From 65cbc6922c01472e92afb5e7e72ba7e768614160 Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Thu, 24 Apr 2025 19:15:20 -0400
Subject: [PATCH] data: add some examples of expression-based rules
Signed-off-by: Xe Iaso
---
data/apps/git-client.yaml | 7 +++++++
data/clients/go-get.yaml | 7 +++++++
data/common/allow-api-like.yaml | 6 ++++++
data/common/keep-internet-working.yaml | 3 +++
data/common/rfc-violations.yaml | 3 +++
data/embed.go | 2 +-
6 files changed, 27 insertions(+), 1 deletion(-)
create mode 100644 data/apps/git-client.yaml
create mode 100644 data/clients/go-get.yaml
create mode 100644 data/common/allow-api-like.yaml
create mode 100644 data/common/rfc-violations.yaml
diff --git a/data/apps/git-client.yaml b/data/apps/git-client.yaml
new file mode 100644
index 00000000..b2964937
--- /dev/null
+++ b/data/apps/git-client.yaml
@@ -0,0 +1,7 @@
+- name: allow-git-clients
+ action: ALLOW
+ expression:
+ and:
+ - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
+ - >
+ "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
\ No newline at end of file
diff --git a/data/clients/go-get.yaml b/data/clients/go-get.yaml
new file mode 100644
index 00000000..ca061e28
--- /dev/null
+++ b/data/clients/go-get.yaml
@@ -0,0 +1,7 @@
+- name: go-get
+ action: ALLOW
+ expression:
+ and:
+ - userAgent.startsWith("Go-http-client/")
+ - '"go-get" in query'
+ - query["go-get"] == "1"
\ No newline at end of file
diff --git a/data/common/allow-api-like.yaml b/data/common/allow-api-like.yaml
new file mode 100644
index 00000000..50738123
--- /dev/null
+++ b/data/common/allow-api-like.yaml
@@ -0,0 +1,6 @@
+- name: allow-api-routes
+ action: ALLOW
+ expression:
+ and:
+ - '!(method == "HEAD" || method == "GET")'
+ - path.startsWith("/api/")
\ No newline at end of file
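Review bot: In data/apps/git-client.yaml the `allow-git-clients` rule grants ALLOW on two values the client chooses itself (the User-Agent prefix and the `Git-Protocol` header) and has no path condition, so any request carrying them skips the challenge on every route, not only the Git smart-HTTP endpoints. The same applies to `go-get` in data/clients/go-get.yaml, where the default `Go-http-client/` User-Agent plus `?go-get=1` is enough. I would add a third `and` entry that scopes the rule to the Git endpoints the deployment actually serves, for example `- path.endsWith("/info/refs") || path.endsWith("/git-upload-pack")`, and put a comment at the top of both files saying these rules identify clients by self-reported values and are a convenience, not an authentication check. `userAgent.contains("libgit")` also matches the substring anywhere in the string; `startsWith` would be tighter if the libgit2 User-Agent format allows it.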
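Review bot: In data/common/allow-api-like.yaml the method test is a deny-list, `!(method == "HEAD" || method == "GET")`, so every other method string, including non-standard ones, is allowed through to `/api/` without a challenge. An explicit list states the intent and fails closed: `- 'method in ["POST", "PUT", "PATCH", "DELETE"]'` (plus `"OPTIONS"` if preflight requests must pass). A comment above the rule should say that GET and HEAD under `/api/` remain subject to the other rules and that the backend is expected to authenticate and rate-limit these routes itself, since this rule removes the challenge in front of them.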
diff --git a/data/common/keep-internet-working.yaml b/data/common/keep-internet-working.yaml index 8270ef4e..d72f5abf 100644 --- a/data/common/keep-internet-working.yaml +++ b/data/common/keep-internet-working.yaml @@ -7,4 +7,7 @@ action: ALLOW - name: robots-txt path_regex: ^/robots.txt$ + action: ALLOW +- name: sitemap + path_regex: ^/sitemap.xml$ action: ALLOW \ No newline at end of file diff --git a/data/common/rfc-violations.yaml b/data/common/rfc-violations.yaml new file mode 100644 index 00000000..77ffe9eb --- /dev/null +++ b/data/common/rfc-violations.yaml @@ -0,0 +1,3 @@ +- name: no-user-agent-string + expression: userAgent == "" + action: DENY \ No newline at end of file diff --git a/data/embed.go b/data/embed.go index ebb2152f..06cf30d3 100644 --- a/data/embed.go +++ b/data/embed.go @@ -3,6 +3,6 @@ package data import "embed" var ( - //go:embed botPolicies.yaml botPolicies.json apps bots common crawlers + //go:embed botPolicies.yaml botPolicies.json apps bots clients common crawlers BotPolicies embed.FS )
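Review bot: In data/common/keep-internet-working.yaml the new `sitemap` pattern `^/sitemap.xml$` leaves the dot unescaped, so it matches any single character in that position; `path_regex: ^/sitemap\.xml$` matches only the literal file name. The `robots-txt` context line just above has the same unescaped dot and could be fixed in the same change. The first `action: ALLOW` line of the hunk belongs to a rule that starts outside it.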
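Review bot: In data/common/rfc-violations.yaml the `no-user-agent-string` rule is an outright DENY with no comment explaining its reach, and requests without a User-Agent come not only from scrapers but also from health probes, uptime monitors and minimal scripts. I would add a comment such as `# Hard-blocks any request whose User-Agent is empty; make sure internal health checks send one or are allowed elsewhere.` It is not visible in this hunk whether an absent header and an empty header both evaluate to `""`, or whether a whitespace-only value is caught, so the comment should also state which of those cases the rule is meant to cover.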