vyre 0.4.0

GPU compute intermediate representation with a standard operation library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! Rule detectors for injection and parser-abuse payloads.

use super::bytes::contains_ci;
use super::decode::percent_decode_lower;
use super::{validate_input, DetectionError};

/// Return true for eval plus decoder plus character-code JavaScript obfuscation.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_obfuscated_js(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let normalized = percent_decode_lower(input);
    let eval = contains_ci(&normalized, b"eval(") || contains_ci(&normalized, b"settimeout(");
    let decoder = contains_ci(&normalized, b"atob(") || contains_ci(&normalized, b"unescape(");
    let charcode = contains_ci(&normalized, b"fromcharcode")
        || contains_ci(&normalized, br"\x")
        || contains_ci(&normalized, br"\u00");
    Ok(eval && decoder && charcode)
}

/// Return true for SQL injection tautology, UNION, comment, or stacked-query payloads.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_sql_injection(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    let sql_words = contains_ci(&s, b"select ") && contains_ci(&s, b" from ");
    let union_select = contains_ci(&s, b"union select");
    let tautology = contains_ci(&s, b" or 1=1")
        || contains_ci(&s, b"' or '1'='1")
        || contains_ci(&s, b"\" or \"1\"=\"1")
        || contains_ci(&s, b" or true");
    let comment = contains_ci(&s, b"--") || contains_ci(&s, b"/*") || contains_ci(&s, b"#");
    let stacked = contains_ci(&s, b"; drop ") || contains_ci(&s, b"; select ");
    Ok(union_select || (tautology && (comment || sql_words)) || stacked)
}

/// Return true for script tags, JavaScript URLs, or executable event handlers.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_xss(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    Ok(contains_ci(&s, b"<script")
        || contains_ci(&s, b"javascript:")
        || contains_ci(&s, b"onerror=")
        || contains_ci(&s, b"onload=")
        || contains_ci(&s, b"<svg") && (contains_ci(&s, b"onload") || contains_ci(&s, b"script")))
}

/// Return true for traversal into local sensitive files.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_lfi(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    Ok((contains_ci(&s, b"../") || contains_ci(&s, br"..\"))
        && (contains_ci(&s, b"/etc/passwd")
            || contains_ci(&s, b"boot.ini")
            || contains_ci(&s, b"win.ini")
            || contains_ci(&s, b"/proc/self/environ")))
}

/// Return true for remote URLs supplied to include-like parameters.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_rfi(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    let param = contains_ci(&s, b"file=")
        || contains_ci(&s, b"path=")
        || contains_ci(&s, b"page=")
        || contains_ci(&s, b"include=");
    let remote = contains_ci(&s, b"http://") || contains_ci(&s, b"https://");
    Ok(param && remote)
}

/// Return true for shell metacharacters paired with command names.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_command_injection(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    let meta = contains_ci(&s, b";")
        || contains_ci(&s, b"&&")
        || contains_ci(&s, b"||")
        || contains_ci(&s, b"`")
        || contains_ci(&s, b"$(")
        || contains_ci(&s, b"|");
    let command = contains_ci(&s, b" cat ")
        || contains_ci(&s, b" id")
        || contains_ci(&s, b" whoami")
        || contains_ci(&s, b" curl ")
        || contains_ci(&s, b" wget ")
        || contains_ci(&s, b" nc ")
        || contains_ci(&s, b" /bin/sh")
        || contains_ci(&s, b" powershell");
    Ok(meta && command)
}

/// Return true for URL payloads targeting loopback, metadata, or private hosts.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_ssrf(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    let has_url = contains_ci(&s, b"http://") || contains_ci(&s, b"https://");
    let target = contains_ci(&s, b"localhost")
        || contains_ci(&s, b"127.0.0.1")
        || contains_ci(&s, b"0.0.0.0")
        || contains_ci(&s, b"169.254.169.254")
        || contains_ci(&s, b"10.")
        || contains_ci(&s, b"192.168.")
        || contains_ci(&s, b"172.16.");
    Ok(has_url && target)
}

/// Return true for decoded or raw parent-directory traversal.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_path_traversal(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    Ok(contains_ci(&s, b"../")
        || contains_ci(&s, br"..\")
        || contains_ci(&s, b"..//")
        || contains_ci(&s, br"..\\"))
}

/// Return true for XML external entity declarations with SYSTEM or PUBLIC.
///
/// # Errors
///
/// Returns `Fix: ...` when input exceeds the detector limit.
pub fn detect_xxe(input: &[u8]) -> Result<bool, DetectionError> {
    validate_input(input)?;
    let s = percent_decode_lower(input);
    Ok(contains_ci(&s, b"<!doctype")
        && contains_ci(&s, b"<!entity")
        && (contains_ci(&s, b"system") || contains_ci(&s, b"public")))
}