External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 09:45:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/json2nginx.py
codeflash-ai[bot] a54f33e097
️ Speed up function validate_regex by 2,003% 
### Explanation.

1. **Caching with lru_cache**.
   - By using `functools.lru_cache`, the function `validate_regex` now caches the results of previous calls. If the same pattern is validated multiple times, the cached result is returned immediately, significantly improving the performance for repeated patterns. This change optimizes the runtime without altering the function's behavior.
2025-02-09 14:04:43 +00:00

175 lines
6.4 KiB
Python
Raw Blame History

import json
import os
import re
import logging
from pathlib import Path
from collections import defaultdict
from functools import lru_cache
# Configure logging
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s - %(levelname)s - %(message)s",
handlers=[logging.StreamHandler()],
)
# Input and output paths
INPUT_FILE = Path(os.getenv("INPUT_FILE", "owasp_rules.json"))
OUTPUT_DIR = Path(os.getenv("OUTPUT_DIR", "waf_patterns/nginx"))
MAPS_FILE = OUTPUT_DIR / "waf_maps.conf"
RULES_FILE = OUTPUT_DIR / "waf_rules.conf"
# Create output directory if it doesn't exist
OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
def load_owasp_rules(file_path):
"""Load OWASP rules from a JSON file."""
try:
with open(file_path, "r") as f:
return json.load(f)
except FileNotFoundError:
logging.error(f"Input file not found: {file_path}")
raise
except json.JSONDecodeError:
logging.error(f"Invalid JSON in file: {file_path}")
raise
@lru_cache(maxsize=None)
def validate_regex(pattern):
"""Validate if a pattern is a valid regex."""
try:
re.compile(pattern)
return True
except re.error:
return False
def sanitize_pattern(pattern):
"""Sanitize and validate OWASP patterns for Nginx compatibility."""
if any(
keyword in pattern
for keyword in ["@pmFromFile", "!@eq", "!@within", "@lt"]
):
logging.warning(f"Skipping unsupported pattern: {pattern}")
return None
if pattern.startswith("@rx "):
sanitized_pattern = pattern.replace("@rx ", "").strip()
if validate_regex(sanitized_pattern):
return re.escape(sanitized_pattern).replace(r'\@', '@')
else:
logging.warning(f"Invalid regex in pattern: {sanitized_pattern}")
return None
if validate_regex(pattern):
return re.escape(pattern).replace(r'\@', '@')
else:
logging.warning(f"Invalid regex in pattern: {pattern}")
return None
def generate_nginx_waf(rules):
"""Generate Nginx WAF configuration snippets from OWASP rules."""
categorized_rules = defaultdict(set)
# Group rules by category
for rule in rules:
category = rule.get("category", "generic").lower()
pattern = rule.get("pattern")
sanitized_pattern = sanitize_pattern(pattern)
if sanitized_pattern:
categorized_rules[category].add(sanitized_pattern)
else:
logging.warning(f"Invalid or unsupported pattern skipped: {pattern}")
# Write map definitions to a dedicated file
try:
with open(MAPS_FILE, "w") as f:
f.write("# Nginx WAF Maps Definitions\n")
f.write("# Automatically generated from OWASP rules.\n\n")
f.write("http {\n")
for category, patterns in categorized_rules.items():
f.write(f" map $request_uri $waf_block_{category} {{\n")
f.write(" default 0;\n")
for pattern in patterns:
escaped_pattern = pattern.replace('"', '\\"')
f.write(f' "~*{escaped_pattern}" 1;\n')
f.write(" }\n\n")
f.write("}\n")
logging.info(f"Generated {MAPS_FILE} containing map definitions")
except IOError as e:
logging.error(f"Failed to write {MAPS_FILE}: {e}")
# Write if blocks to a dedicated file
try:
with open(RULES_FILE, "w") as f:
f.write("# Nginx WAF Rules\n")
f.write("# Automatically generated from OWASP rules.\n")
f.write("# Include this file inside server block\n\n")
f.write(" # WAF rules\n")
for category in categorized_rules.keys():
f.write(f" if ($waf_block_{category}) {{\n")
f.write(" return 403;\n")
f.write(" # Log the blocked request (optional)\n")
f.write(" # access_log /var/log/nginx/waf_blocked.log;\n")
f.write(" }\n\n")
logging.info(f"Generated {RULES_FILE} containing rules")
except IOError as e:
logging.error(f"Failed to write {RULES_FILE}: {e}")
# Generate a README file with usage instructions
readme_file = OUTPUT_DIR / "README.md"
with open(readme_file, "w") as f:
f.write("# Nginx WAF Configuration\n\n")
f.write("This directory contains Nginx WAF configuration files generated from OWASP rules.\n")
f.write("You can include these files in your existing Nginx configuration to enhance security.\n\n")
f.write("## Usage\n")
f.write("1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:\n")
f.write(" ```nginx\n")
f.write(" http {\n")
f.write(" include /path/to/waf_patterns/nginx/waf_maps.conf;\n")
f.write(" # ... other http configurations ...\n")
f.write(" }\n")
f.write(" ```\n")
f.write("2. Include the `waf_rules.conf` file in your `server` block:\n")
f.write(" ```nginx\n")
f.write(" server {\n")
f.write(" # ... other server configurations ...\n")
f.write(" include /path/to/waf_patterns/nginx/waf_rules.conf;\n")
f.write(" }\n")
f.write(" ```\n")
f.write("3. Reload Nginx to apply the changes:\n")
f.write(" ```bash\n")
f.write(" sudo nginx -t && sudo systemctl reload nginx\n")
f.write(" ```\n")
f.write("\n## Notes\n")
f.write("- The rules use `map` directives for efficient pattern matching. The maps are defined in the `waf_maps.conf` file.\n")
f.write("- The rules (if statements) are defined in the `waf_rules.conf` file.\n")
f.write("- Blocked requests return a `403 Forbidden` response by default.\n")
f.write("- You can enable logging for blocked requests by uncommenting the `access_log` line.\n")
def main():
"""Main function to load rules and generate Nginx configurations."""
try:
logging.info("Loading OWASP rules...")
owasp_rules = load_owasp_rules(INPUT_FILE)
logging.info(f"Generating Nginx WAF configs from {len(owasp_rules)} rules...")
generate_nginx_waf(owasp_rules)
logging.info("Nginx WAF configurations generated successfully.")
except Exception as e:
logging.critical(f"Script failed: {e}")
exit(1)
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink