mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19261 Commits
29 Branches
Tree: 2b8e6958f4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2b8e6958f4'
${ noResults }
rspamd/src/libserver/html/html_url.cxx

html_url.cxx 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489 
  1. /*-

  2.  * Copyright 2021 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. 

  17. #include "html_url.hxx"

  18. #include "libutil/str_util.h"

  19. #include "libserver/url.h"

  20. #include "libserver/logger.h"

  21. #include "rspamd.h"

  22. 

  23. #include <unicode/idna.h>

  24. 

  25. namespace rspamd::html {

  26. 

  27. static auto

  28. rspamd_url_is_subdomain(std::string_view t1, std::string_view t2) -> bool

  29. {

  30. 	const auto *p1 = t1.data() + t1.size() - 1;

  31. 	const auto *p2 = t2.data() + t2.size() - 1;

  32. 

  33. 	/* Skip trailing dots */

  34. 	while (p1 > t1.data()) {

  35. 		if (*p1 != '.') {

  36. 			break;

  37. 		}

  38. 

  39. 		p1--;

  40. 	}

  41. 

  42. 	while (p2 > t2.data()) {

  43. 		if (*p2 != '.') {

  44. 			break;

  45. 		}

  46. 

  47. 		p2--;

  48. 	}

  49. 

  50. 	while (p1 > t1.data() && p2 > t2.data()) {

  51. 		if (*p1 != *p2) {

  52. 			break;

  53. 		}

  54. 

  55. 		p1--;

  56. 		p2--;

  57. 	}

  58. 

  59. 	if (p2 == t2.data()) {

  60. 		/* p2 can be subdomain of p1 if *p1 is '.' */

  61. 		if (p1 != t1.data() && *(p1 - 1) == '.') {

  62. 			return true;

  63. 		}

  64. 	}

  65. 	else if (p1 == t1.data()) {

  66. 		if (p2 != t2.data() && *(p2 - 1) == '.') {

  67. 			return true;

  68. 		}

  69. 	}

  70. 

  71. 	return false;

  72. }

  73. 

  74. 

  75. static auto

  76. get_icu_idna_instance(void) -> auto

  77. {

  78. 	auto uc_err = U_ZERO_ERROR;

  79. 	static auto *udn = icu::IDNA::createUTS46Instance(UIDNA_DEFAULT, uc_err);

  80. 

  81. 	return udn;

  82. }

  83. 

  84. static auto

  85. convert_idna_hostname_maybe(rspamd_mempool_t *pool, struct rspamd_url *url, bool use_tld)

  86. 		-> std::string_view

  87. {

  88. 	std::string_view ret = use_tld ?

  89. 			std::string_view{rspamd_url_tld_unsafe (url), url->tldlen} :

  90. 			std::string_view {rspamd_url_host_unsafe (url), url->hostlen};

  91. 

  92. 	/* Handle IDN url's */

  93. 	if (ret.size() > 4 &&

  94. 		rspamd_substring_search_caseless(ret.data(), ret.size(), "xn--", 4) != -1) {

  95. 

  96. 		const auto buf_capacity = ret.size() * 2 + 1;

  97. 		auto *idn_hbuf = (char *)rspamd_mempool_alloc (pool, buf_capacity);

  98. 		icu::CheckedArrayByteSink byte_sink{idn_hbuf, (int)buf_capacity};

  99. 

  100. 		/* We need to convert it to the normal value first */

  101. 		icu::IDNAInfo info;

  102. 		auto uc_err = U_ZERO_ERROR;

  103. 		auto *udn = get_icu_idna_instance();

  104. 		udn->nameToUnicodeUTF8(icu::StringPiece(ret.data(), ret.size()),

  105. 				byte_sink, info, uc_err);

  106. 

  107. 		if (uc_err == U_ZERO_ERROR && !info.hasErrors()) {

  108. 			/* idn_hbuf is allocated in mempool, so it is safe to use */

  109. 			ret = std::string_view{idn_hbuf, (std::size_t)byte_sink.NumberOfBytesWritten()};

  110. 		}

  111. 		else {

  112. 			msg_err_pool ("cannot convert to IDN: %s (0x%xd)",

  113. 					u_errorName(uc_err), info.getErrors());

  114. 		}

  115. 	}

  116. 

