bext-waf 0.2.0

Web Application Firewall for bext — rate limiting, IP filtering, GeoIP, rule engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

//! NoSQL injection detection (MongoDB, CouchDB, etc.).
//!
//! Detects `$gt`, `$ne`, `$where`, `$regex` operators and JavaScript
//! expressions in query strings and JSON bodies.

use std::sync::OnceLock;

use regex::RegexSet;

static NOSQL_PATTERNS: OnceLock<RegexSet> = OnceLock::new();

static NOSQL_DESCRIPTIONS: &[&str] = &[
    "NoSQL operator injection ($gt/$ne/$lt/$gte/$lte)",
    "NoSQL $where / $regex injection",
    "NoSQL $or/$and/$nor array injection",
    "MongoDB $lookup / $unionWith aggregation abuse",
];

fn patterns() -> &'static RegexSet {
    NOSQL_PATTERNS.get_or_init(|| {
        RegexSet::new([
            // 0: Comparison operators in JSON context
            r#"(?i)"\$(gt|gte|lt|lte|ne|eq|in|nin)"\s*:"#,
            // 1: $where / $regex (code execution)
            r#"(?i)"\$(where|regex|expr|text|mod)"\s*:"#,
            // 2: Logical operators as injection
            r#"(?i)"\$(or|and|nor|not)"\s*:\s*\["#,
            // 3: Aggregation abuse
            r#"(?i)"\$(lookup|unionWith|merge|out|graphLookup)"\s*:"#,
        ])
        .expect("NoSQL regex patterns must compile")
    })
}

/// Check an input string for NoSQL injection patterns.
pub fn check_nosql(input: &str) -> Option<String> {
    let set = patterns();
    let matches: Vec<_> = set.matches(input).into_iter().collect();
    if matches.is_empty() {
        None
    } else {
        let idx = matches[0];
        Some(
            NOSQL_DESCRIPTIONS
                .get(idx)
                .unwrap_or(&"NoSQL injection")
                .to_string(),
        )
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn detects_comparison_operators() {
        assert!(check_nosql(r#"{"username":"admin","password":{"$ne":""}}"#).is_some());
        assert!(check_nosql(r#"{"age":{"$gt":0}}"#).is_some());
    }

    #[test]
    fn detects_where_regex() {
        assert!(check_nosql(r#"{"$where":"this.password.match(/admin/)"}"#).is_some());
        assert!(check_nosql(r#"{"name":{"$regex":"^admin"}}"#).is_some());
    }

    #[test]
    fn detects_logical_operators() {
        assert!(check_nosql(r#"{"$or":[{"user":"admin"},{"user":"root"}]}"#).is_some());
    }

    #[test]
    fn allows_normal_json() {
        assert!(check_nosql(r#"{"name":"John","age":30}"#).is_none());
    }

    #[test]
    fn allows_normal_text() {
        assert!(check_nosql("Hello world").is_none());
    }
}