Use wasilibs aho-corasick (envoyproxy#132)

arminabf · Jan 24, 2023 · c6676de · c6676de
1 parent 45394e6
commit c6676de
Show file tree

Hide file tree

Showing 12 changed files with 58 additions and 225 deletions.
diff --git a/buildtools/aho-corasick/Cargo.lock b/buildtools/aho-corasick/Cargo.lock
diff --git a/buildtools/aho-corasick/Cargo.toml b/buildtools/aho-corasick/Cargo.toml
diff --git a/buildtools/aho-corasick/Dockerfile b/buildtools/aho-corasick/Dockerfile
diff --git a/buildtools/aho-corasick/src/lib.rs b/buildtools/aho-corasick/src/lib.rs
diff --git a/go.mod b/go.mod
@@ -5,8 +5,9 @@ go 1.19
 require (
 	github.com/corazawaf/coraza/v3 v3.0.0-20230110223518-703d29668893
 	github.com/stretchr/testify v1.8.0
-	github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20221031045735-89d180d022a5
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20230115020858-593cf0f7417a
 	github.com/tidwall/gjson v1.14.3
+	github.com/wasilibs/go-aho-corasick v0.2.0
 	github.com/wasilibs/go-re2 v0.0.0-20221219074959-3ec67f9038f0
 )
 
@@ -17,7 +18,7 @@ require (
 	github.com/magefile/mage v1.14.0 // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/tetratelabs/wazero v1.0.0-pre.4.0.20221213074253-2e13f57f56a1 // indirect
+	github.com/tetratelabs/wazero v1.0.0-pre.7 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	golang.org/x/net v0.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -23,17 +23,19 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20221031045735-89d180d022a5 h1:gbsZkzeu+H7oX9xJA97eIuNHCuXfppuJh32mX2Cpeqc=
-github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20221031045735-89d180d022a5/go.mod h1:A0osZ5uU1yRt5ZOdRRzIHxJZf8xzsxvEkeL8Ae698+s=
-github.com/tetratelabs/wazero v1.0.0-pre.4.0.20221213074253-2e13f57f56a1 h1:L+/AG1GzZc8u7tIl7ijAl508T/FHu9esMf+E3hZ1JVA=
-github.com/tetratelabs/wazero v1.0.0-pre.4.0.20221213074253-2e13f57f56a1/go.mod h1:u8wrFmpdrykiFK0DFPiFm5a4+0RzsdmXYVtijBKqUVo=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20230115020858-593cf0f7417a h1:uxfM0O1fvBKs3UyCZgz69LRzjyg2eBiPIvSD7xmgap8=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.20.1-0.20230115020858-593cf0f7417a/go.mod h1:62ObOye8ebDcihh92dIsVV+TgzjOehFeg8fruL6F12g=
+github.com/tetratelabs/wazero v1.0.0-pre.7 h1:WI5N14XxoXw+ZWhcjSazJ6rEowhJbH/x8hglxC5gN7k=
+github.com/tetratelabs/wazero v1.0.0-pre.7/go.mod h1:u8wrFmpdrykiFK0DFPiFm5a4+0RzsdmXYVtijBKqUVo=
 github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
 github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/wasilibs/go-aho-corasick v0.2.0 h1:32cgC99Id42dzoUupwn0nMPMxz3QD6DlxdjYpOVfZOA=
+github.com/wasilibs/go-aho-corasick v0.2.0/go.mod h1:70K0dlZi6vyp5xyczyd73SCZMYcxswRXLVnUwQSKpM4=
 github.com/wasilibs/go-re2 v0.0.0-20221219074959-3ec67f9038f0 h1:+dy0jRJ7Y0sMNJPUkTeZ8qC9qc9tNWJ/Noha+L6w2ZE=
 github.com/wasilibs/go-re2 v0.0.0-20221219074959-3ec67f9038f0/go.mod h1:9YbcVrlaRryN9yCvk1fAjJTn5MLKPEd9/LnCJPkGWxY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=

diff --git a/init_tinygo.go b/init_tinygo.go
@@ -7,5 +7,5 @@ package main
 
 import _ "github.com/corazawaf/coraza-proxy-wasm/internal/gc"
 
-// #cgo LDFLAGS: lib/libinjection.a lib/libaho_corasick.a lib/libmimalloc.a lib/libgc.a
+// #cgo LDFLAGS: lib/libinjection.a lib/libmimalloc.a lib/libgc.a
 import "C"
diff --git a/internal/ahocorasick/ahocorasick.go b/internal/ahocorasick/ahocorasick.go
diff --git a/internal/operators/pm.go b/internal/operators/pm.go
@@ -9,30 +9,57 @@ import (
 	"strings"
 