  117. 	return ret;

  118. };

  119. 

  120. constexpr auto sv_equals(std::string_view s1, std::string_view s2) -> auto {

  121. 	return (s1.size() == s2.size()) &&

  122. 		std::equal(s1.begin(), s1.end(), s2.begin(), s2.end(),

  123. 				[](const auto c1, const auto c2) {

  124. 					return g_ascii_tolower(c1) == g_ascii_tolower(c2);

  125. 		});

  126. }

  127. 

  128. constexpr auto

  129. is_transfer_proto(struct rspamd_url *u) -> bool

  130. {

  131. 	return (u->protocol & (PROTOCOL_HTTP|PROTOCOL_HTTPS|PROTOCOL_FTP)) != 0;

  132. }

  133. 

  134. auto

  135. html_url_is_phished(rspamd_mempool_t *pool,

  136. 					struct rspamd_url *href_url,

  137. 					std::string_view text_data) -> std::optional<rspamd_url *>

  138. {

  139. 	struct rspamd_url *text_url;

  140. 	std::string_view disp_tok, href_tok;

  141. 	goffset url_pos;

  142. 	gchar *url_str = NULL;

  143. 

  144. 	auto sz = text_data.size();

  145. 	const auto *trimmed = rspamd_string_unicode_trim_inplace(text_data.data(), &sz);

  146. 	text_data = std::string_view(trimmed, sz);

  147. 

  148. 	if (text_data.size() > 4 &&

  149. 		rspamd_url_find(pool, text_data.data(), text_data.size(), &url_str,

  150. 				RSPAMD_URL_FIND_ALL,

  151. 				&url_pos, NULL) && url_str != nullptr) {

  152. 

  153. 		if (url_pos > 0) {

  154. 			/*

  155. 			 * We have some url at some offset, so we need to check what is

  156. 			 * at the start of the text

  157. 			 */

  158. 			return std::nullopt;

  159. 		}

  160. 

  161. 		text_url = rspamd_mempool_alloc0_type (pool, struct rspamd_url);

  162. 		auto rc = rspamd_url_parse(text_url, url_str, strlen(url_str), pool,

  163. 				RSPAMD_URL_PARSE_TEXT);

  164. 

  165. 		if (rc == URI_ERRNO_OK) {

  166. 			text_url->flags |= RSPAMD_URL_FLAG_HTML_DISPLAYED;

  167. 			href_url->flags |= RSPAMD_URL_FLAG_DISPLAY_URL;

  168. 

  169. 			/* Check for phishing */

  170. 			if (is_transfer_proto(text_url) == is_transfer_proto(href_url)) {

  171. 				disp_tok = convert_idna_hostname_maybe(pool, text_url, false);

  172. 				href_tok = convert_idna_hostname_maybe(pool, href_url, false);

  173. 

  174. 				if (!sv_equals(disp_tok, href_tok) &&

  175. 					text_url->tldlen > 0 && href_url->tldlen > 0) {

  176. 

  177. 					/* Apply the same logic for TLD */

  178. 					disp_tok = convert_idna_hostname_maybe(pool, text_url, true);

  179. 					href_tok = convert_idna_hostname_maybe(pool, href_url, true);

  180. 

  181. 					if (!sv_equals(disp_tok, href_tok)) {

  182. 						/* Check if one url is a subdomain for another */

  183. 

  184. 						if (!rspamd_url_is_subdomain(disp_tok, href_tok)) {

  185. 							href_url->flags |= RSPAMD_URL_FLAG_PHISHED;

  186. 							href_url->linked_url = text_url;

  187. 							text_url->flags |= RSPAMD_URL_FLAG_HTML_DISPLAYED;

  188. 						}

  189. 					}

  190. 				}

  191. 			}

  192. 

  193. 			return text_url;

  194. 		}

  195. 		else {

  196. 			/*

  197. 			 * We have found something that looks like an url but it was

  198. 			 * not parsed correctly.

