feat: add request block regular matching and modify block_ Urls are e… (#517)

2026-03-07 10:00:48 +08:00 · 2023-09-25 16:48:38 +08:00
parent 945787f7dc
commit 64ccbab29c
5 changed files with 88 additions and 7 deletions
--- a/plugins/wasm-go/extensions/request-block/README.md
+++ b/plugins/wasm-go/extensions/request-block/README.md
@@ -6,6 +6,8 @@
 | 名称 | 数据类型 | 填写要求 |  默认值 | 描述 |
 | -------- | -------- | -------- | -------- | -------- |
 |  block_urls     |  array of string     | 选填，`block_urls`,`block_headers`,`block_bodies` 中至少必填一项     |   -  |  配置用于匹配需要屏蔽 URL 的字符串   |
+|  block_exact_urls     |  array of string     | 选填，`block_urls`,`block_headers`,`block_bodies` 中至少必填一项     |   -  |  配置用于匹配需要精确屏蔽 URL 的字符串   |
+|  block_regexp_urls     |  array of string     | 选填，`block_urls`,`block_headers`,`block_bodies` 中至少必填一项     |   -  |  配置用于匹配需要屏蔽 URL 的正则表达式  |
 |  block_headers     |  array of string     | 选填，`block_urls`,`block_headers`,`block_bodies` 中至少必填一项     |   -  |  配置用于匹配需要屏蔽请求 Header 的字符串   |
 |  block_bodies     |  array of string     | 选填，`block_urls`,`block_headers`,`block_bodies` 中至少必填一项     |   -  |  配置用于匹配需要屏蔽请求 Body 的字符串   |
 |  blocked_code     |  number     | 选填     |   403  |  配置请求被屏蔽时返回的 HTTP 状态码   |
--- a/plugins/wasm-go/extensions/request-block/VERSION
+++ b/plugins/wasm-go/extensions/request-block/VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1
--- a/plugins/wasm-go/extensions/request-block/main.go
+++ b/plugins/wasm-go/extensions/request-block/main.go
@@ -17,6 +17,7 @@ package main
 import (
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"

 	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
@@ -36,12 +37,14 @@ func main() {
 }

 type RequestBlockConfig struct {
-	blockedCode    uint32
-	blockedMessage string
-	caseSensitive  bool
-	blockUrls      []string
-	blockHeaders   []string
-	blockBodies     []string
+	blockedCode      uint32
+	blockedMessage   string
+	caseSensitive    bool
+	blockUrls        []string
+	blockExactUrls   []string
+	blockHeaders     []string
+	blockBodies      []string
+	blockRegExpArray []*regexp.Regexp
 }

 func parseConfig(json gjson.Result, config *RequestBlockConfig, log wrapper.Log) error {
@@ -64,6 +67,30 @@ func parseConfig(json gjson.Result, config *RequestBlockConfig, log wrapper.Log)
 			config.blockUrls = append(config.blockUrls, strings.ToLower(url))
 		}
 	}
+	for _, item := range json.Get("block_exact_urls").Array() {
+		url := item.String()
+		if url == "" {
+			continue
+		}
+		if config.caseSensitive {
+			config.blockExactUrls = append(config.blockExactUrls, url)
+		} else {
+			config.blockExactUrls = append(config.blockExactUrls, strings.ToLower(url))
+		}
+	}
+	for _, item := range json.Get("block_regexp_urls").Array() {
+		regexpUrl := item.String()
+		if regexpUrl == "" {
+			continue
+		}
+		if config.caseSensitive {
+			reg := regexp.MustCompile(regexpUrl)
+			config.blockRegExpArray = append(config.blockRegExpArray, reg)
+		} else {
+			reg := regexp.MustCompile(strings.ToLower(regexpUrl))
+			config.blockRegExpArray = append(config.blockRegExpArray, reg)
+		}
+	}
 	for _, item := range json.Get("block_headers").Array() {
 		header := item.String()
 		if header == "" {
@@ -103,12 +130,24 @@ func onHttpRequestHeaders(ctx wrapper.HttpContext, config RequestBlockConfig, lo
 		if !config.caseSensitive {
 			requestUrl = strings.ToLower(requestUrl)
 		}
+		for _, blockExactUrl := range config.blockExactUrls {
+			if requestUrl == blockExactUrl {
+				proxywasm.SendHttpResponse(config.blockedCode, nil, []byte(config.blockedMessage), -1)
+				return types.ActionContinue
+			}
+		}
 		for _, blockUrl := range config.blockUrls {
 			if strings.Contains(requestUrl, blockUrl) {
 				proxywasm.SendHttpResponse(config.blockedCode, nil, []byte(config.blockedMessage), -1)
 				return types.ActionContinue
 			}
 		}
+		for _, regExpObj := range config.blockRegExpArray {
+			if regExpObj.MatchString(requestUrl) {
+				proxywasm.SendHttpResponse(config.blockedCode, nil, []byte(config.blockedMessage), -1)
+				return types.ActionContinue
+			}
+		}
 	}
 	if len(config.blockHeaders) > 0 {
 		headers, err := proxywasm.GetHttpRequestHeaders()
--- a/test/e2e/conformance/tests/go-wasm-request-block.go
+++ b/test/e2e/conformance/tests/go-wasm-request-block.go
@@ -50,6 +50,42 @@ var WasmPluginsRequestBlock = suite.ConformanceTest{
 					},
 				},
 			},
+			{
+				Meta: http.AssertionMeta{
+					TargetBackend:   "infra-backend-v1",
+					TargetNamespace: "higress-conformance-infra",
+				},
+				Request: http.AssertionRequest{
+					ActualRequest: http.Request{
+						Host:             "foo.com",
+						Path:             "/env/info",
+						UnfollowRedirect: true,
+					},
+				},
+				Response: http.AssertionResponse{
+					ExpectedResponse: http.Response{
+						StatusCode: 403,
+					},
+				},
+			},
+			{
+				Meta: http.AssertionMeta{
+					TargetBackend:   "infra-backend-v1",
+					TargetNamespace: "higress-conformance-infra",
+				},
+				Request: http.AssertionRequest{
+					ActualRequest: http.Request{
+						Host:             "foo.com",
+						Path:             "/web/info",
+						UnfollowRedirect: true,
+					},
+				},
+				Response: http.AssertionResponse{
+					ExpectedResponse: http.Response{
+						StatusCode: 403,
+					},
+				},
+			},
 		}
 		t.Run("WasmPlugins request-block", func(t *testing.T) {
 			for _, testcase := range testcases {
--- a/test/e2e/conformance/tests/go-wasm-request-block.yaml
+++ b/test/e2e/conformance/tests/go-wasm-request-block.yaml
@@ -42,4 +42,8 @@ spec:
  defaultConfig:
    block_urls:
    - "swagger.html"
+    block_regexp_urls:
+    - "/env.*"
+    block_exact_urls:
+    - "/web/info"
  url: file:///opt/plugins/wasm-go/extensions/request-block/plugin.wasm
@@ -1 +1 @@
 .0.0
 .0.1