spip-contrib-extensions/waf | 19 commits
By pierretux, on 7 May 2026 at 12:02:
feat: add per-IP rate limiting with safe defaults
Add a sliding 60-second APCu window rate limiter per IP. Disabled by
default (0 rpm) to avoid false positives on shared egress IPs (corporate
NAT, CDN) — enable explicitly via mes_options.php.
Also removes the static-extension early return which opened a trivial
WAF bypass (e.g. /spip.php/x.jpg); static assets never reach PHP on a
correctly configured server so the check was both useless and dangerous.
Modified
README.md
base/waf.php
prive/squelettes/contenu/stats_waf.html
waf_fonctions.php
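As an added illustration of the design this commit describes (not the plugin's own code), here is a per-IP sliding-window limiter over APCu. The constant name `_WAF_RATE_LIMIT_RPM` is the one the commit uses; `waf_rate_limit_exceeded()`, the key prefix and the `$now` parameter are assumptions made for the example.

```php
<?php
// Added example, not the waf plugin's own code.
// Sliding 60-second window per IP, stored as a list of request timestamps
// in APCu. _WAF_RATE_LIMIT_RPM is the commit's constant; the function name
// and the 'waf:rl:' key prefix are assumptions.

if (!defined('_WAF_RATE_LIMIT_RPM')) {
    define('_WAF_RATE_LIMIT_RPM', 0); // 0 = disabled: safe default for shared egress IPs
}

/**
 * True when $ip has made more than _WAF_RATE_LIMIT_RPM requests in the last
 * 60 seconds. $now is injectable so the window logic can be exercised offline.
 */
function waf_rate_limit_exceeded(string $ip, ?int $now = null): bool {
    $limit = (int) _WAF_RATE_LIMIT_RPM;
    if ($limit <= 0 || !function_exists('apcu_fetch')) {
        return false; // limiter disabled, or APCu not loaded: fail open, never block
    }
    $now = $now ?? time();
    $key = 'waf:rl:' . $ip;

    $stamps = apcu_fetch($key, $ok);
    if (!$ok || !is_array($stamps)) {
        $stamps = [];
    }
    // Slide the window: keep only timestamps younger than 60 s, then add this hit.
    $stamps = array_values(array_filter($stamps, fn($t) => $t > $now - 60));
    $stamps[] = $now;
    // TTL slightly above the window so idle IPs expire on their own.
    apcu_store($key, $stamps, 120);

    return count($stamps) > $limit;
}
```

Call it for every request that reaches PHP, before any other routing decision; a short-circuit keyed on the URI's apparent file extension would reintroduce the bypass the commit removes, since a path like the one it cites still executes `spip.php`. The fetch-modify-store sequence is not atomic, so two concurrent hits from one IP can both be counted once; that undercounts slightly and never blocks an IP that stayed under the limit, which is the right failure direction for a WAF. Anyone needing exact counts can switch to `apcu_inc()` on a per-minute bucket key instead of a timestamp list.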
==============================
By Urs Riggenbach, on 7 May 2026 at 11:38:
Merge branch ‹ feat/sql-injection-patterns › into ‹ main ›
feat: add SQL injection detection patterns
See merge request spip-contrib-extensions/waf!29
Modified
waf_fonctions.php
==============================
By Urs Riggenbach, on 7 May 2026 at 11:33:
Merge branch ‹ feat/tarpit-delay › into ‹ main ›
feat: add configurable tarpit delay for banned IPs
See merge request spip-contrib-extensions/waf!27
Modified
README.md
waf_fonctions.php
==============================
By Urs Riggenbach, on 7 May 2026 at 11:30:
Merge branch ‹ feat/suspicious-ua-detection › into ‹ main ›
feat: detect known scanner/tool User-Agent strings
See merge request spip-contrib-extensions/waf!30
Modified
waf_fonctions.php
==============================
By pierretux, on 6 May 2026 at 14:35:
docs: document tarpit delay and advanced configuration constants
Modified
README.md
==============================
By pierretux, on 6 May 2026 at 14:32:
feat: add configurable tarpit delay for banned IPs
waf_tarpit_and_block() sends the 403, calls fastcgi_finish_request() to
release the HTTP connection, then sleeps _WAF_TARPIT_DELAY seconds (default 3).
The sleep runs after the socket is closed so an attacker cannot exhaust the
PHP-FPM worker pool by flooding banned IPs. Set to 0 in mes_options.php to
disable, or raise it (e.g. 10) for more aggressive tarpitting.
Modified
waf_fonctions.php
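The sequence this commit describes (403, release the connection, then sleep), written out as an added example rather than the plugin's own implementation. `waf_tarpit_and_block()` and `_WAF_TARPIT_DELAY` are the names the commit cites; the function body, the plain-text response and the non-FPM fallback are assumptions of the example.

```php
<?php
// Added example, not the waf plugin's own code.
// Send the 403, hand the response to the web server, then sleep so the
// banned client is delayed without holding its HTTP connection open.

if (!defined('_WAF_TARPIT_DELAY')) {
    define('_WAF_TARPIT_DELAY', 3); // seconds; 0 disables the tarpit
}

function waf_tarpit_and_block(): void {
    if (!headers_sent()) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        header('Connection: close');
    }
    echo "Forbidden\n";

    $delay = max(0, (int) _WAF_TARPIT_DELAY);

    if (function_exists('fastcgi_finish_request')) {
        // PHP-FPM: flushes the response and closes the client socket now,
        // so nothing below keeps an HTTP connection open.
        fastcgi_finish_request();
    } else {
        // Other SAPIs (mod_php, the built-in server) have no way to release
        // the connection early: sleeping here would hold both the connection
        // and the worker, so skip the delay rather than risk a self-inflicted
        // denial of service under a flood from banned IPs.
        $delay = 0;
    }

    if ($delay > 0) {
        sleep($delay);
    }
    exit;
}
```

One operational point worth checking before raising the delay: `fastcgi_finish_request()` releases the client connection, not the PHP worker. The FPM child stays occupied for the full sleep, so every tarpitted request still counts against `pm.max_children` for that long; size the pool and the delay together, and watch the FPM slow log or `pm.status` for workers parked in `sleep` if banned traffic is heavy.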
==============================
By pierretux, on 6 May 2026 at 14:28:
feat: add SQL injection detection patterns
Extend waf_malicious_payload_patterns() with UNION SELECT, OR/AND
injection, stacked queries (DROP/ALTER/…), information_schema
enumeration, time-based blind (SLEEP/BENCHMARK), and MySQL file
exfiltration (LOAD_FILE / INTO OUTFILE). Word-boundary anchors and
structural requirements keep false-positive risk low.
Modified
waf_fonctions.php
==============================
By pierretux, on 6 May 2026 at 14:25:
feat: detect known scanner/tool User-Agent strings
Add waf_suspicious_ua_patterns() with signatures for Nikto, sqlmap,
Masscan, Nuclei, zgrab, DirBuster, Gobuster, Wfuzz, Nessus, Acunetix
and others. waf_check_suspicious_ua() runs early in the pipeline so
scanner traffic triggers the normal strike/ban escalation path.
Modified
waf_fonctions.php
==============================
By Urs Riggenbach, on 6 May 2026 at 13:51:
Merge branch ‹ main › of git.spip.net:spip-contrib-extensions/waf
Modified
base/waf.php
waf_fonctions.php
==============================
By Urs Riggenbach, on 6 May 2026 at 13:51:
docs: _WAF_INSTALL_PREFIX, _WAF_TARPIT_DELAY, _WAF_RATE_LIMIT_RPM
Modified
README.md
==============================
By Urs Riggenbach, on 6 May 2026 at 13:47:
Merge branch ‹ feat/cloudflare-pipeline › into ‹ main ›
feat: expose waf_on_ban pipeline for companion plugins
See merge request spip-contrib-extensions/waf!31
Modified
waf_fonctions.php
==============================
By Urs Riggenbach, on 6 May 2026 at 11:56:
Merge branch ‹ feat/db-indexes › into ‹ main ›
perf: add composite DB indexes for dashboard and per-IP queries
See merge request spip-contrib-extensions/waf!26
Modified
base/waf.php
==============================
By Urs Riggenbach, on 6 May 2026 at 11:54:
Merge branch ‹ refactor/rename-blacklist-constant › into ‹ main ›
refactor: rename WAF_REASON_BLACKLISTED_IP to WAF_REASON_MANUAL_BLACKLIST
See merge request spip-contrib-extensions/waf!25
Modified
waf_fonctions.php
==============================
By Urs Riggenbach, on 6 May 2026 at 11:52:
Merge branch ‹ fix/cms-probe-subfolder › into ‹ main ›
fix: support SPIP installed in a subfolder for CMS probe patterns
See merge request spip-contrib-extensions/waf!24
Modified
waf_fonctions.php
==============================
By pierretux, on 6 May 2026 at 08:25:
feat: expose waf_on_ban pipeline for companion plugins
Allows third-party plugins (e.g. Cloudflare WAF Sync) to react
instantly when an IP is banned, without polling spip_waf_events.
Modified
waf_fonctions.php
==============================
By Urs Riggenbach, on 4 May 2026 at 20:49:
fix: flush before dashboard load
Modified
prive/squelettes/contenu/stats_waf.html
==============================
By pierretux, on 4 May 2026 at 07:55:
fix: support SPIP installed in a subfolder for CMS probe patterns
CMS probe URI patterns were hardcoded to docroot (e.g. /wp-admin).
With SPIP in a subfolder they would never match and could miss attacks.
Add _WAF_INSTALL_PREFIX constant (define it in mes_options.php, e.g.
‹ /cms ›) that is prepended regex-safely to every pattern at build time.
Default is empty, so docroot installs are unaffected.
Modified
waf_fonctions.php
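An added example (not the plugin's own code) of the build-time prefixing this commit describes: the install prefix is escaped with `preg_quote()` once and prepended to every probe pattern, so a docroot install (empty prefix) and a subfolder install match the same probe paths. `_WAF_INSTALL_PREFIX` and the `/wp-admin` probe are from the commit; `waf_cms_probe_patterns()`, `waf_is_cms_probe()` and the other sample probe paths are assumptions.

```php
<?php
// Added example, not the waf plugin's own code.
// Probe-path regexes anchored under _WAF_INSTALL_PREFIX (the commit's
// constant); function names and the extra sample paths are assumptions.

if (!defined('_WAF_INSTALL_PREFIX')) {
    define('_WAF_INSTALL_PREFIX', ''); // empty = SPIP at the document root
}

/**
 * Build the probe regexes for a given install prefix.
 * The prefix is normalised to "/name" (or "") and regex-escaped once, so a
 * prefix containing regex metacharacters (e.g. "/site.v2") cannot alter the
 * pattern's meaning.
 */
function waf_cms_probe_patterns(string $prefix = _WAF_INSTALL_PREFIX): array {
    $prefix = rtrim($prefix, '/');
    if ($prefix !== '' && $prefix[0] !== '/') {
        $prefix = '/' . $prefix;
    }
    $quoted = preg_quote($prefix, '#'); // '#' is the delimiter used below

    // Constructed sample of well-known probe targets for other CMSes.
    $probes = ['/wp-admin', '/wp-login.php', '/xmlrpc.php', '/phpmyadmin'];

    $patterns = [];
    foreach ($probes as $path) {
        // Match the path exactly or as a directory prefix, never as a substring
        // of an unrelated longer path segment.
        $patterns[] = '#^' . $quoted . preg_quote($path, '#') . '(/|$)#i';
    }
    return $patterns;
}

/** True when the request path matches one of the built probe patterns. */
function waf_is_cms_probe(string $uri, array $patterns): bool {
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $uri;
    }
    foreach ($patterns as $re) {
        if (preg_match($re, $path) === 1) {
            return true;
        }
    }
    return false;
}
```

With an empty prefix, `waf_is_cms_probe('/wp-admin/', ...)` matches and `/cms/wp-admin/` does not; with `_WAF_INSTALL_PREFIX` set to `/cms` the reverse holds, which is the behaviour the commit restores for subfolder installs. Building the list once (for instance with a `static` cache in the caller) avoids re-quoting on every request.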
==============================
By pierretux, on 4 May 2026 at 07:54:
refactor: rename WAF_REASON_BLACKLISTED_IP to WAF_REASON_MANUAL_BLACKLIST
WAF_REASON_BLOCKLISTED_IP (public blocklists) and
WAF_REASON_BLACKLISTED_IP (manual admin list) were easy to confuse.
Rename the manual-blacklist constant to WAF_REASON_MANUAL_BLACKLIST
to make the distinction explicit. The stored DB value (‹ BLACKLISTED_IP ›)
is unchanged so no data migration is needed. A backward-compat alias
keeps third-party code working until it is updated.
Modified
waf_fonctions.php
==============================
By pierretux, on 4 May 2026 at 07:54:
perf: add composite DB indexes for dashboard and per-IP queries
idx_type_reason covers the COUNT(DISTINCT ip) queries in
waf_dashboard_coverage_stats() that filter on type+reason.
idx_ip_type_date covers per-IP history lookups and the strike/ban
count queries that scan ip+type+date_event. Both indexes eliminate
full-table scans as spip_waf_events grows.
Modified
base/waf.php