synapse-waf 0.9.0

High-performance WAF and reverse proxy with embedded intelligence — built on Cloudflare Pingora
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303

//! Streaming DLP Scanner
//!
//! Allows scanning arbitrarily large streams of data without buffering the entire
//! content in memory. Handles patterns that cross chunk boundaries using an overlap buffer.

use super::scanner::{DlpConfig, DlpConfigError, DlpScanner, ScanResult, SensitiveDataType};
use std::collections::HashSet;
use std::sync::Arc;

/// Default overlap size (should be larger than the longest expected pattern)
const DEFAULT_OVERLAP_SIZE: usize = 1024; // 1KB

/// Default maximum buffer size (16MB)
const DEFAULT_MAX_BUFFER_SIZE: usize = 16 * 1024 * 1024;

/// Safety margin added to auto-calculated overlap
const OVERLAP_SAFETY_MARGIN: usize = 64;

/// Error type for streaming scanner operations
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum StreamingError {
    /// Buffer would exceed maximum allowed size
    BufferOverflow {
        current: usize,
        incoming: usize,
        max: usize,
    },
    /// Configuration error
    Config(DlpConfigError),
}

impl std::fmt::Display for StreamingError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::BufferOverflow {
                current,
                incoming,
                max,
            } => {
                write!(
                    f,
                    "buffer overflow: current {} + incoming {} > max {}",
                    current, incoming, max
                )
            }
            Self::Config(e) => write!(f, "config error: {}", e),
        }
    }
}

impl std::error::Error for StreamingError {}

impl From<DlpConfigError> for StreamingError {
    fn from(e: DlpConfigError) -> Self {
        Self::Config(e)
    }
}

/// Streaming wrapper for DlpScanner
pub struct StreamingScanner {
    scanner: Arc<DlpScanner>,
    buffer: Vec<u8>,
    overlap_size: usize,
    max_buffer_size: usize,
    /// Tracks bytes that have been fully processed and shifted out of buffer
    bytes_shifted: usize,
    accumulated_results: ScanResult,
    /// Track seen matches by (data_type, absolute_end_position) to deduplicate
    seen_matches: HashSet<(SensitiveDataType, usize)>,
}

impl StreamingScanner {
    /// Create a new streaming scanner using an existing scanner configuration
    pub fn new(scanner: Arc<DlpScanner>) -> Self {
        Self {
            scanner,
            buffer: Vec::with_capacity(DEFAULT_OVERLAP_SIZE * 2),
            overlap_size: DEFAULT_OVERLAP_SIZE,
            max_buffer_size: DEFAULT_MAX_BUFFER_SIZE,
            bytes_shifted: 0,
            accumulated_results: ScanResult::default(),
            seen_matches: HashSet::new(),
        }
    }

    /// Create a streaming scanner with auto-calculated overlap based on pattern lengths
    pub fn with_auto_overlap(scanner: Arc<DlpScanner>, config: &DlpConfig) -> Self {
        let overlap = config.max_pattern_length() + OVERLAP_SAFETY_MARGIN;
        Self::new(scanner).with_overlap(overlap)
    }

    /// Set custom overlap size (max pattern length to detect across chunks)
    pub fn with_overlap(mut self, size: usize) -> Self {
        self.overlap_size = size;
        self
    }

    /// Set maximum buffer size (default 16MB)
    /// Returns error if a chunk would cause buffer to exceed this limit
    pub fn with_max_buffer_size(mut self, size: usize) -> Self {
        self.max_buffer_size = size;
        self
    }

    /// Get the current absolute stream position (bytes processed so far)
    pub fn bytes_processed(&self) -> usize {
        self.bytes_shifted + self.buffer.len()
    }

    /// Process a new chunk of data
    ///
    /// Returns error if the buffer would exceed max_buffer_size
    pub fn update(&mut self, chunk: &[u8]) -> Result<(), StreamingError> {
        // Check buffer limit before appending
        let new_size = self.buffer.len() + chunk.len();
        if new_size > self.max_buffer_size {
            return Err(StreamingError::BufferOverflow {
                current: self.buffer.len(),
                incoming: chunk.len(),
                max: self.max_buffer_size,
            });
        }

        // Track how much data was in buffer before this chunk (the overlap region)
        let prev_len = self.buffer.len();

        // Append new chunk to buffer
        self.buffer.extend_from_slice(chunk);

        // Scan the current buffer
        let result = self.scanner.scan_bytes(&self.buffer);

        // Process matches
        if result.has_matches {
            for m in result.matches {
                // Calculate absolute stream position for this match
                let abs_start = self.bytes_shifted + m.start;
                let abs_end = self.bytes_shifted + m.end;

                // Deduplication: Skip if we've already seen this match
                // A match is considered duplicate if same type ends at same absolute position
                let match_key = (m.data_type, abs_end);
                if self.seen_matches.contains(&match_key) {
                    continue;
                }

                // Only report matches that end in the "new" part of the buffer
                // (i.e., end index > prev_len relative to current buffer)
                // This prevents reporting the same match twice when it's fully in overlap
                if m.end > prev_len {
                    self.seen_matches.insert(match_key);

                    // Create match with absolute stream offset
                    let mut new_match = m;
                    new_match.stream_offset = Some(abs_start);
                    // Update start/end to absolute positions
                    new_match.start = abs_start;
                    new_match.end = abs_end;

                    self.accumulated_results.matches.push(new_match);
                    self.accumulated_results.match_count += 1;
                    self.accumulated_results.has_matches = true;
                }
            }
        }

        // Prepare buffer for next chunk: keep only overlap
        if self.buffer.len() > self.overlap_size {
            let keep_start = self.buffer.len() - self.overlap_size;

            // Track how many bytes we're shifting out
            self.bytes_shifted += keep_start;

            // Keep only the tail
            self.buffer.drain(0..keep_start);
        }

        Ok(())
    }

    /// Finish the stream and get final results
    #[must_use = "final scan results should be processed"]
    pub fn finish(mut self) -> ScanResult {
        // Update total bytes scanned
        self.accumulated_results.content_length = self.bytes_shifted + self.buffer.len();
        self.accumulated_results.scanned = true;
        self.accumulated_results
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::dlp::DlpConfig;

    #[test]
    fn test_streaming_split_pattern() {
        let config = DlpConfig {
            enabled: true,
            ..Default::default()
        };
        let scanner = Arc::new(DlpScanner::new(config));
        let mut stream = StreamingScanner::new(scanner);

        // "Credit card: 4532015112830366" split across chunks
        stream.update(b"Credit card: 45320151").unwrap();
        stream.update(b"12830366 is valid.").unwrap();

        let result = stream.finish();

        assert!(result.has_matches);
        assert_eq!(result.match_count, 1);
        assert_eq!(
            result.matches[0].data_type,
            crate::dlp::SensitiveDataType::CreditCard
        );
        // Should have stream offset set
        assert!(result.matches[0].stream_offset.is_some());
    }

    #[test]
    fn test_streaming_no_duplicates() {
        let config = DlpConfig {
            enabled: true,
            ..Default::default()
        };
        let scanner = Arc::new(DlpScanner::new(config));
        let mut stream = StreamingScanner::new(scanner);

        // Pattern fits in first chunk, but is retained in overlap
        // Should not be reported twice
        let chunk1 = b"Credit card: 4532015112830366 ";
        let chunk2 = b"next chunk data";

        stream.update(chunk1).unwrap();
        stream.update(chunk2).unwrap();

        let result = stream.finish();

        assert_eq!(result.match_count, 1, "Should detect exactly once");
    }

    #[test]
    fn test_buffer_overflow_protection() {
        let config = DlpConfig {
            enabled: true,
            ..Default::default()
        };
        let scanner = Arc::new(DlpScanner::new(config));
        let mut stream = StreamingScanner::new(scanner).with_max_buffer_size(100);

        // First small chunk should work
        assert!(stream.update(b"small data").is_ok());

        // Large chunk should fail
        let large_chunk = vec![b'x'; 200];
        let result = stream.update(&large_chunk);
        assert!(matches!(result, Err(StreamingError::BufferOverflow { .. })));
    }

    #[test]
    fn test_stream_position_tracking() {
        let config = DlpConfig {
            enabled: true,
            ..Default::default()
        };
        let scanner = Arc::new(DlpScanner::new(config));
        let mut stream = StreamingScanner::new(scanner).with_overlap(50);

        // Send data in chunks
        stream.update(b"prefix data here ").unwrap(); // 17 bytes
        stream.update(b"Card: 4532015112830366").unwrap(); // Card at position ~17

        let result = stream.finish();

        assert!(result.has_matches);
        let credit_card = &result.matches[0];
        assert!(credit_card.stream_offset.is_some());
        // The credit card number starts after "Card: " which is at ~17 + 6 = 23
        let offset = credit_card.stream_offset.unwrap();
        assert!(offset >= 17, "Stream offset {} should be >= 17", offset);
    }

    #[test]
    fn test_auto_overlap() {
        let config = DlpConfig {
            enabled: true,
            custom_keywords: Some(vec!["VeryLongSecretKeyword123456789".to_string()]),
            ..Default::default()
        };
        let scanner = Arc::new(DlpScanner::new(config.clone()));
        let stream = StreamingScanner::with_auto_overlap(scanner, &config);

        // Auto overlap should be at least max_pattern_length + safety margin
        let expected_min = config.max_pattern_length() + OVERLAP_SAFETY_MARGIN;
        assert!(
            stream.overlap_size >= expected_min,
            "overlap {} should be >= {}",
            stream.overlap_size,
            expected_min
        );
    }
}