  199. 			 * Sometimes it means an obfuscation attempt, so we have to check

  200. 			 * what's inside of the text

  201. 			 */

  202. 			gboolean obfuscation_found = FALSE;

  203. 

  204. 			if (text_data.size() > 4

  205. 				&& g_ascii_strncasecmp(text_data.begin(), "http", 4) == 0 &&

  206. 				rspamd_substring_search(text_data.begin(), text_data.size(), "://", 3) != -1) {

  207. 				/* Clearly an obfuscation attempt */

  208. 				obfuscation_found = TRUE;

  209. 			}

  210. 

  211. 			msg_info_pool ("extract of url '%s' failed: %s; obfuscation detected: %s",

  212. 					url_str,

  213. 					rspamd_url_strerror(rc),

  214. 					obfuscation_found ? "yes" : "no");

  215. 

  216. 			if (obfuscation_found) {

  217. 				href_url->flags |= RSPAMD_URL_FLAG_PHISHED | RSPAMD_URL_FLAG_OBSCURED;

  218. 			}

  219. 		}

  220. 	}

  221. 

  222. 	return std::nullopt;

  223. }

  224. 

  225. void

  226. html_check_displayed_url(rspamd_mempool_t *pool,

  227. 						 GList **exceptions,

  228. 						 void *url_set,

  229. 						 std::string_view visible_part,

  230. 						 goffset href_offset,

  231. 						 struct rspamd_url *url)

  232. {

  233. 	struct rspamd_url *displayed_url = nullptr;

  234. 	struct rspamd_url *turl;

  235. 	struct rspamd_process_exception *ex;

  236. 	guint saved_flags = 0;

  237. 	gsize dlen;

  238. 

  239. 	if (visible_part.empty()) {

  240. 		/* No displayed url, just some text within <a> tag */

  241. 		return;

  242. 	}

  243. 

  244. 	url->visible_part = rspamd_mempool_alloc_buffer(pool, visible_part.size() + 1);

  245. 	rspamd_strlcpy(url->visible_part,

  246. 			visible_part.data(),

  247. 			visible_part.size() + 1);

  248. 	dlen = visible_part.size();

  249. 

  250. 	/* Strip unicode spaces from the start and the end */

  251. 	url->visible_part = const_cast<char *>(

  252. 			rspamd_string_unicode_trim_inplace(url->visible_part,

  253. 			&dlen));

  254. 	auto maybe_url = html_url_is_phished(pool, url,

  255. 			{url->visible_part, dlen});

  256. 

  257. 	if (maybe_url) {

  258. 		url->flags |= saved_flags;

  259. 		displayed_url = maybe_url.value();

  260. 	}

  261. 

  262. 	if (exceptions && displayed_url != nullptr) {

  263. 		ex = rspamd_mempool_alloc_type (pool,struct rspamd_process_exception);

  264. 		ex->pos = href_offset;

  265. 		ex->len = dlen;

  266. 		ex->type = RSPAMD_EXCEPTION_URL;

  267. 		ex->ptr = url;

  268. 

  269. 		*exceptions = g_list_prepend(*exceptions, ex);

  270. 	}

  271. 

  272. 	if (displayed_url && url_set) {

  273. 		turl = rspamd_url_set_add_or_return((khash_t (rspamd_url_hash) *)url_set, displayed_url);

  274. 

  275. 		if (turl != nullptr) {

  276. 			/* Here, we assume the following:

  277. 			 * if we have a URL in the text part which

  278. 			 * is the same as displayed URL in the

  279. 			 * HTML part, we assume that it is also

  280. 			 * hint only.

  281. 			 */

  282. 			if (turl->flags & RSPAMD_URL_FLAG_FROM_TEXT) {

  283. 

  284. 				/*

  285. 				 * We have the same URL for href and displayed url, so we

  286. 				 * know that this url cannot be both target and display (as

  287. 				 * it breaks logic in many places), so we do not

  288. 				 * propagate html flags

  289. 				 */

  290. 				if (!(turl->flags & RSPAMD_URL_FLAG_DISPLAY_URL)) {

  291. 					turl->flags |= displayed_url->flags;

  292. 				}

  293. 				turl->flags &= ~RSPAMD_URL_FLAG_FROM_TEXT;

  294. 			}

  295. 

