Skip to main content

content_rules_split

Function content_rules_split 

Source
pub fn content_rules_split(paranoia: u8) -> (RuleList, RuleList)
Expand description

(rule_id, pattern) for every CONTENT-inspection rule active at paranoia, split into two scope buckets (request_smuggling is excluded — it is structural framing validation, not regex content inspection, and always runs in the connection phase). Single source for the prefilter, so it cannot drift from the per-module rules.

  • main: every rule whose pattern is safe to scan over a superset of the fields it inspects ({path, query, cookies, headers, body}) — the 6 content modules plus the non-host header-injection rules. Over-scanning is sound (it can only over-flag → run the full path), and these patterns are specific enough not to match benign paths/headers.
  • host: the host-only header-injection rule(s) (Scope::HostHeaders), whose broad [/@] pattern MUST be scanned only against host header values — scanning it over the path (always /) is what made a global union useless.