From 4b5da5cac83fc72796eb509b3295e2a421a8d1bb Mon Sep 17 00:00:00 2001 From: Nuno Fernandes Date: Wed, 17 May 2023 17:02:02 +0100 Subject: [PATCH] Add xss_match_statement support (#101) * Add missing sqli_match_statement * Add support for xss_match_statement * chore: changelog --- CHANGELOG.md | 2 + main.tf | 451 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 453 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fa4d78..da11e01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,8 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +- Add support for xss_match_statement +- Add missing sqli_match_statement diff --git a/main.tf b/main.tf index aca5660..6f62b2f 100644 --- a/main.tf +++ b/main.tf 
@@ -2454,6 +2454,67 @@ resource "aws_wafv2_web_acl" "main" { } } + dynamic "xss_match_statement" { + for_each = length(lookup(rule.value, "xss_match_statement", {})) == 0 ? [] : [lookup(rule.value, "xss_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(xss_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(xss_match_statement.value, "field_to_match", {})] + content { + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content { + oversize_handling = upper(lookup(body.value, "oversize_handling")) + } + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? [] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? [] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? 
[] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(xss_match_statement.value["text_transformation"], "priority") + type = lookup(xss_match_statement.value["text_transformation"], "type") + } + } + } + dynamic "rate_based_statement" { for_each = length(lookup(rule.value, "rate_based_statement", {})) == 0 ? [] : [lookup(rule.value, "rate_based_statement", {})] content { 
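Review bot: The rule-level `xss_match_statement` added here cannot inspect cookies — its `field_to_match` offers uri_path, all_query_arguments, body, method, query_string, single_header and headers, while the scope-down, OR and NOT variants of the same statement in this patch (hunks at L4–L13) also accept a `cookies` block. A cookie-borne payload therefore cannot be targeted from a top-level rule even though the nested forms allow it; if the omission mirrors the neighbouring sqli block it is still worth closing so both forms accept the same input map. The block below mirrors the nested variant, using `upper()` and `null` defaults to match how `headers` is handled in this same hunk. The enclosing `rule` dynamic block starts and ends outside this hunk.
```hcl
# inside field_to_match.content, alongside the existing uri_path … headers blocks
dynamic "cookies" {
  for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? [] : [lookup(field_to_match.value, "cookies")]
  content {
    match_scope       = upper(lookup(cookies.value, "match_scope"))
    oversize_handling = upper(lookup(cookies.value, "oversize_handling"))
    dynamic "match_pattern" {
      for_each = [lookup(cookies.value, "match_pattern")]
      content {
        dynamic "all" {
          for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : []
          content {}
        }
        included_cookies = lookup(match_pattern.value, "included_cookies", null)
        excluded_cookies = lookup(match_pattern.value, "excluded_cookies", null)
      }
    }
  }
}
```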
@@ -3814,6 +3875,84 @@ resource "aws_wafv2_web_acl" "main" { } } + # OR xss_match_statement + dynamic "xss_match_statement" { + for_each = length(lookup(statement.value, "xss_match_statement", {})) == 0 ? [] : [lookup(statement.value, "xss_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(xss_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(xss_match_statement.value, "field_to_match", {})] + content { + dynamic "cookies" { + for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? [] : [lookup(field_to_match.value, "cookies")] + content { + match_scope = lookup(cookies.value, "match_scope") + oversize_handling = lookup(cookies.value, "oversize_handling") + dynamic "match_pattern" { + for_each = [lookup(cookies.value, "match_pattern")] + content { + dynamic "all" { + for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : [] + content {} + } + included_cookies = length(lookup(match_pattern.value, "included_cookies", [])) != 0 ? lookup(match_pattern.value, "included_cookies") : [] + excluded_cookies = length(lookup(match_pattern.value, "excluded_cookies", [])) != 0 ? lookup(match_pattern.value, "excluded_cookies") : [] + } + } + } + } + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content {} + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? 
[] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? [] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? [] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(xss_match_statement.value["text_transformation"], "priority") + type = lookup(xss_match_statement.value["text_transformation"], "type") + } + } + } + # Scope down OR regex_match_statement dynamic "regex_match_statement" { for_each = length(lookup(statement.value, "regex_match_statement", {})) == 0 ? [] : [lookup(statement.value, "regex_match_statement", {})] 
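Review bot: The `body` field_to_match in this scope-down `xss_match_statement` is `content {}`, so a caller cannot set `oversize_handling`, whereas the rule-level variant in the first main.tf hunk requires it via `upper(lookup(body.value, "oversize_handling"))`. For an injection rule this matters: oversize handling decides whether a request body beyond WAF's inspection limit is treated as a match, as a non-match, or inspected only for the bytes available, so leaving it to the service default silently changes what a blocking rule catches. A backward-compatible form is `oversize_handling = try(upper(body.value["oversize_handling"]), null)`. The same `content {}` body appears in the NOT and AND-NOT variants (hunks at L6–L7, L8–L11 and L12–L13). While here, `cookies` passes `match_scope` and `oversize_handling` through without `upper()`, unlike `headers` two blocks below, so a lowercase value that is accepted for headers will fail provider validation for cookies.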
@@ -4296,6 +4435,84 @@ resource "aws_wafv2_web_acl" "main" { } } + # OR xss_match_statement + dynamic "xss_match_statement" { + for_each = length(lookup(not_statement.value, "xss_match_statement", {})) == 0 ? [] : [lookup(not_statement.value, "xss_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(xss_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(xss_match_statement.value, "field_to_match", {})] + content { + dynamic "cookies" { + for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? [] : [lookup(field_to_match.value, "cookies")] + content { + match_scope = lookup(cookies.value, "match_scope") + oversize_handling = lookup(cookies.value, "oversize_handling") + dynamic "match_pattern" { + for_each = [lookup(cookies.value, "match_pattern")] + content { + dynamic "all" { + for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : [] + content {} + } + included_cookies = length(lookup(match_pattern.value, "included_cookies", [])) != 0 ? lookup(match_pattern.value, "included_cookies") : [] + excluded_cookies = length(lookup(match_pattern.value, "excluded_cookies", [])) != 0 ? lookup(match_pattern.value, "excluded_cookies") : [] + } + } + } + } + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content {} + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? 
[] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? [] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? [] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(xss_match_statement.value["text_transformation"], "priority") + type = lookup(xss_match_statement.value["text_transformation"], "type") + } + } + } + # NOT regex_match_statement dynamic "regex_match_statement" { for_each = length(lookup(not_statement.value, "regex_match_statement", {})) == 0 ? [] : [lookup(not_statement.value, "regex_match_statement", {})] 
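Review bot: The header comment `# OR xss_match_statement` is wrong for this location: the block keys off `not_statement.value` and its neighbour is labelled `# NOT regex_match_statement`, so the label should read `# NOT xss_match_statement`. The same copied label appears on the `sqli_match_statement` and `xss_match_statement` blocks in the next hunk (L8–L11), whose neighbour is `# AND not_statement regex_match_statement`. In a file this long these labels are the main navigation aid, and an `OR` label inside a NOT scope sends a reader to the wrong nesting level. The enclosing `not_statement` dynamic block starts and ends outside this hunk.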
@@ -4869,6 +5086,162 @@ resource "aws_wafv2_web_acl" "main" { } } + # OR sqli_match_statement + dynamic "sqli_match_statement" { + for_each = length(lookup(not_statement.value, "sqli_match_statement", {})) == 0 ? [] : [lookup(not_statement.value, "sqli_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(sqli_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(sqli_match_statement.value, "field_to_match", {})] + content { + dynamic "cookies" { + for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? [] : [lookup(field_to_match.value, "cookies")] + content { + match_scope = lookup(cookies.value, "match_scope") + oversize_handling = lookup(cookies.value, "oversize_handling") + dynamic "match_pattern" { + for_each = [lookup(cookies.value, "match_pattern")] + content { + dynamic "all" { + for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : [] + content {} + } + included_cookies = length(lookup(match_pattern.value, "included_cookies", [])) != 0 ? lookup(match_pattern.value, "included_cookies") : [] + excluded_cookies = length(lookup(match_pattern.value, "excluded_cookies", [])) != 0 ? lookup(match_pattern.value, "excluded_cookies") : [] + } + } + } + } + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content {} + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? 
[] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? [] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? [] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(sqli_match_statement.value["text_transformation"], "priority") + type = lookup(sqli_match_statement.value["text_transformation"], "type") + } + } + } + + # OR xss_match_statement + dynamic "xss_match_statement" { + for_each = length(lookup(not_statement.value, "xss_match_statement", {})) == 0 ? [] : [lookup(not_statement.value, "xss_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(xss_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(xss_match_statement.value, "field_to_match", {})] + content { + dynamic "cookies" { + for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? 
[] : [lookup(field_to_match.value, "cookies")] + content { + match_scope = lookup(cookies.value, "match_scope") + oversize_handling = lookup(cookies.value, "oversize_handling") + dynamic "match_pattern" { + for_each = [lookup(cookies.value, "match_pattern")] + content { + dynamic "all" { + for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : [] + content {} + } + included_cookies = length(lookup(match_pattern.value, "included_cookies", [])) != 0 ? lookup(match_pattern.value, "included_cookies") : [] + excluded_cookies = length(lookup(match_pattern.value, "excluded_cookies", [])) != 0 ? lookup(match_pattern.value, "excluded_cookies") : [] + } + } + } + } + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content {} + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? [] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? 
[] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? [] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(xss_match_statement.value["text_transformation"], "priority") + type = lookup(xss_match_statement.value["text_transformation"], "type") + } + } + } + # AND not_statement regex_match_statement dynamic "regex_match_statement" { for_each = length(lookup(not_statement.value, "regex_match_statement", {})) == 0 ? [] : [lookup(not_statement.value, "regex_match_statement", {})] 
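Review bot: The newly added `sqli_match_statement` exposes `field_to_match` and `text_transformation` but no `sensitivity_level`, which the AWS provider's `sqli_match_statement` block accepts (`LOW` or `HIGH`) in recent versions; if the provider pinned by this module supports it, callers of this variant cannot opt into the stricter detection level. A non-breaking addition is `sensitivity_level = lookup(sqli_match_statement.value, "sensitivity_level", null)` placed before `text_transformation`. Whether the pre-existing sqli blocks elsewhere in main.tf expose it is not visible here, so keep whichever choice matches them. The enclosing `not_statement` dynamic block starts and ends outside this hunk.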
@@ -5819,6 +6192,84 @@ resource "aws_wafv2_web_acl" "main" { } } + # OR xss_match_statement + dynamic "xss_match_statement" { + for_each = length(lookup(statement.value, "xss_match_statement", {})) == 0 ? [] : [lookup(statement.value, "xss_match_statement", {})] + content { + dynamic "field_to_match" { + for_each = length(lookup(xss_match_statement.value, "field_to_match", {})) == 0 ? [] : [lookup(xss_match_statement.value, "field_to_match", {})] + content { + dynamic "cookies" { + for_each = length(lookup(field_to_match.value, "cookies", {})) == 0 ? [] : [lookup(field_to_match.value, "cookies")] + content { + match_scope = lookup(cookies.value, "match_scope") + oversize_handling = lookup(cookies.value, "oversize_handling") + dynamic "match_pattern" { + for_each = [lookup(cookies.value, "match_pattern")] + content { + dynamic "all" { + for_each = contains(keys(match_pattern.value), "all") ? [lookup(match_pattern.value, "all")] : [] + content {} + } + included_cookies = length(lookup(match_pattern.value, "included_cookies", [])) != 0 ? lookup(match_pattern.value, "included_cookies") : [] + excluded_cookies = length(lookup(match_pattern.value, "excluded_cookies", [])) != 0 ? lookup(match_pattern.value, "excluded_cookies") : [] + } + } + } + } + dynamic "uri_path" { + for_each = length(lookup(field_to_match.value, "uri_path", {})) == 0 ? [] : [lookup(field_to_match.value, "uri_path")] + content {} + } + dynamic "all_query_arguments" { + for_each = length(lookup(field_to_match.value, "all_query_arguments", {})) == 0 ? [] : [lookup(field_to_match.value, "all_query_arguments")] + content {} + } + dynamic "body" { + for_each = length(lookup(field_to_match.value, "body", {})) == 0 ? [] : [lookup(field_to_match.value, "body")] + content {} + } + dynamic "method" { + for_each = length(lookup(field_to_match.value, "method", {})) == 0 ? 
[] : [lookup(field_to_match.value, "method")] + content {} + } + dynamic "query_string" { + for_each = length(lookup(field_to_match.value, "query_string", {})) == 0 ? [] : [lookup(field_to_match.value, "query_string")] + content {} + } + dynamic "single_header" { + for_each = length(lookup(field_to_match.value, "single_header", {})) == 0 ? [] : [lookup(field_to_match.value, "single_header")] + content { + name = lower(lookup(single_header.value, "name")) + } + } + dynamic "headers" { + for_each = length(lookup(field_to_match.value, "headers", {})) == 0 ? [] : [lookup(field_to_match.value, "headers")] + content { + match_scope = upper(lookup(headers.value, "match_scope")) + dynamic "match_pattern" { + for_each = length(lookup(headers.value, "match_pattern", {})) == 0 ? [] : [lookup(headers.value, "match_pattern", {})] + content { + dynamic "all" { + for_each = length(lookup(match_pattern.value, "all", {})) == 0 ? [] : [lookup(match_pattern.value, "all")] + content {} + } + included_headers = lookup(match_pattern.value, "included_headers", null) + excluded_headers = lookup(match_pattern.value, "excluded_headers", null) + } + } + oversize_handling = upper(lookup(headers.value, "oversize_handling")) + } + } + } + } + text_transformation { + priority = lookup(xss_match_statement.value["text_transformation"], "priority") + type = lookup(xss_match_statement.value["text_transformation"], "type") + } + } + } + # OR regex_match_statement dynamic "regex_match_statement" { for_each = length(lookup(statement.value, "regex_match_statement", {})) == 0 ? [] : [lookup(statement.value, "regex_match_statement", {})]