feat: prevent attacks even without HTTP requests

mrtc0 · mrtc0 · commit a2bed7849da5 · 2025-10-29T12:23:04.000+09:00
Signed-off-by: Kohei Morita &lt;moritakouhei@graffer.jp&gt;
diff --git a/exporter/exporter.go b/exporter/exporter.go
@@ -15,7 +15,9 @@ type eventExporterProvider struct {
 	ep EventExporter
 }
 
+// EventExporter exports WAF detection events to any desired location.
 type EventExporter interface {
+	// Export transforms and transmits event data to any desired location.
 	Export(ctx context.Context, event waf.ReadOnlyDetectionEvents) error
 }
 
diff --git a/internal/emitter/account_takeover/handler.go b/internal/emitter/account_takeover/handler.go
@@ -37,7 +37,7 @@ func IsSuspiciousLoginActivity(
 ) error {
 	parent, _ := operation.FindOperationFromContext(ctx)
 	if parent == nil {
-		return nil
+		parent = operation.NewOperation(nil)
 	}
 
 	var wafop *waf.WafOperation
diff --git a/internal/emitter/http/client_handler.go b/internal/emitter/http/client_handler.go
@@ -44,7 +44,7 @@ var _ http.RoundTripper = &Transport{}
 func ProtectRoundTrip(ctx context.Context, url string) error {
 	parent, _ := operation.FindOperationFromContext(ctx)
 	if parent == nil {
-		return nil
+		parent = operation.NewOperation(nil)
 	}
 
 	var wafop *waf.WafOperation
diff --git a/internal/emitter/http/client_handler_test.go b/internal/emitter/http/client_handler_test.go
@@ -35,8 +35,8 @@ func TestWrapClient(t *testing.T) {
 		},
 		"when not through http operation": {
 			ctx:       context.Background(),
-			url:       "https://example.com",
-			expectErr: false,
+			url:       "http://169.254.169.254",
+			expectErr: true,
 		},
 	}
 
diff --git a/internal/emitter/os/handler.go b/internal/emitter/os/handler.go
@@ -32,7 +32,7 @@ func (r *FileOperationResult) IsBlock() bool {
 func ProtectFileOperation(ctx context.Context, path string) error {
 	parent, _ := operation.FindOperationFromContext(ctx)
 	if parent == nil {
-		return nil
+		parent = operation.NewOperation(nil)
 	}
 
 	var wafop *waf.WafOperation
diff --git a/internal/emitter/os/handler_test.go b/internal/emitter/os/handler_test.go
@@ -9,12 +9,13 @@ import (
 	"github.com/sitebatch/waffle-go/internal/emitter/os"
 	"github.com/sitebatch/waffle-go/waf"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestProtectFileOperation(t *testing.T) {
 	t.Parallel()
 
-	waffle.Start()
+	require.NoError(t, waffle.Start())
 
 	testCases := map[string]struct {
 		ctx       context.Context
@@ -36,6 +37,11 @@ func TestProtectFileOperation(t *testing.T) {
 			filePath:  "file.txt",
 			expectErr: false,
 		},
+		"not through http operation and attack request": {
+			ctx:       context.Background(),
+			filePath:  "/var/run/secrets/kubernetes.io/serviceaccount/token",
+			expectErr: true,
+		},
 	}
 
 	for name, tt := range testCases {
diff --git a/internal/emitter/sql/handler.go b/internal/emitter/sql/handler.go
@@ -32,7 +32,7 @@ func (r *SQLOperationResult) IsBlock() bool {
 func ProtectSQLOperation(ctx context.Context, query string) error {
 	parent, _ := operation.FindOperationFromContext(ctx)
 	if parent == nil {
-		return nil
+		parent = operation.NewOperation(nil)
 	}
 
 	var wafop *waf.WafOperation
diff --git a/internal/emitter/sql/handler_test.go b/internal/emitter/sql/handler_test.go
@@ -9,12 +9,13 @@ import (
 	"github.com/sitebatch/waffle-go/internal/emitter/sql"
 	"github.com/sitebatch/waffle-go/waf"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestProtectSQLOperation(t *testing.T) {
 	t.Parallel()
 
-	waffle.Start()
+	require.NoError(t, waffle.Start())
 
 	testCases := map[string]struct {
 		ctx       context.Context
@@ -36,11 +37,14 @@ func TestProtectSQLOperation(t *testing.T) {
 			query:     "SELECT * FROM users",
 			expectErr: false,
 		},
+		"not through http operation and attack request": {
+			ctx:       context.Background(),
+			query:     "SELECT * FROM users WHERE id = '1' OR 1=1--",
+			expectErr: true,
+		},
 	}
 
 	for name, tt := range testCases {
-		tt := tt
-
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
diff --git a/waffle.go b/waffle.go
@@ -46,6 +46,7 @@ func WithRule(ruleJSON []byte) Options {
 	}
 }
 
+// Start initializes and starts Waffle with the provided options.
 func Start(opts ...Options) error {
 	response.InitResponseWriterFeature()
 
@@ -90,6 +91,12 @@ func SetErrorHandler(h handler.ErrorHandler) {
 	handler.SetErrorHandler(h)
 }
 
+// SetExporter sets a exporter of WAF detection event.
+//
+// Waffle can export WAF detection events to any desired location using the provided exporter.
+// By default, Waffle uses a no-operation exporter that does not export any events.
+// You can implement your own exporter by implementing the exporter.EventExporter interface
+// and set it using this function.
 func SetExporter(eventExporter exporter.EventExporter) {
 	exporter.SetExporter(eventExporter)
 }

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,9 @@ type eventExporterProvider struct {`
`15`	`15`	`ep EventExporter`
`16`	`16`	`}`
`17`	`17`
	`18`	`+// EventExporter exports WAF detection events to any desired location.`
`18`	`19`	`type EventExporter interface {`
	`20`	`+ // Export transforms and transmits event data to any desired location.`
`19`	`21`	`Export(ctx context.Context, event waf.ReadOnlyDetectionEvents) error`
`20`	`22`	`}`
`21`	`23`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ func IsSuspiciousLoginActivity(`
`37`	`37`	`) error {`
`38`	`38`	`parent, _ := operation.FindOperationFromContext(ctx)`
`39`	`39`	`if parent == nil {`
`40`		`- return nil`
	`40`	`+ parent = operation.NewOperation(nil)`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`var wafop *waf.WafOperation`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ var _ http.RoundTripper = &Transport{}`
`44`	`44`	`func ProtectRoundTrip(ctx context.Context, url string) error {`
`45`	`45`	`parent, _ := operation.FindOperationFromContext(ctx)`
`46`	`46`	`if parent == nil {`
`47`		`- return nil`
	`47`	`+ parent = operation.NewOperation(nil)`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`var wafop *waf.WafOperation`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func (r *FileOperationResult) IsBlock() bool {`
`32`	`32`	`func ProtectFileOperation(ctx context.Context, path string) error {`
`33`	`33`	`parent, _ := operation.FindOperationFromContext(ctx)`
`34`	`34`	`if parent == nil {`
`35`		`- return nil`
	`35`	`+ parent = operation.NewOperation(nil)`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`var wafop *waf.WafOperation`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func (r *SQLOperationResult) IsBlock() bool {`
`32`	`32`	`func ProtectSQLOperation(ctx context.Context, query string) error {`
`33`	`33`	`parent, _ := operation.FindOperationFromContext(ctx)`
`34`	`34`	`if parent == nil {`
`35`		`- return nil`
	`35`	`+ parent = operation.NewOperation(nil)`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`var wafop *waf.WafOperation`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ func WithRule(ruleJSON []byte) Options {`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`
	`49`	`+// Start initializes and starts Waffle with the provided options.`
`49`	`50`	`func Start(opts ...Options) error {`
`50`	`51`	`response.InitResponseWriterFeature()`
`51`	`52`
`@@ -90,6 +91,12 @@ func SetErrorHandler(h handler.ErrorHandler) {`
`90`	`91`	`handler.SetErrorHandler(h)`
`91`	`92`	`}`
`92`	`93`
	`94`	`+// SetExporter sets a exporter of WAF detection event.`
	`95`	`+//`
	`96`	`+// Waffle can export WAF detection events to any desired location using the provided exporter.`
	`97`	`+// By default, Waffle uses a no-operation exporter that does not export any events.`
	`98`	`+// You can implement your own exporter by implementing the exporter.EventExporter interface`
	`99`	`+// and set it using this function.`
`93`	`100`	`func SetExporter(eventExporter exporter.EventExporter) {`
`94`	`101`	`exporter.SetExporter(eventExporter)`
`95`	`102`	`}`