diff --git a/gatewayd_plugin.yaml b/gatewayd_plugin.yaml index fc95bd0..80273c5 100644 --- a/gatewayd_plugin.yaml +++ b/gatewayd_plugin.yaml @@ -27,10 +27,7 @@ plugins: - METRICS_ENABLED=True - METRICS_UNIX_DOMAIN_SOCKET=/tmp/gatewayd-plugin-sql-ids-ips.sock - METRICS_PATH=/metrics - - TOKENIZER_API_ADDRESS=http://localhost:8000 - - SERVING_API_ADDRESS=http://localhost:8501 - - MODEL_NAME=sqli_model - - MODEL_VERSION=3 + - PREDICTION_API_ADDRESS=http://localhost:8000 # Threshold determine the minimum prediction confidence # required to detect an SQL injection attack. Any value # between 0 and 1 is valid, and it is inclusive. diff --git a/go.mod b/go.mod index 65dbf9f..1a78619 100644 --- a/go.mod +++ b/go.mod @@ -4,16 +4,16 @@ go 1.23.1 require ( github.com/carlmjohnson/requests v0.24.2 - github.com/corazawaf/libinjection-go v0.2.1 - github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.2 - github.com/getsentry/sentry-go v0.29.0 + github.com/corazawaf/libinjection-go v0.2.2 + github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.3 + github.com/getsentry/sentry-go v0.29.1 github.com/hashicorp/go-hclog v1.6.3 github.com/hashicorp/go-plugin v1.6.1 github.com/jackc/pgx/v5 v5.7.1 - github.com/prometheus/client_golang v1.20.4 + github.com/prometheus/client_golang v1.20.5 github.com/spf13/cast v1.7.0 github.com/stretchr/testify v1.9.0 - google.golang.org/grpc v1.67.0 + google.golang.org/grpc v1.67.1 ) require ( @@ -25,7 +25,7 @@ require ( github.com/fatih/color v1.17.0 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/hashicorp/yamux v0.1.2 // indirect - github.com/klauspost/compress v1.17.10 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect 
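Review bot: `PREDICTION_API_ADDRESS=http://localhost:8000` is a cleartext, unauthenticated endpoint, and nothing near the key says what crosses it — plugin.go POSTs every client query string to this URL and the returned `confidence` alone decides whether the query is blocked, so whoever can answer on that port controls the verdict. Worth stating next to the key: `# Every client query is POSTed here in cleartext; keep the prediction API on loopback or behind TLS and never expose it to clients.` The loopback example value is fine for local use; the comment is what makes the trust boundary explicit for anyone who points it elsewhere.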
@@ -34,17 +34,17 @@ require ( github.com/pganalyze/pg_query_go/v5 v5.1.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_model v0.6.1 // indirect - github.com/prometheus/common v0.59.1 // indirect + github.com/prometheus/common v0.60.0 // indirect github.com/prometheus/procfs v0.15.1 // indirect - github.com/redis/go-redis/v9 v9.6.1 // indirect + github.com/redis/go-redis/v9 v9.7.0 // indirect github.com/rs/zerolog v1.33.0 // indirect - github.com/tetratelabs/wazero v1.8.0 // indirect - github.com/wasilibs/go-pgquery v0.0.0-20240826014338-9ea9e19d01fd // indirect + github.com/tetratelabs/wazero v1.8.1 // indirect + github.com/wasilibs/go-pgquery v0.0.0-20241011013927-817756c5aae4 // indirect github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 // indirect - golang.org/x/net v0.29.0 // indirect - golang.org/x/sys v0.25.0 // indirect - golang.org/x/text v0.18.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect - google.golang.org/protobuf v1.34.2 // indirect + golang.org/x/net v0.30.0 // indirect + golang.org/x/sys v0.26.0 // indirect + golang.org/x/text v0.19.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index ac44136..b201352 100644 --- a/go.sum +++ b/go.sum 
@@ -10,8 +10,8 @@ github.com/carlmjohnson/requests v0.24.2 h1:JDakhAmTIKL/qL/1P7Kkc2INGBJIkIFP6xUe github.com/carlmjohnson/requests v0.24.2/go.mod h1:duYA/jDnyZ6f3xbcF5PpZ9N8clgopubP2nK5i6MVMhU= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y= -github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw= +github.com/corazawaf/libinjection-go v0.2.2 h1:Chzodvb6+NXh6wew5/yhD0Ggioif9ACrQGR4qjTCs1g= +github.com/corazawaf/libinjection-go v0.2.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -25,10 +25,10 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.2 h1:QpQ1S2EQqihMdtzt/m91/QvywqV4YJ1DxcsdzCz1LpE= -github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.2/go.mod h1:y4lg+7kUy1z6RWC7RHdHZ2LuQMuUVK1JWX3nY5kPi3s= -github.com/getsentry/sentry-go v0.29.0 h1:YtWluuCFg9OfcqnaujpY918N/AhCCwarIDWOYSBAjCA= -github.com/getsentry/sentry-go v0.29.0/go.mod h1:jhPesDAL0Q0W2+2YEuVOvdWmVtdsr1+jtBrlDEVWwLY= +github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.3 h1:YEzArv9RhjyXYY+9ZBDasbgu443z/It4aDBl0c3na9I= +github.com/gatewayd-io/gatewayd-plugin-sdk v0.3.3/go.mod h1:32KrFHUNwJFzeI879x8XGEPWXEUMWmjVxMPBTi2y9E8= +github.com/getsentry/sentry-go v0.29.1 h1:DyZuChN8Hz3ARxGVV8ePaNXh1dQ7d76AiB117xcREwA= +github.com/getsentry/sentry-go v0.29.1/go.mod h1:x3AtIzN01d6SiWkderzaH28Tm0lgkafpJ5Bm3li39O0= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 
@@ -52,8 +52,8 @@ github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs= github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA= github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo= -github.com/klauspost/compress v1.17.10 h1:oXAz+Vh0PMUvJczoi+flxpnBEPxoER1IaAnU/NMPtT0= -github.com/klauspost/compress v1.17.10/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -84,16 +84,16 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= -github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= -github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/redis/go-redis/v9 v9.6.1 h1:HHDteefn6ZkTtY5fGUE8tj8uy85AHk6zP7CpzIAM0y4= -github.com/redis/go-redis/v9 v9.6.1/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod 
h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= 
@@ -105,16 +105,16 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/tetratelabs/wazero v1.8.0 h1:iEKu0d4c2Pd+QSRieYbnQC9yiFlMS9D+Jr0LsRmcF4g= -github.com/tetratelabs/wazero v1.8.0/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= -github.com/wasilibs/go-pgquery v0.0.0-20240826014338-9ea9e19d01fd h1:sg+N4jmzrjTjOXbDBy7p5nmASwSWiGJR82EL6H2xIJk= -github.com/wasilibs/go-pgquery v0.0.0-20240826014338-9ea9e19d01fd/go.mod h1:wtFpefAF8l2Y52RXDIXZK6bJT9T7bhc9R5VBGdcO/Sk= +github.com/tetratelabs/wazero v1.8.1 h1:NrcgVbWfkWvVc4UtT4LRLDf91PsOzDzefMdwhLfA550= +github.com/tetratelabs/wazero v1.8.1/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs= +github.com/wasilibs/go-pgquery v0.0.0-20241011013927-817756c5aae4 h1:p44LEm5hBmg95D3r4660Yj3JNhq49k8C15x2V8++S9U= +github.com/wasilibs/go-pgquery v0.0.0-20241011013927-817756c5aae4/go.mod h1:wCxHuE+0U5cAPbv6kakm/EPjDwnpEao1HXvBhBMrprA= github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 h1:OvLBa8SqJnZ6P+mjlzc2K7PM22rRUPE1x32G9DTPrC4= github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52/go.mod h1:jMeV4Vpbi8osrE/pKUxRZkVaA0EX7NZN0A9/oRzgpgY= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= 
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -123,19 +123,19 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw= -google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf 
v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= diff --git a/main.go b/main.go index 3820587..740ae6d 100644 --- a/main.go +++ b/main.go @@ -54,10 +54,7 @@ func main() { pluginInstance.Impl.EnableLibinjection = cast.ToBool(cfg["enableLibinjection"]) pluginInstance.Impl.LibinjectionPermissiveMode = cast.ToBool( cfg["libinjectionPermissiveMode"]) - pluginInstance.Impl.TokenizerAPIAddress = cast.ToString(cfg["tokenizerAPIAddress"]) - pluginInstance.Impl.ServingAPIAddress = cast.ToString(cfg["servingAPIAddress"]) - pluginInstance.Impl.ModelName = cast.ToString(cfg["modelName"]) - pluginInstance.Impl.ModelVersion = cast.ToString(cfg["modelVersion"]) + pluginInstance.Impl.PredictionAPIAddress = cast.ToString(cfg["predictionAPIAddress"]) pluginInstance.Impl.ResponseType = cast.ToString(cfg["responseType"]) pluginInstance.Impl.ErrorMessage = cast.ToString(cfg["errorMessage"]) diff --git a/plugin/constants.go b/plugin/constants.go index d2ff29b..2897925 100644 --- a/plugin/constants.go +++ b/plugin/constants.go 
@@ -3,12 +3,11 @@ package plugin const ( DecodedQueryField string = "decodedQuery" DetectorField string = "detector" - ScoreField string = "score" QueryField string = "query" ErrorField string = "error" IsInjectionField string = "is_injection" ResponseField string = "response" - OutputsField string = "outputs" + ConfidenceField string = "confidence" TokensField string = "tokens" StringField string = "String" ResponseTypeField string = "response_type" @@ -23,6 +22,5 @@ const ( ErrorDetail string = "Back off, you're not welcome here." LogLevel string = "error" - TokenizeAndSequencePath string = "/tokenize_and_sequence" - PredictPath string = "/v1/models/%s/versions/%s:predict" + PredictPath string = "/predict" ) diff --git a/plugin/module.go b/plugin/module.go index 0f88954..09de3d8 100644 --- a/plugin/module.go +++ b/plugin/module.go @@ -36,12 +36,8 @@ var ( "metricsUnixDomainSocket": sdkConfig.GetEnv( "METRICS_UNIX_DOMAIN_SOCKET", "/tmp/gatewayd-plugin-sql-ids-ips.sock"), "metricsEndpoint": sdkConfig.GetEnv("METRICS_ENDPOINT", "/metrics"), - "tokenizerAPIAddress": sdkConfig.GetEnv( - "TOKENIZER_API_ADDRESS", "http://localhost:8000"), - "servingAPIAddress": sdkConfig.GetEnv( - "SERVING_API_ADDRESS", "http://localhost:8501"), - "modelName": sdkConfig.GetEnv("MODEL_NAME", "sqli_model"), - "modelVersion": sdkConfig.GetEnv("MODEL_VERSION", "1"), + "predictionAPIAddress": sdkConfig.GetEnv( + "PREDICTION_API_ADDRESS", "http://localhost:8000"), "threshold": sdkConfig.GetEnv("THRESHOLD", "0.8"), "enableLibinjection": sdkConfig.GetEnv("ENABLE_LIBINJECTION", "true"), "libinjectionPermissiveMode": sdkConfig.GetEnv("LIBINJECTION_MODE", "true"), diff --git a/plugin/plugin.go b/plugin/plugin.go index 0cc72db..2be7da1 100644 --- a/plugin/plugin.go +++ b/plugin/plugin.go @@ -4,7 +4,6 @@ import ( "context" "encoding/base64" "encoding/json" - "fmt" "github.com/carlmjohnson/requests" "github.com/corazawaf/libinjection-go" 
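Review bot: The `LIBINJECTION_MODE` default of `"true"` in the module.go hunk leaves the plugin fail-open by default now that the prediction API is the only model call: the request-error branch in plugin.go returns `req, nil` unless `!p.LibinjectionPermissiveMode` (its `if` sits just outside the later hunk, but the removed tokenizer branch shows the same shape), so with this default an unreachable or crashed prediction service lets every query through unblocked. That trade-off may well be intentional for availability, but it belongs where the default is set, e.g. `// Permissive mode (the default) never blocks on libinjection alone, so a prediction API outage disables blocking entirely.` Separately, `TokensField` in constants.go is now dead — the only reader, `tokens[TokensField]`, was removed with the tokenizer call — and can go the same way as `TokenizeAndSequencePath`.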
@@ -28,10 +27,7 @@ type Plugin struct { Threshold float32 EnableLibinjection bool LibinjectionPermissiveMode bool - TokenizerAPIAddress string - ServingAPIAddress string - ModelName string - ModelVersion string + PredictionAPIAddress string ResponseType string ErrorMessage string ErrorSeverity string @@ -111,36 +107,12 @@ func (p *Plugin) OnTrafficFromClient(ctx context.Context, req *v1.Struct) (*v1.S } queryString := cast.ToString(queryMap[StringField]) - var tokens map[string]any - err = requests. - URL(p.TokenizerAPIAddress). - Path(TokenizeAndSequencePath). - BodyJSON(map[string]any{ - QueryField: queryString, - }). - ToJSON(&tokens). - Fetch(context.Background()) - if err != nil { - p.Logger.Error("Failed to make POST request", ErrorField, err) - if p.isSQLi(queryString) && !p.LibinjectionPermissiveMode { - return p.prepareResponse( - req, - map[string]any{ - QueryField: queryString, - DetectorField: Libinjection, - ErrorField: "Failed to make POST request to tokenizer API", - }, - ), nil - } - return req, nil - } - var output map[string]any err = requests. - URL(p.ServingAPIAddress). - Path(fmt.Sprintf(PredictPath, p.ModelName, p.ModelVersion)). + URL(p.PredictionAPIAddress). + Path(PredictPath). BodyJSON(map[string]any{ - "inputs": []any{cast.ToSlice(tokens[TokensField])}, + QueryField: queryString, }). ToJSON(&output). Fetch(context.Background()) 
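Review bot: `Fetch(context.Background())` on the remaining prediction call ignores the `ctx` that OnTrafficFromClient receives and carries no deadline, so a stalled prediction API holds every client query open for as long as the transport allows; with the tokenizer call gone this is now the single blocking dependency on the hot path. Pass the handler's context so the gateway's cancellation reaches the request, `Fetch(ctx)`, and consider deriving a bounded one with `context.WithTimeout` from a configured value — no timeout field exists in the `Plugin` struct shown. The body of OnTrafficFromClient continues past the end of this hunk.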
@@ -152,34 +124,32 @@ func (p *Plugin) OnTrafficFromClient(ctx context.Context, req *v1.Struct) (*v1.S map[string]any{ QueryField: queryString, DetectorField: Libinjection, - ErrorField: "Failed to make POST request to serving API", + ErrorField: "Failed to make POST request to tokenizer API", }, ), nil } return req, nil } - predictions := cast.ToSlice(output[OutputsField]) - scores := cast.ToSlice(predictions[0]) - score := cast.ToFloat32(scores[0]) - p.Logger.Trace("Deep learning model prediction", ScoreField, score) + confidence := cast.ToFloat32(output[ConfidenceField]) + p.Logger.Trace("Deep learning model prediction", ConfidenceField, confidence) // Check the prediction against the threshold, // otherwise check if the query is an SQL injection using libinjection. injection := p.isSQLi(queryString) - if score >= p.Threshold { + if confidence >= p.Threshold { if p.EnableLibinjection && !injection { p.Logger.Debug("False positive detected", DetectorField, Libinjection) } Detections.With(map[string]string{DetectorField: DeepLearningModel}).Inc() - p.Logger.Warn(p.ErrorMessage, ScoreField, score, DetectorField, DeepLearningModel) + p.Logger.Warn(p.ErrorMessage, ConfidenceField, confidence, DetectorField, DeepLearningModel) return p.prepareResponse( req, map[string]any{ - QueryField: queryString, - ScoreField: score, - DetectorField: DeepLearningModel, + QueryField: queryString, + ConfidenceField: confidence, + DetectorField: DeepLearningModel, }, ), nil } else if p.EnableLibinjection && injection && !p.LibinjectionPermissiveMode { diff --git a/plugin/plugin_test.go b/plugin/plugin_test.go index 4ed0eec..fdcb19f 100644 --- a/plugin/plugin_test.go +++ b/plugin/plugin_test.go @@ -3,7 +3,6 @@ package plugin import ( "context" "encoding/json" - "fmt" "net/http" "net/http/httptest" "testing" 
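Review bot: `confidence := cast.ToFloat32(output[ConfidenceField])` turns a 200 response that lacks `confidence` (or carries a non-numeric one) into a silent 0.0, which is below any threshold in [0, 1], so a misbehaving or spoofed prediction API makes the model path fail open without a log line — the previous `predictions[0]` indexing at least failed loudly. A missing or unparsable field should be treated like a failed request and fall back to libinjection the way the error branch above does; `cast.ToFloat32E` plus a presence check gets there, as below. The reworded error on the failed-request branch also still says "tokenizer API" although the only call left is to the prediction API — `ErrorField: "Failed to make POST request to prediction API",`. OnTrafficFromClient continues past the end of this hunk.
```go
rawConfidence, ok := output[ConfidenceField]
confidence, err := cast.ToFloat32E(rawConfidence)
if !ok || err != nil {
	p.Logger.Error("Prediction API response has no usable confidence field", ErrorField, err)
	if p.isSQLi(queryString) && !p.LibinjectionPermissiveMode {
		return p.prepareResponse(
			req,
			map[string]any{
				QueryField:    queryString,
				DetectorField: Libinjection,
				ErrorField:    "Prediction API response has no usable confidence field",
			},
		), nil
	}
	return req, nil
}
p.Logger.Trace("Deep learning model prediction", ConfidenceField, confidence)
// … unchanged: threshold comparison and libinjection fallback …
```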
@@ -71,28 +70,13 @@ func Test_errorResponse(t *testing.T) { func Test_OnTrafficFromClinet(t *testing.T) { p := &Plugin{ - Logger: hclog.NewNullLogger(), - ModelName: "sqli_model", - ModelVersion: "2", + Logger: hclog.NewNullLogger(), } server := httptest.NewServer( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { - case TokenizeAndSequencePath: - w.WriteHeader(http.StatusOK) - w.Header().Set("Content-Type", "application/json") - // This is the tokenized query: - // {"query":"select * from users where id = 1 or 1=1"} - resp := map[string][]float32{ - "tokens": { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 6, 5, 73, 7, 68, 4, 11, 12, - }, - } - data, _ := json.Marshal(resp) - _, err := w.Write(data) - require.NoError(t, err) - case fmt.Sprintf(PredictPath, p.ModelName, p.ModelVersion): + case PredictPath: w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") // This is the output of the deep learning model. @@ -107,8 +91,7 @@ func Test_OnTrafficFromClinet(t *testing.T) { ) defer server.Close() - p.TokenizerAPIAddress = server.URL - p.ServingAPIAddress = server.URL + p.PredictionAPIAddress = server.URL query := pgproto3.Query{String: "SELECT * FROM users WHERE id = 1 OR 1=1"} queryBytes, err := query.Encode(nil) 
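Review bot: The mock handler for `PredictPath` still calls `w.WriteHeader(http.StatusOK)` before `w.Header().Set("Content-Type", "application/json")`, so the header is never sent — the test evidently passes without it, but the inverted order will mislead the next change; swap the two lines. More importantly, the wire contract this commit introduces — a JSON body keyed by `query` instead of `inputs` — is asserted nowhere, because the handler never reads `r.Body`. Decoding it pins the new format, e.g. `var body map[string]any; require.NoError(t, json.NewDecoder(r.Body).Decode(&body)); require.Contains(t, body, QueryField)`.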
@@ -136,17 +119,13 @@ func Test_OnTrafficFromClinet(t *testing.T) { func Test_OnTrafficFromClinetFailedTokenization(t *testing.T) { plugins := []*Plugin{ { - Logger: hclog.NewNullLogger(), - ModelName: "sqli_model", - ModelVersion: "2", + Logger: hclog.NewNullLogger(), // If libinjection is enabled, the response should contain the "response" field, // and the "signals" field, which means the plugin will terminate the request. EnableLibinjection: true, }, { - Logger: hclog.NewNullLogger(), - ModelName: "sqli_model", - ModelVersion: "2", + Logger: hclog.NewNullLogger(), // If libinjection is disabled, the response should not contain the "response" field, // and the "signals" field, which means the plugin will not terminate the request. EnableLibinjection: false, @@ -156,7 +135,7 @@ func Test_OnTrafficFromClinetFailedTokenization(t *testing.T) { server := httptest.NewServer( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { - case TokenizeAndSequencePath: + case PredictPath: w.WriteHeader(http.StatusInternalServerError) default: w.WriteHeader(http.StatusNotFound) @@ -166,8 +145,7 @@ func Test_OnTrafficFromClinetFailedTokenization(t *testing.T) { defer server.Close() for i := range plugins { - plugins[i].TokenizerAPIAddress = server.URL - plugins[i].ServingAPIAddress = server.URL + plugins[i].PredictionAPIAddress = server.URL query := pgproto3.Query{String: "SELECT * FROM users WHERE id = 1 OR 1=1"} queryBytes, err := query.Encode(nil) 
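Review bot: After this change Test_OnTrafficFromClinetFailedTokenization and Test_OnTrafficFromClinetFailedPrediction exercise the same path — both mock servers answer `PredictPath` with 500 and everything else with 404 — so the two tests are duplicates, and the "FailedTokenization" name describes a call that no longer exists. Keep the FailedPrediction one, or repurpose this one for the other failure mode the new code has: a 200 response whose body carries no `confidence` field, which `cast.ToFloat32` currently turns into 0 and the plugin treats as a benign query. Either way the name should stop referring to tokenization, e.g. `func Test_OnTrafficFromClientPredictionMissingConfidence(t *testing.T)`.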
@@ -204,43 +182,22 @@ func Test_OnTrafficFromClinetFailedTokenization(t *testing.T) { func Test_OnTrafficFromClinetFailedPrediction(t *testing.T) { plugins := []*Plugin{ { - Logger: hclog.NewNullLogger(), - ModelName: "sqli_model", - ModelVersion: "2", + Logger: hclog.NewNullLogger(), // If libinjection is disabled, the response should not contain the "response" field, // and the "signals" field, which means the plugin will not terminate the request. EnableLibinjection: false, }, { - Logger: hclog.NewNullLogger(), - ModelName: "sqli_model", - ModelVersion: "2", + Logger: hclog.NewNullLogger(), // If libinjection is enabled, the response should contain the "response" field, // and the "signals" field, which means the plugin will terminate the request. EnableLibinjection: true, }, } - - // This is the same for both plugins. - predictPath := fmt.Sprintf(PredictPath, plugins[0].ModelName, plugins[1].ModelVersion) - server := httptest.NewServer( http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { - case TokenizeAndSequencePath: - w.WriteHeader(http.StatusOK) - w.Header().Set("Content-Type", "application/json") - // This is the tokenized query: - // {"query":"select * from users where id = 1 or 1=1"} - resp := map[string][]float32{ - "tokens": { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 6, 5, 73, 7, 68, 4, 11, 12, - }, - } - data, _ := json.Marshal(resp) - _, err := w.Write(data) - require.NoError(t, err) - case predictPath: + case PredictPath: w.WriteHeader(http.StatusInternalServerError) default: w.WriteHeader(http.StatusNotFound) 
@@ -250,8 +207,7 @@ func Test_OnTrafficFromClinetFailedPrediction(t *testing.T) { defer server.Close() for i := range plugins { - plugins[i].TokenizerAPIAddress = server.URL - plugins[i].ServingAPIAddress = server.URL + plugins[i].PredictionAPIAddress = server.URL query := pgproto3.Query{String: "SELECT * FROM users WHERE id = 1 OR 1=1"} queryBytes, err := query.Encode(nil) diff --git a/rules/gatewayd/sql-injection-detected.yaml b/rules/gatewayd/sql-injection-detected.yaml index d75edfc..17ce583 100644 --- a/rules/gatewayd/sql-injection-detected.yaml +++ b/rules/gatewayd/sql-injection-detected.yaml @@ -7,7 +7,7 @@ references: - https://capec.mitre.org/data/definitions/66.html - https://cwe.mitre.org/data/definitions/89.html author: Mostafa Moradian -date: 2024/05/19 +date: 2024-05-19 tags: - attack.initial_access - attack.t1190