 	"github.com/corazawaf/coraza/v3/rules"
-
-	"github.com/corazawaf/coraza-proxy-wasm/internal/ahocorasick"
+	ahocorasick "github.com/wasilibs/go-aho-corasick"
 )
 
 type pm struct {
-	m ahocorasick.Matcher
+	matcher ahocorasick.AhoCorasick
 }
 
 var _ rules.Operator = (*pm)(nil)
 
 func newPM(options rules.OperatorOptions) (rules.Operator, error) {
-	return &pm{m: ahocorasick.NewMatcher(strings.Split(options.Arguments, " "))}, nil
+	data := options.Arguments
+
+	data = strings.ToLower(data)
+	dict := strings.Split(data, " ")
+	builder := ahocorasick.NewAhoCorasickBuilder(ahocorasick.Opts{
+		AsciiCaseInsensitive: true,
+		MatchOnlyWholeWords:  false,
+		MatchKind:            ahocorasick.LeftMostLongestMatch,
+		DFA:                  true,
+	})
+
+	// TODO this operator is supposed to support snort data syntax: "@pm A|42|C|44|F"
+	return &pm{matcher: builder.Build(dict)}, nil
 }
 
 func (o *pm) Evaluate(tx rules.TransactionState, value string) bool {
-	return pmEvaluate(o.m, tx, value)
+	return pmEvaluate(o.matcher, tx, value)
 }
 
-func pmEvaluate(m ahocorasick.Matcher, tx rules.TransactionState, value string) bool {
-	matches := m.Matches(value, 8)
-	if tx.Capturing() {
-		for i, c := range matches {
-			tx.CaptureField(i, c)
+func pmEvaluate(matcher ahocorasick.AhoCorasick, tx rules.TransactionState, value string) bool {
+	iter := matcher.Iter(value)
+
+	if !tx.Capturing() {
+		// Not capturing so just one match is enough.
+		return iter.Next() != nil
+	}
+
+	var numMatches int
+	for {
+		m := iter.Next()
+		if m == nil {
+			break
+		}
+
+		tx.CaptureField(numMatches, value[m.Start():m.End()])
+
+		numMatches++
+		if numMatches == 10 {
+			return true
 		}
 	}
-	return len(matches) > 0
+
+	return numMatches > 0
 }
diff --git a/internal/operators/pm_from_file.go b/internal/operators/pm_from_file.go
@@ -11,8 +11,7 @@ import (
 	"strings"
 
 	"github.com/corazawaf/coraza/v3/rules"
-
-	"github.com/corazawaf/coraza-proxy-wasm/internal/ahocorasick"
+	ahocorasick "github.com/wasilibs/go-aho-corasick"
 )
 
 func newPMFromFile(options rules.OperatorOptions) (rules.Operator, error) {
@@ -37,5 +36,12 @@ func newPMFromFile(options rules.OperatorOptions) (rules.Operator, error) {
 		lines = append(lines, strings.ToLower(l))
 	}
 
-	return &pm{m: ahocorasick.NewMatcher(lines)}, nil
+	builder := ahocorasick.NewAhoCorasickBuilder(ahocorasick.Opts{
+		AsciiCaseInsensitive: true,
+		MatchOnlyWholeWords:  false,
+		MatchKind:            ahocorasick.LeftMostLongestMatch,
+		DFA:                  false,
+	})
+
+	return &pm{matcher: builder.Build(lines)}, nil
 }
diff --git a/lib/libaho_corasick.a b/lib/libaho_corasick.a
diff --git a/magefiles/magefile.go b/magefiles/magefile.go
@@ -203,7 +203,7 @@ tinygo build -gc=custom -opt=2 -o %s -scheduler=none -target=wasi %s`, filepath.
 
 // UpdateLibs updates the C++ filter dependencies.
 func UpdateLibs() error {
-	libs := []string{"aho-corasick", "bdwgc", "libinjection", "mimalloc"}
+	libs := []string{"bdwgc", "libinjection", "mimalloc"}
 	for _, lib := range libs {
 		if err := sh.RunV("docker", "build", "-t", "ghcr.io/corazawaf/coraza-proxy-wasm/buildtools-"+lib, filepath.Join("buildtools", lib)); err != nil {
 			return err