aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2019-01-21 12:41:03 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2019-01-21 12:41:34 +0000
commitec8a472f21d83d3bb93a200acdd0d5b257e4e88c (patch)
treef704eba3e7e03c47e6d78e329d582da0484dc7d3
parent1a00212d6271dddc1276eb2e44afaa30971a2cbd (diff)
downloadrspamd-ec8a472f21d83d3bb93a200acdd0d5b257e4e88c.tar.gz
rspamd-ec8a472f21d83d3bb93a200acdd0d5b257e4e88c.zip
[Feature] Add dedicated ZW spaces detection for URLs
Issue: #2725
-rw-r--r--rules/misc.lua20
-rw-r--r--src/libserver/html.c4
-rw-r--r--src/libserver/url.h1
-rw-r--r--src/lua/lua_url.c2
4 files changed, 25 insertions, 2 deletions
diff --git a/rules/misc.lua b/rules/misc.lua
index 26f2a1357..05d4af5d5 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -101,25 +101,41 @@ rspamd_config.DATE_IN_PAST = {
type = 'mime',
}
-rspamd_config.R_SUSPICIOUS_URL = {
+local obscured_id = rspamd_config:register_symbol{
callback = function(task)
local urls = task:get_urls()
if urls then
for _,u in ipairs(urls) do
- if u:is_obscured() then
+ local fl = u:get_flags()
+ if fl.obscured then
task:insert_result('R_SUSPICIOUS_URL', 1.0, u:get_host())
end
+ if fl.zw_spaces then
+ task:insert_result('ZERO_WIDTH_SPACE_URL', 1.0, u:get_host())
+ end
end
end
+
return false
end,
+ name = 'R_SUSPICIOUS_URL',
score = 5.0,
one_shot = true,
description = 'Obfusicated or suspicious URL has been found in a message',
group = 'url'
}
+rspamd_config:register_symbol{
+ type = 'virtual',
+ name = 'ZERO_WIDTH_SPACE_URL',
+ score = 7.0,
+ one_shot = true,
+ description = 'Zero width space in url',
+ group = 'url',
+ parent = obscured_id,
+}
+
rspamd_config.ENVFROM_PRVS = {
callback = function (task)
diff --git a/src/libserver/html.c b/src/libserver/html.c
index e97a010fe..afaeae4c5 100644
--- a/src/libserver/html.c
+++ b/src/libserver/html.c
@@ -1351,6 +1351,10 @@ rspamd_html_process_url (rspamd_mempool_t *pool, const gchar *start, guint len,
if (norm_res & (RSPAMD_UNICODE_NORM_ZERO_SPACES|RSPAMD_UNICODE_NORM_ERROR)) {
saved_flags |= RSPAMD_URL_FLAG_OBSCURED;
+
+ if (norm_res & RSPAMD_UNICODE_NORM_ZERO_SPACES) {
+ saved_flags |= RSPAMD_URL_FLAG_ZW_SPACES;
+ }
}
rc = rspamd_url_parse (url, decoded, dlen, pool, RSPAMD_URL_PARSE_HREF);
diff --git a/src/libserver/url.h b/src/libserver/url.h
index a9eda71de..12a649ec7 100644
--- a/src/libserver/url.h
+++ b/src/libserver/url.h
@@ -27,6 +27,7 @@ enum rspamd_url_flags {
RSPAMD_URL_FLAG_HAS_USER = 1 << 14,
RSPAMD_URL_FLAG_SCHEMALESS = 1 << 15,
RSPAMD_URL_FLAG_UNNORMALISED = 1 << 16,
+ RSPAMD_URL_FLAG_ZW_SPACES = 1 << 17,
};
struct rspamd_url_tag {
diff --git a/src/lua/lua_url.c b/src/lua/lua_url.c
index 8b18c7c3d..8bc0cf657 100644
--- a/src/lua/lua_url.c
+++ b/src/lua/lua_url.c
@@ -875,6 +875,7 @@ lua_url_all (lua_State *L)
* - `has_user`: URL has user part
* - `schemaless`: URL has no schema
* - `unnormalised`: URL has some unicode unnormalities
+ * - `zw_spaces`: URL has some zero width spaces
* @return {table} URL flags
*/
#define PUSH_FLAG(fl, name) do { \
@@ -914,6 +915,7 @@ lua_url_get_flags (lua_State *L)
PUSH_FLAG (RSPAMD_URL_FLAG_HAS_USER, "has_user");
PUSH_FLAG (RSPAMD_URL_FLAG_SCHEMALESS, "schemaless");
PUSH_FLAG (RSPAMD_URL_FLAG_UNNORMALISED, "unnormalised");
+ PUSH_FLAG (RSPAMD_URL_FLAG_ZW_SPACES, "zw_spaces");
}
else {
return luaL_error (L, "invalid arguments");