 'excludedInitiatorDomains'; return 'excludedInitiatorDomains';
} }
static logData(idata, details) {
details.fromDomains.push('~' + this.getDomainOpt(idata).replace(/\|/g, '|~'));
}
} }
class FilterFromRegexHit extends FilterDomainRegexHit { class FilterFromRegexHit extends FilterDomainRegexHit {
@ -1939,6 +1939,10 @@ class FilterFromRegexHit extends FilterDomainRegexHit {
return $docHostname; return $docHostname;
} }
static get dnrConditionName() {
return 'initiatorDomains';
}
static logData(idata, details) { static logData(idata, details) {
details.fromDomains.push(`${this.getDomainOpt(idata)}`); details.fromDomains.push(`${this.getDomainOpt(idata)}`);
} }
@ -1949,6 +1953,10 @@ class FilterFromRegexMiss extends FilterFromRegexHit {
return super.match(idata) === false; return super.match(idata) === false;
} }
static get dnrConditionName() {
return 'excludedInitiatorDomains';
}
static logData(idata, details) { static logData(idata, details) {
details.fromDomains.push(`~${this.getDomainOpt(idata)}`); details.fromDomains.push(`~${this.getDomainOpt(idata)}`);
} }
@ -2064,6 +2072,10 @@ class FilterToRegexHit extends FilterDomainRegexHit {
return $requestHostname; return $requestHostname;
} }
static get dnrConditionName() {
return 'requestDomains';
}
static logData(idata, details) { static logData(idata, details) {
details.toDomains.push(`${this.getDomainOpt(idata)}`); details.toDomains.push(`${this.getDomainOpt(idata)}`);
} }
@ -2074,6 +2086,10 @@ class FilterToRegexMiss extends FilterToRegexHit {
return super.match(idata) === false; return super.match(idata) === false;
} }
static get dnrConditionName() {
return 'excludedRequestDomains';
}
static logData(idata, details) { static logData(idata, details) {
details.toDomains.push(`~${this.getDomainOpt(idata)}`); details.toDomains.push(`~${this.getDomainOpt(idata)}`);
} }
@ -4430,34 +4446,38 @@ FilterContainer.prototype.dnrFromCompiled = function(op, context, ...args) {
} }
} }
// Detect and attempt salvage of rules with entity-based hostnames. // Detect and attempt salvage of rules with entity-based hostnames and/or
// regex-based domains.
const isUnsupportedDomain = hn => hn.endsWith('.*') || hn.startsWith('/');
for ( const rule of ruleset ) { for ( const rule of ruleset ) {
if ( rule.condition === undefined ) { continue; } if ( rule.condition === undefined ) { continue; }
if ( for ( const prop of [ 'Initiator', 'Request' ] ) {
Array.isArray(rule.condition.initiatorDomains) && const hitProp = `${prop.toLowerCase()}Domains`;
rule.condition.initiatorDomains.some(hn => hn.endsWith('.*')) if ( Array.isArray(rule.condition[hitProp]) ) {
) { if ( rule.condition[hitProp].some(hn => isUnsupportedDomain(hn)) ) {
const domains = rule.condition.initiatorDomains.filter( const domains = rule.condition[hitProp].filter(
hn => hn.endsWith('.*') === false hn => isUnsupportedDomain(hn) === false
); );
if ( domains.length === 0 ) { if ( domains.length === 0 ) {
dnrAddRuleError(rule, `Can't salvage rule with only entity-based domain= option: ${rule.condition.initiatorDomains.join('|')}`); dnrAddRuleError(rule, `Can't salvage rule with unsupported domain= option: ${rule.condition[hitProp].join('|')}`);
} else { } else {
dnrAddRuleWarning(rule, `Salvaged rule by ignoring ${rule.condition.initiatorDomains.length - domains.length} entity-based domain= option: ${rule.condition.initiatorDomains.join('|')}`); dnrAddRuleWarning(rule, `Salvaged rule by ignoring ${rule.condition[hitProp].length - domains.length} unsupported domain= option: ${rule.condition[hitProp].join('|')}`);
rule.condition.initiatorDomains = domains; rule.condition[hitProp] = domains;
}
}
}
const missProp = `excluded${prop}Domains`;
if ( Array.isArray(rule.condition[missProp]) ) {
if ( rule.condition[missProp].some(hn => isUnsupportedDomain(hn)) ) {
const domains = rule.condition[missProp].filter(
hn => isUnsupportedDomain(hn) === false
);
rule.condition[missProp] =
domains.length !== 0
? domains
: undefined;
}
} }
}
if (
Array.isArray(rule.condition.excludedInitiatorDomains) &&
rule.condition.excludedInitiatorDomains.some(hn => hn.endsWith('.*'))
) {
const domains = rule.condition.excludedInitiatorDomains.filter(
hn => hn.endsWith('.*') === false
);
rule.condition.excludedInitiatorDomains =
domains.length !== 0
? domains
: undefined;
} }
} }
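Review bot: In the last hunk (`dnrFromCompiled`), the `missProp` branch removes unsupported entries from `excludedInitiatorDomains` / `excludedRequestDomains` without reporting anything, while the `hitProp` branch calls `dnrAddRuleError` or `dnrAddRuleWarning` for both of its outcomes. Dropping an exclusion widens the rule instead of narrowing it, so the converted rule applies to the very domains the filter author excluded. If the rule is an exception (allow) rule, which this hunk does not show, requests would be allowed on more sites than the original filter permitted. I would at least record the loss before the assignment, for example `dnrAddRuleWarning(rule, `Ignored ${rule.condition[missProp].length - domains.length} unsupported excluded domain option: ${rule.condition[missProp].join('|')}`);`, and consider `dnrAddRuleError` when widening is not acceptable for the rule's action. The function body starts and ends outside the hunk.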