From 79b12e8470a379d64a16a4002709880c77e70223 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:28:58 +0000 Subject: [PATCH 1/4] Initial plan From 21e1697b8a0e984199fd8c20e4872b50af07ed7c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Sep 2025 15:36:40 +0000 Subject: [PATCH 2/4] Significantly enhance block-exploits.conf with comprehensive security protections Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com> --- .../nginx/conf.d/include/block-exploits.conf | 321 +++++++++++++++++- 1 file changed, 318 insertions(+), 3 deletions(-) diff --git a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf index 093bda235..25534b0fc 100644 --- a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf +++ b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf @@ -1,6 +1,7 @@ ## Block SQL injections set $block_sql_injections 0; +# Traditional SQL injection patterns if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } 
@@ -13,6 +14,36 @@ if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } +# Enhanced SQL injection patterns +if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") { + set $block_sql_injections 1; +} + +if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") { + set $block_sql_injections 1; +} + +if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") { + set $block_sql_injections 1; +} + +if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") { + set $block_sql_injections 1; +} + +if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") { + set $block_sql_injections 1; +} + +# NoSQL injection patterns (MongoDB, CouchDB, etc.) +if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") { + set $block_sql_injections 1; +} + +if ($query_string ~ "javascript:|constructor|prototype|__proto__") { + set $block_sql_injections 1; +} + if ($block_sql_injections = 1) { return 403; } @@ -20,10 +51,12 @@ if ($block_sql_injections = 1) { ## Block file injections set $block_file_injections 0; -if ($query_string ~ "[a-zA-Z0-9_]=http://") { +# Remote file inclusion +if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps)://") { set $block_file_injections 1; } +# Directory traversal - enhanced patterns if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } 
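Review bot: The keyword rule `(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]` added in the `@@ -13,6 +14,36 @@` hunk has no word boundaries and no SQL context, so ordinary values such as `?action=update&tag=(draft)` get a 403, the `(or|and)` rule fires on `color`, `sort` or `brand` whenever a `digit=digit` pair follows, and `constructor`/`prototype` in the NoSQL rule are plain English words. At the same time every new rule uses the case-sensitive `~` operator with lowercase patterns, so `SELECT`, `Union` or uppercase hex like `%0D%0A` are not matched at all; the same gap exists in the encoded-form rules of `@@ -32,6 +65,30 @@`, `@@ -59,10 +140,35 @@` and patch 4's `@@ -84,8 +84,8 @@`. Switching the new rules to `~*` and requiring SQL-shaped context, e.g. `if ($query_string ~* "\b(select|insert|update|delete)\b.*\b(from|into|where|table)\b")`, would reduce both the false positives and the case gap in one change.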
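Review bot: Extending the RFI rule to `[a-zA-Z0-9_]=(https?|ftp|ftps)://` means any parameter carrying an absolute URL is rejected, which is a normal pattern for OAuth/OIDC `redirect_uri=https://…`, `?next=https://…` after login, or link-sharing endpoints; patch 4's `@@ -52,7 +52,7 @@` keeps this while adding the wrapper schemes. Remote inclusion is a property of the backend application, not of the URL, so on proxied apps this rule is mostly a false-positive source. The existing rule already behaved this way for plain `http://`; the change widens it to the now-dominant `https`. If it stays, the trade-off should be stated next to it: `# NOTE: rejects any absolute http(s)/ftp URL passed as a parameter value (e.g. OAuth redirect_uri); disable on hosts that take URL parameters`.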
@@ -32,6 +65,30 @@ if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } +# Additional traversal patterns +if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") { + set $block_file_injections 1; +} + +if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") { + set $block_file_injections 1; +} + +# Windows system files +if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") { + set $block_file_injections 1; +} + +# Unix system files +if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") { + set $block_file_injections 1; +} + +# Null bytes and encoding attacks +if ($query_string ~ "(%00|%0a|%0d|%09|%20$)") { + set $block_file_injections 1; +} + if ($block_file_injections = 1) { return 403; } @@ -39,10 +96,29 @@ if ($block_file_injections = 1) { ## Block common exploits set $block_common_exploits 0; +# XSS protection - enhanced patterns +if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") { + set $block_common_exploits 1; +} + +if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") { + set $block_common_exploits 1; +} + if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } +# Enhanced XSS vectors +if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") { + set $block_common_exploits 1; +} + +if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") { + set $block_common_exploits 1; +} + +# PHP globals and superglobals if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } 
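Review bot: The system-file rules `(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)` and `(boot\.ini)|(win\.ini)|(system\.ini)` only match the literal form, while `$query_string` is the raw, still percent-encoded query, so unlike the traversal rules directly above them (which were given `%2e%2e%2f`/`%252f` variants) they never see an encoded path; the same limitation applies to the wrapper schemes added in patch 4's `@@ -52,7 +52,7 @@`. The `\/` escapes are also unnecessary in an nginx regex and only make the patterns harder to read. Either mirror the encoded variants consistently, e.g. `if ($query_string ~* "(/etc/|%2fetc%2f)(passwd|shadow|hosts)")`, or document the limitation with `# NOTE: $query_string is not URL-decoded; these only match unencoded paths`. The `%20$` alternative in the null-byte rule is already reworked in patch 4, so nothing further is needed there.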
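Review bot: `document\.` and `window\.` in the enhanced XSS rule match any value that merely contains those substrings, so `?file=document.pdf` or `?name=window.jpg` get a 403, and `url\s*\(`/`@import` are equally common in innocuous CSS-related parameters. The event-handler rule `(javascript|vbscript|onload|onerror|onclick|...|onsubmit):` requires a trailing colon, which only `javascript:`/`vbscript:` ever carry; `onerror` and friends are followed by `=`, so that part of the rule effectively never fires. Tightening the first to the sensitive members, `document\.(cookie|location|write|domain)|window\.(location|open)|eval\(|setTimeout\(|setInterval\(`, and splitting the second into `(javascript|vbscript):` plus a tag-anchored `(<|%3C).*\bon(load|error|click|mouseover|focus|blur|change|submit)\s*=`, keeps the intent with far fewer false positives.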
@@ -51,6 +127,11 @@ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } +if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") { + set $block_common_exploits 1; +} + +# System information disclosure if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } @@ -59,10 +140,35 @@ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } +# Encoding attacks if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } +# Command injection patterns +if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") { + set $block_common_exploits 1; +} + +if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") { + set $block_common_exploits 1; +} + +# LDAP injection +if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") { + set $block_common_exploits 1; +} + +# XML/XXE attacks +if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") { + set $block_common_exploits 1; +} + +# Server-side template injection +if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") { + set $block_common_exploits 1; +} + if ($block_common_exploits = 1) { return 403; } @@ -70,6 +176,7 @@ if ($block_common_exploits = 1) { ## Block spam set $block_spam 0; +# Original spam keywords if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; } 
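Review bot: The XML/XXE rule `(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)` in the `@@ -59,10 +140,35 @@` hunk contains the bare, unanchored words `SYSTEM` and `PUBLIC`, so an ordinary `?visibility=PUBLIC` or `?scope=SYSTEM` is rejected as an XXE attempt. In the command-injection rule, `;`/`%3B` and `&&` also hit benign input (`%3B` is any encoded semicolon, and `&&` appears whenever an empty parameter is sent as `?a=1&&b=2`), while the command-name rule `(cat|ls|...|ping)\s` needs a literal whitespace byte that cannot normally appear in the raw `$query_string` (it arrives as `%20` or `+`), so it rarely fires at all. The LDAP rule's `\*\)` likewise rejects any `(foo*)` search term. Anchoring XXE to markup, `if ($query_string ~* "(<|%3C)!(DOCTYPE|ENTITY)")`, and dropping the lone `;`, `%3B`, `&&`, `SYSTEM`, `PUBLIC` and `xmlns` alternatives would remove the most visible false positives in this hunk.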
@@ -86,19 +193,50 @@ if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamb set $block_spam 1; } +# Enhanced spam keywords +if ($query_string ~ "\b(casino|poker|gambling|betting|lottery|jackpot|slot)\b") { + set $block_spam 1; +} + +if ($query_string ~ "\b(loan|credit|mortgage|insurance|investment|forex|crypto)\b") { + set $block_spam 1; +} + +if ($query_string ~ "\b(escort|adult|xxx|porn|sex|dating|hookup|webcam)\b") { + set $block_spam 1; +} + +if ($query_string ~ "\b(replica|fake|counterfeit|knockoff|imitation)\b") { + set $block_spam 1; +} + +if ($query_string ~ "\b(weight.?loss|diet.?pill|muscle|steroid|supplement)\b") { + set $block_spam 1; +} + +# Common spam patterns +if ($query_string ~ "(\[url=|\[link=|\[email=|email.*@.*\..*\])") { + set $block_spam 1; +} + +if ($query_string ~ "(click.here|visit.site|buy.now|free.trial|limited.offer)") { + set $block_spam 1; +} + if ($block_spam = 1) { return 403; } -## Block user agents +## Block malicious user agents set $block_user_agents 0; +# Original user agents # Disable Akeeba Remote Control 2.5 and earlier if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; } -# Common bandwidth hoggers and hacking tools. +# Common bandwidth hoggers and hacking tools if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; } 
@@ -131,6 +269,183 @@ if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; } +# Enhanced malicious bots and tools +if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") { + set $block_user_agents 1; +} + +# Scrapers and harvesters +if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") { + set $block_user_agents 1; +} + +# Suspicious patterns +if ($http_user_agent ~ "^-$|^$|^\.$") { + set $block_user_agents 1; +} + +if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") { + set $block_user_agents 1; +} + +# Common attack frameworks +if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") { + set $block_user_agents 1; +} + if ($block_user_agents = 1) { return 403; } + +## Block suspicious request methods +set $block_methods 0; + +if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") { + set $block_methods 1; +} + +if ($request_method ~ "^(PUT|DELETE)$") { + set $block_methods 1; +} + +if ($block_methods = 1) { + return 405; +} + +## Block suspicious headers +set $block_headers 0; + +if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") { + set $block_headers 1; +} + +if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION| Date: Fri, 19 Sep 2025 16:05:22 +0000 Subject: [PATCH 3/4] Remove overly restrictive rules based on feedback - PUT/DELETE methods, spam filtering, scanner detection, 
and rate limiting Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com> --- .../nginx/conf.d/include/block-exploits.conf | 104 ------------------ 1 file changed, 104 deletions(-) diff --git a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf index 25534b0fc..15ff736af 100644 --- a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf +++ b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf @@ -173,60 +173,6 @@ if ($block_common_exploits = 1) { return 403; } -## Block spam -set $block_spam 0; - -# Original spam keywords -if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { - set $block_spam 1; -} - -# Enhanced spam keywords -if ($query_string ~ "\b(casino|poker|gambling|betting|lottery|jackpot|slot)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(loan|credit|mortgage|insurance|investment|forex|crypto)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(escort|adult|xxx|porn|sex|dating|hookup|webcam)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(replica|fake|counterfeit|knockoff|imitation)\b") { - set $block_spam 1; -} - -if ($query_string ~ "\b(weight.?loss|diet.?pill|muscle|steroid|supplement)\b") { - set $block_spam 1; -} - -# Common spam patterns -if ($query_string ~ "(\[url=|\[link=|\[email=|email.*@.*\..*\])") { - set $block_spam 1; -} - -if ($query_string ~ "(click.here|visit.site|buy.now|free.trial|limited.offer)") { - set $block_spam 1; -} - -if ($block_spam = 1) { - return 403; -} - ## Block malicious user agents set $block_user_agents 0; 
@@ -324,10 +270,6 @@ if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") { set $block_methods 1; } -if ($request_method ~ "^(PUT|DELETE)$") { - set $block_methods 1; -} - if ($block_methods = 1) { return 405; } @@ -403,49 +345,3 @@ if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") { if ($block_protocol = 1) { return 400; } - -## Block common vulnerability scanners -set $block_scanners 0; - -if ($request_uri ~ "(wp-admin|wp-login|wp-content|wp-includes|xmlrpc\.php)") { - set $block_scanners 1; -} - -if ($request_uri ~ "(phpmyadmin|pma|mysql|admin|administrator|manager)") { - set $block_scanners 1; -} - -if ($request_uri ~ "(\.php|\.asp|\.aspx|\.jsp|\.cgi)$") { - set $block_scanners 1; -} - -if ($request_uri ~ "(config|backup|log|tmp|temp|cache)") { - set $block_scanners 1; -} - -# Common paths used by vulnerability scanners -if ($request_uri ~ "(robots\.txt|sitemap\.xml|\.well-known|\.git|\.svn|\.env)") { - set $block_scanners 1; -} - -if ($block_scanners = 1) { - return 404; -} - -## Rate limiting marker (basic implementation) -set $block_rate_limit 0; - -# This requires additional nginx modules for proper rate limiting -# but we set the variable for potential future use -if ($remote_addr ~ "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)") { - set $block_rate_limit 0; -} - -# Block requests from suspicious countries (placeholder for GeoIP) -# if ($geoip_country_code ~ "^(CN|RU|KP|IR)$") { -# set $block_rate_limit 1; -# } - -if ($block_rate_limit = 1) { - return 429; -} From 2185b8244c7981a4de13dc4dd19110d323e1d8cd Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:55:43 +0000 Subject: [PATCH 4/4] Refine security patterns: reduce false positives in null byte detection and expand RFI protocol coverage Co-authored-by: fuomag9 <1580624+fuomag9@users.noreply.github.com> --- docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf index 15ff736af..76bc9e79b 100644 --- a/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf +++ b/docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf @@ -52,7 +52,7 @@ if ($block_sql_injections = 1) { set $block_file_injections 0; # Remote file inclusion -if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps)://") { +if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps|file|data|php|expect|gopher)://") { set $block_file_injections 1; } @@ -84,8 +84,8 @@ if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") { set $block_file_injections 1; } -# Null bytes and encoding attacks -if ($query_string ~ "(%00|%0a|%0d|%09|%20$)") { +# Null bytes and dangerous encoding attacks +if ($query_string ~ "(%00|%0a%0d|%0d%0a)") { set $block_file_injections 1; }
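Review bot: The comment `# Remote file inclusion` above the widened rule in `@@ -52,7 +52,7 @@` no longer describes it: `file://`, `php://`, `expect://` and `data://` are local stream wrappers, not remote fetches, so a reader checking the rule against its heading would wrongly conclude the wrapper schemes are out of scope. Suggest `# Remote file inclusion (http/ftp/gopher) and PHP stream wrappers (file/data/php/expect)`. Like the rest of the file this matches only the undecoded `$query_string`, which is worth a trailing clause in the same comment.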