wafrift-oracle 0.2.2

Payload validity oracles for SQL, SSRF, path traversal, command injection, and template injection.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

//! Path traversal payload oracle.
//!
//! Path traversal payloads navigate the filesystem by using `../` sequences
//! and target sensitive files. The oracle validates that:
//! 1. **Traversal sequences survive** — `../` or encoded equivalents
//! 2. **Target paths remain readable** — `/etc/passwd`, `/etc/shadow`, etc.
//!
//! If encoding destroys the `../` sequences or the target path, the
//! server won't resolve the file and the traversal fails.

use crate::traits::PayloadOracle;
use serde::Deserialize;
use std::sync::OnceLock;

/// Path traversal oracle that validates directory escape sequences.
pub struct PathOracle;

// ──────────────────────────────────────────────
//  TOML-loaded path traversal rules
// ──────────────────────────────────────────────

/// Compile-time embedded TOML rules for path traversal.
const PATH_TRAVERSAL_TOML: &str = include_str!("../rules/path_traversal/sequences.toml");

/// Traversal sequence definition from TOML.
#[derive(Debug, Clone, Deserialize)]
struct TraversalSequence {
    sequence: String,
    #[allow(dead_code)]
    description: String,
    #[allow(dead_code)]
    encoding: String,
}

/// Target file definition from TOML.
#[derive(Debug, Clone, Deserialize)]
struct TargetFile {
    path: String,
    #[allow(dead_code)]
    description: String,
    #[allow(dead_code)]
    os: String,
}

/// Root structure for sequences.toml.
#[derive(Debug, Clone, Deserialize)]
struct PathTraversalRules {
    #[serde(default)]
    traversal_sequence: Vec<TraversalSequence>,
    #[serde(default)]
    target_file: Vec<TargetFile>,
}

/// Parse the embedded TOML rules once at first access.
fn get_rules() -> &'static PathTraversalRules {
    static RULES: OnceLock<PathTraversalRules> = OnceLock::new();
    RULES.get_or_init(|| {
        toml::from_str(PATH_TRAVERSAL_TOML)
            .expect("Failed to parse rules/path_traversal/sequences.toml - invalid TOML format")
    })
}

/// Get traversal sequences (various encodings that servers may decode).
fn traversal_sequences() -> &'static [String] {
    static CACHE: OnceLock<Vec<String>> = OnceLock::new();
    CACHE.get_or_init(|| {
        get_rules()
            .traversal_sequence
            .iter()
            .map(|s| s.sequence.clone())
            .collect()
    })
}

/// Get common target files for path traversal.
fn target_files() -> &'static [String] {
    static CACHE: OnceLock<Vec<String>> = OnceLock::new();
    CACHE.get_or_init(|| {
        get_rules()
            .target_file
            .iter()
            .map(|f| f.path.clone())
            .collect()
    })
}

/// Checks whether a payload contains path traversal structure.
fn has_traversal_structure(payload: &str) -> bool {
    let lower = payload.to_ascii_lowercase();

    // Must have at least one traversal sequence
    let has_traversal = traversal_sequences()
        .iter()
        .any(|seq| lower.contains(&seq.to_ascii_lowercase()));

    // Must reference at least one target file/path
    let has_target = target_files()
        .iter()
        .any(|target| lower.contains(&target.to_ascii_lowercase()));

    // A bare traversal sequence is also valid (attacker may be probing)
    has_traversal || (has_target && payload.contains(".."))
}

impl PayloadOracle for PathOracle {
    fn is_semantically_valid(&self, _original: &str, transformed: &str) -> bool {
        has_traversal_structure(transformed)
    }

    fn name(&self) -> &'static str {
        "PathTraversal"
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn classic_traversal_valid() {
        let oracle = PathOracle;
        assert!(oracle.is_semantically_valid("../../../etc/passwd", "../../../etc/passwd",));
    }

    #[test]
    fn encoded_traversal_valid() {
        let oracle = PathOracle;
        assert!(oracle.is_semantically_valid("../../../etc/passwd", "..%2f..%2f..%2fetc/passwd",));
    }

    #[test]
    fn double_dot_semicolon_valid() {
        let oracle = PathOracle;
        assert!(oracle.is_semantically_valid("../../../etc/passwd", "..;/..;/..;/etc/passwd",));
    }

    #[test]
    fn windows_traversal_valid() {
        let oracle = PathOracle;
        assert!(
            oracle.is_semantically_valid("..\\..\\windows\\win.ini", "..\\..\\windows\\win.ini",)
        );
    }

    #[test]
    fn destroyed_dots_invalid() {
        let oracle = PathOracle;
        // All traversal markers and target paths are fully encoded
        assert!(!oracle.is_semantically_valid("../../../etc/passwd", "XXXX/XXXX/XXXX/XXXX/XXXX",));
    }

    #[test]
    fn plain_text_invalid() {
        let oracle = PathOracle;
        assert!(!oracle.is_semantically_valid("../../../etc/passwd", "hello world",));
    }

    #[test]
    fn proc_self_environ_valid() {
        let oracle = PathOracle;
        assert!(
            oracle
                .is_semantically_valid("../../../proc/self/environ", "../../../proc/self/environ",)
        );
    }

    #[test]
    fn dot_env_valid() {
        let oracle = PathOracle;
        assert!(oracle.is_semantically_valid("../../.env", "../../.env",));
    }

    #[test]
    fn null_byte_bypass_valid() {
        let oracle = PathOracle;
        // Null byte appended but traversal preserved
        assert!(
            oracle.is_semantically_valid("../../../etc/passwd", "../../../etc/passwd\x00.jpg",)
        );
    }
}