From 5a32e49d098eedf20dc0e190db6e1d7ffd02cd07 Mon Sep 17 00:00:00 2001
From: josefaidt
Date: Mon, 5 Feb 2024 15:11:19 -0800
Subject: [PATCH] improve waf rules, ignore file extensions
---
 cdk/src/components/waf.ts | 85 +++++++++++++++++++++++++--------------
 1 file changed, 54 insertions(+), 31 deletions(-)
diff --git a/cdk/src/components/waf.ts b/cdk/src/components/waf.ts
index 55f3e95d..43d04d45 100644
--- a/cdk/src/components/waf.ts
+++ b/cdk/src/components/waf.ts
@@ -100,37 +100,9 @@ export class WAF extends wafv2.CfnWebACL {
 sampledRequestsEnabled: true,
 },
 },
- {
- name: 'DenyRequestsForSqlFiles',
- priority: 3,
- action: {
- block: {},
- },
- statement: {
- byteMatchStatement: {
- // if request ends in .sql
- searchString: '.sql',
- fieldToMatch: {
- uriPath: {},
- },
- positionalConstraint: 'ENDS_WITH',
- textTransformations: [
- {
- priority: 0,
- type: 'NONE',
- },
- ],
- },
- },
- visibilityConfig: {
- cloudWatchMetricsEnabled: true,
- metricName: 'MetricForWaf-DenyRequestsForSqlFiles',
- sampledRequestsEnabled: true,
- },
- },
 {
 name: 'DenyRequestsToWpAdmin',
- priority: 4,
+ priority: 3,
 action: {
 block: {},
 },
@@ -158,7 +130,7 @@ export class WAF extends wafv2.CfnWebACL {
 },
 {
 name: 'DenyRequestsToWpContent',
- priority: 5,
+ priority: 4,
 action: {
 block: {},
 },
@@ -186,7 +158,7 @@ export class WAF extends wafv2.CfnWebACL {
 },
 {
 name: 'DenyRequestsForSwagger',
- priority: 6,
+ priority: 5,
 action: {
 block: {},
 },
@@ -214,6 +186,23 @@ export class WAF extends wafv2.CfnWebACL {
 },
 ],
 })
+
+ this.ignoreFileExtension('.sql')
+ this.ignoreFileExtension('.zip')
+ this.ignoreFileExtension('.rar')
+ this.ignoreFileExtension('.axd')
+ this.ignoreFileExtension('.txt')
+ this.ignoreFileExtension('.md')
+ this.ignoreFileExtension('.yml')
+ this.ignoreFileExtension('.tar.gz')
+
 }
+
+ private get nextPriority() {
+ const rules = this.rules as wafv2.CfnWebACL.RuleProperty[]
+ return rules.reduce((acc, curr) => {
+ if (acc > curr.priority) return acc
+ else return curr.priority + 1
+ }, 0)
+ }
 
 public addAssociation(logicalId: string, resourceArn: string) {
@@ -222,4 +211,38 @@ export class WAF extends wafv2.CfnWebACL {
 webAclArn: this.attrArn,
 })
 }
+
+ public ignoreFileExtension(extension: `.${string}`) {
+ const display = extension.replace(/^\./, '')
+ const rules = this.rules as wafv2.CfnWebACL.RuleProperty[]
+
+ rules.push({
+ name: `DenyRequestsFor${display}Files`,
+ priority: this.nextPriority,
+ action: {
+ block: {},
+ },
+ statement: {
+ byteMatchStatement: {
+ // if request ends in .zip
+ searchString: extension,
+ fieldToMatch: {
+ uriPath: {},
+ },
+ positionalConstraint: 'ENDS_WITH',
+ textTransformations: [
+ {
+ priority: 0,
+ type: 'NONE',
+ },
+ ],
+ },
+ },
+ visibilityConfig: {
+ cloudWatchMetricsEnabled: true,
+ metricName: `MetricForWaf-DenyRequestsFor${display}Files`,
+ sampledRequestsEnabled: true,
+ },
+ })
+ }
 }
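Review bot: `this.ignoreFileExtension('.txt')` will also block `/robots.txt` and `/.well-known/security.txt` if this distribution serves them, which the hunk cannot show — worth confirming before merging, since the blanket `.txt` rule is the one most likely to hit a legitimate path. The method name says "ignore" while every rule it adds carries a `block` action, so a reader of the constructor alone would not guess these are deny rules; a comment above the calls, `// each call appends a block rule for URI paths ending in that extension`, or a rename to `blockFileExtension`, makes that explicit. `nextPriority` does fold to max priority + 1 (and 0 for an empty array) as intended, but the `as wafv2.CfnWebACL.RuleProperty[]` cast hides the assumption that `this.rules` is a plain array rather than an `IResolvable`; `// assumes rules was passed to super() as a plain array, never an IResolvable` above the cast would document it. The constructor whose closing brace appears as context here begins outside the hunk.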
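Review bot: The `name:` line builds `DenyRequestsFor${display}Files` from an extension that only had its leading dot stripped, so the `.tar.gz` call in the constructor yields the rule name `DenyRequestsFortar.gzFiles`; as far as I recall the WAFv2 rule Name pattern is `^[\w\-]+$` (dots are tolerated in `metricName`, not in `name`), which would fail at deploy rather than at synth. Sanitize once, `const display = extension.replace(/^\./, '').replace(/[^\w-]/g, '_')`, and keep using it for both strings. The match itself, `ENDS_WITH` on `uriPath` with a single `NONE` transformation, is case-sensitive and sees the path undecoded, so `/backup.SQL` and likely `/backup%2Esql` pass while `/backup.sql` is blocked; a `URL_DECODE` transformation at priority 0 followed by `LOWERCASE` at priority 1 closes that, given every `searchString` passed here is lowercase. The copied comment `// if request ends in .zip` is stale for a parameterized method and should read `// block requests whose URI path ends with the given extension`, and a TSDoc header stating that the rule is appended at the next free priority and must be added before synthesis would round it out.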