fix: Syntax error fixes to the primitive rules

riotkit-org · May 29, 2022 · d9c2b1d · d9c2b1d
1 parent d4a0eaa
commit d9c2b1d
Showing 1 changed file with 8 additions and 20 deletions.
diff --git a/container-files/etc/nginx/nginx.conf b/container-files/etc/nginx/nginx.conf
@@ -72,31 +72,19 @@ http {
 
         # https://ayrn.io/how-to-harden-nginx-security/
 
-        location ~* "(eval\(|shell_exec\(|exec\(|system\(unserialize\(|query\(|serialize\(|popen\(|pcntl_exec\(|passthru\(|require\(|include\(|require_once\(|include_once\(|create_function\(|proc_open\(|base64_decode\(|str_rot13\()" { deny all }
-        location ~* "(javascript:)(.*)(;)" { return 416 }
-        location ~* "(GLOBALS|REQUEST)(=|[|%)" { return 416 }
-        location ~* "(<|%3C).*script.*(>|%3)" { return 416 }
-
-        ##
-        # Some of SQL syntax
-        ##
-        set $block_sql_injections 0
-        if ($query_string ~ "union.*select.*(") { set $block_sql_injections 1 }
-        if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1 }
-        if ($query_string ~ "concat.*(") { set $block_sql_injections 1 }
-        if ($block_sql_injections = 1) { return 416 }
+        location ~* "(eval\(|shell_exec\(|exec\(|system\(unserialize\(|query\(|serialize\(|popen\(|pcntl_exec\(|passthru\(|require\(|include\(|require_once\(|include_once\(|create_function\(|proc_open\(|base64_decode\(|str_rot13\()" { return 416; }
+        location ~* "(javascript:)(.*)(;)" { return 416; }
+        location ~* "(GLOBALS|REQUEST)(=|\[|%)" { return 416; }
 
         ##
         # Block common exploits
         ##
         set $block_common_exploits 0;
-        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1 }
-        if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1 }
-        if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1 }
-        if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1 }
-        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $block_common_exploits 1 }
-        if ($query_string ~ "(eval\(|shell_exec\(|exec\(|system\(unserialize\(|query\(|serialize\(|popen\(|pcntl_exec\(|passthru\(|require\(|include\(|require_once\(|include_once\(|create_function\(|proc_open\(|base64_decode\(|str_rot13\()") { set $block_common_exploits 1 }
-        if ($block_common_exploits = 1) { return 416 }
+        if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
+        if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
+        if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; }
+        if ($query_string ~ "(eval\(|shell_exec\(|exec\(|system\(unserialize\(|query\(|serialize\(|popen\(|pcntl_exec\(|passthru\(|require\(|include\(|require_once\(|include_once\(|create_function\(|proc_open\(|base64_decode\(|str_rot13\()") { set $block_common_exploits 1; }
+        if ($block_common_exploits = 1) { return 416; }
 
         location = /favicon.ico {
             log_not_found off;