Skip to main content

Crate waf_normalizer

Crate waf_normalizer 

Source

Modules§

body
graphql
Minimal GraphQL lexer (Phase 11) — the 8th custom parser in this crate (fuzzed, see ARCHITECTURE §13). It does NOT build an AST: it makes a single linear, UTF-8-safe, allocation-free pass over the query text and computes the structural metrics the graphql detection module enforces (depth / aliases / fields / directives / introspection). It is evasion-robust at the LEXICAL level — braces, colons and names inside strings, block strings ("""…""") and # comments are skipped, so they cannot inflate or deflate the counts.
grpc
Minimal gRPC framing + protobuf wire-format extractor (the 9th custom parser in this crate, fuzzed — see ARCHITECTURE §13). Two layers, one linear pass, never panics:
url

Structs§

Normalizer

Enums§

NormalizationError

Functions§

header_content_inspectable
Closed ALLOWLIST of header names whose VALUE the content-inspection modules scan (P1-B). Unlike query/body, request headers are mostly NOT attacker payload carriers, so we invert the policy: inspect ONLY the user-controlled forwarding headers (Referer, X-Forwarded-{For,Host,Proto}) and custom x-* headers (gotestwaf injects into X-<random>), and EXCLUDE everything else — even an x-* that is really infra/secret (*-token, proxy-*) or negotiation/validators (accept*, content-*, etag, if-*) or hop-by-hop. Names are pre-lowercased. The deny-list takes precedence over the x-* allowance. (Distinct from [header_base64_excluded], which is a deny-list for the separate base64-derive channel.)