  296. 			turl->count++;

  297. 		}

  298. 		else {

  299. 			/* Already inserted by `rspamd_url_set_add_or_return` */

  300. 		}

  301. 	}

  302. 

  303. 	rspamd_normalise_unicode_inplace(url->visible_part, &dlen);

  304. }

  305. 

  306. auto

  307. html_process_url(rspamd_mempool_t *pool, std::string_view &input)

  308. 	-> std::optional<struct rspamd_url *>

  309. {

  310. 	struct rspamd_url *url;

  311. 	guint saved_flags = 0;

  312. 	gint rc;

  313. 	const gchar *s, *prefix = "http://";

  314. 	gchar *d;

  315. 	gsize dlen;

  316. 	gboolean has_bad_chars = FALSE, no_prefix = FALSE;

  317. 	static const gchar hexdigests[] = "0123456789abcdef";

  318. 

  319. 	auto sz = input.length();

  320. 	const auto *trimmed = rspamd_string_unicode_trim_inplace(input.data(), &sz);

  321. 	input = {trimmed, sz};

  322. 

  323. 	const auto *start = input.data();

  324. 	s = start;

  325. 	dlen = 0;

  326. 

  327. 	for (auto i = 0; i < sz; i++) {

  328. 		if (G_UNLIKELY (((guint) s[i]) < 0x80 && !g_ascii_isgraph(s[i]))) {

  329. 			dlen += 3;

  330. 		}

  331. 		else {

  332. 			dlen++;

  333. 		}

  334. 	}

  335. 

  336. 	if (rspamd_substring_search(start, sz, "://", 3) == -1) {

  337. 		if (sz >= sizeof("mailto:") &&

  338. 			(memcmp(start, "mailto:", sizeof("mailto:") - 1) == 0 ||

  339. 			 memcmp(start, "tel:", sizeof("tel:") - 1) == 0 ||

  340. 			 memcmp(start, "callto:", sizeof("callto:") - 1) == 0)) {

  341. 			/* Exclusion, has valid but 'strange' prefix */

  342. 		}

  343. 		else {

  344. 			for (auto i = 0; i < sz; i++) {

  345. 				if (!((s[i] & 0x80) || g_ascii_isalnum (s[i]))) {

  346. 					if (i == 0 && sz > 2 && s[i] == '/' && s[i + 1] == '/') {

  347. 						prefix = "http:";

  348. 						dlen += sizeof("http:") - 1;

  349. 						no_prefix = TRUE;

  350. 					}

  351. 					else if (s[i] == '@') {

  352. 						/* Likely email prefix */

  353. 						prefix = "mailto://";

  354. 						dlen += sizeof("mailto://") - 1;

  355. 						no_prefix = TRUE;

  356. 					}

  357. 					else if (s[i] == ':' && i != 0) {

  358. 						/* Special case */

  359. 						no_prefix = FALSE;

  360. 					}

  361. 					else {

  362. 						if (i == 0) {

  363. 							/* No valid data */

  364. 							return std::nullopt;

  365. 						}

  366. 						else {

  367. 							no_prefix = TRUE;

  368. 							dlen += strlen(prefix);

  369. 						}

  370. 					}

  371. 

  372. 					break;

  373. 				}

  374. 			}

  375. 		}

  376. 	}

  377. 

  378. 	auto *decoded = rspamd_mempool_alloc_buffer(pool, dlen + 1);

  379. 	d = decoded;

  380. 

  381. 	if (no_prefix) {

  382. 		gsize plen = strlen(prefix);

  383. 		memcpy(d, prefix, plen);

  384. 		d += plen;

  385. 	}

  386. 

  387. 	/*

  388. 	 * We also need to remove all internal newlines, spaces

  389. 	 * and encode unsafe characters

  390. 	 * Another obfuscation find in the wild was encoding of the SAFE url characters,

  391. 	 * including essential ones

  392. 	 */

  393. 	for (auto i = 0; i < sz; i++) {

  394. 		if (G_UNLIKELY (g_ascii_isspace(s[i]))) {

  395. 			continue;

  396. 		}

  397. 		else if (G_UNLIKELY (((guint) s[i]) < 0x80 && !g_ascii_isgraph(s[i]))) {

  398. 			/* URL encode */

  399. 			*d++ = '%';

  400. 			*d++ = hexdigests[(s[i] >> 4) & 0xf];

  401. 			*d++ = hexdigests[s[i] & 0xf];

  402. 			has_bad_chars = TRUE;

  403. 		}

  404. 		else if (G_UNLIKELY (s[i] == '%')) {

  405. 			if (i + 2 < sz) {

  406. 				auto c1 = s[i + 1];

  407. 				auto c2 = s[i + 2];

  408. 

  409. 				if (g_ascii_isxdigit(c1) && g_ascii_isxdigit(c2)) {

  410. 					auto codepoint = 0;

  411. 

  412. 					if      (c1 >= '0' && c1 <= '9') codepoint = c1 - '0';

  413. 					else if (c1 >= 'A' && c1 <= 'F') codepoint = c1 - 'A' + 10;

  414. 					else if (c1 >= 'a' && c1 <= 'f') codepoint = c1 - 'a' + 10;

  415. 

  416. 					codepoint <<= 4;

  417. 

  418. 					if      (c2 >= '0' && c2 <= '9') codepoint += c2 - '0';

  419. 					else if (c2 >= 'A' && c2 <= 'F') codepoint += c2 - 'A' + 10;

  420. 					else if (c2 >= 'a' && c2 <= 'f') codepoint += c2 - 'a' + 10;

  421. 

  422. 					/* Now check for 'interesting' codepoints */

  423. 					if (codepoint == '@' || codepoint == ':' || codepoint == '|' ||

  424. 						codepoint == '?' || codepoint == '\\' || codepoint == '/') {

  425. 						/* Replace it back */

  426. 						*d++ = (char)(codepoint & 0xff);

  427. 						i += 2;

  428. 					}

  429. 					else {

  430. 						*d++ = s[i];

  431. 					}

  432. 				}

  433. 				else {

  434. 					*d++ = s[i];

  435. 				}

  436. 			}

  437. 			else {

  438. 				*d++ = s[i];

  439. 			}

  440. 		}

  441. 		else {

  442. 			*d++ = s[i];

  443. 		}

  444. 	}

  445. 

  446. 	*d = '\0';

  447. 	dlen = d - decoded;

  448. 

  449. 	url = rspamd_mempool_alloc0_type(pool, struct rspamd_url);

  450. 	rspamd_url_normalise_propagate_flags (pool, decoded, &dlen, saved_flags);

  451. 	rc = rspamd_url_parse(url, decoded, dlen, pool, RSPAMD_URL_PARSE_HREF);

  452. 

  453. 	/* Filter some completely damaged urls */

  454. 	if (rc == URI_ERRNO_OK && url->hostlen > 0 &&

  455. 		!((url->protocol & PROTOCOL_UNKNOWN))) {

  456. 		url->flags |= saved_flags;

  457. 

  458. 		if (has_bad_chars) {

  459. 			url->flags |= RSPAMD_URL_FLAG_OBSCURED;

  460. 		}

  461. 

  462. 		if (no_prefix) {

  463. 			url->flags |= RSPAMD_URL_FLAG_SCHEMALESS;

  464. 

  465. 			if (url->tldlen == 0 || (url->flags & RSPAMD_URL_FLAG_NO_TLD)) {

  466. 				/* Ignore urls with both no schema and no tld */

  467. 				return std::nullopt;

  468. 			}

  469. 		}

  470. 

  471. 		decoded = url->string;

  472. 

  473. 		input = {decoded, url->urllen};

  474. 

  475. 		/* Spaces in href usually mean an attempt to obfuscate URL */

  476. 		/* See https://github.com/vstakhov/rspamd/issues/593 */

  477. #if 0

  478. 		if (has_spaces) {

  479. 			url->flags |= RSPAMD_URL_FLAG_OBSCURED;

  480. 		}

  481. #endif

  482. 

  483. 		return url;

  484. 	}

  485. 

  486. 	return std::nullopt;

  487. }

  488. 

  489. }