feat: add Cloudflare WAF service#155
Conversation
|
Review 阻塞:这个 service package PR 有测试文件,但我没有在 PR 描述、评论或改动文件中找到真实的测试截图证据(图片链接或提交的图片文件)。请补充能证明该 service package 跑通的截图,例如 |
8ecc90d to
ce6fa8f
Compare
|
PR Title: feat: add Cloudflare WAF service Commit: 本次 PR 新增了多个 OctoBus Service Package(Cloudflare WAF、TopSec WAF、DefectDojo、Elastic Kibana、CloudAtlas、QiAnXin Hunter、Slack Group Robot、ThreatBook NGTIP 等),并扩展了 关键发现:
|
| if (authEmail && authKey) { | ||
| return { 'x-auth-email': authEmail, 'x-auth-key': authKey }; | ||
| } | ||
| throw errorWithCode('INVALID_ARGUMENT', 'apiToken (or authEmail + authKey) is required'); |
There was a problem hiding this comment.
多处 Service 向 Node.js fetch 传入无效选项导致超时和 TLS 配置失效
callCloudflare 将 timeoutMs 以及 insecureSkipVerify/tlsInsecureSkipVerify 等选项直接展开到 fetch 的参数中。Node.js 原生 fetch(基于 undici)不支持这些选项,它们会被静默忽略。这导致配置的超时时间对请求毫无约束,网络异常时请求可能无限挂起;同时 TLS 跳过校验配置也不生效,遇到自签名证书时会连接失败。
Problem code:
Changed code at services/cloudflare__waf/src/cloudflare-waf.js:190
Recommendation:
使用 AbortSignal.timeout(timeoutMs) 实现请求超时;对于 TLS 跳过校验,应使用支持 rejectUnauthorized: false 的自定义 https.Agent 并通过 fetch 的 dispatcher 选项(或全局 undici Agent)传入,而非传递无效选项。此问题在 elastic-kibana-7-17-26.js、cloudatlas.js、hunter.js、threatbook-ngtip-v5.js、slack-group-robot.js 等文件中同样存在,建议一并修复。
|
Reviewer note: this PR currently has merge conflicts with the target branch, so it cannot be merged or reviewed safely in its current state. Please rebase or merge the latest base branch, resolve the conflicts, and make sure GitHub Actions pass again. I am marking/keeping this PR as draft until the conflicts are resolved. |
接入设备
Cloudflare WAF — Cloudflare 边缘防火墙 / Web 应用防护(SaaS)。服务包
services/cloudflare__waf,proto 包Cloudflare_WAF。设备版本
Cloudflare API v4(
https://api.cloudflare.com/client/v4),SaaS 无版本号、稳定 API。认证方式
secret.apiToken,以Authorization: Bearer <token>发送;最小权限Zone.Firewall Services+Zone.Zone Settings。secret.authEmail+secret.authKey(X-Auth-Email/X-Auth-Key),仅在无 apiToken 时使用。实现方法
方式:RPC(gRPC,5 个方法)
BlockIPPOST /…/firewall/access_rules/rulestarget+mode幂等去重,created_count报告实际新建数UnblockIPDELETE /…/firewall/access_rules/rules/{id}deleted_count=0(幂等)ListAccessRulesGET /…/firewall/access_rules/rulesGetSecurityLevelGET /zones/{zone}/settings/security_levelSetSecurityLevelPATCH /zones/{zone}/settings/security_levelaccount_id优先,否则zone_id(请求或配置)。INVALID_ARGUMENT,401/403 或 CF 错误码 9109/10000→PERMISSION_DENIED,4xx 或success:false→FAILED_PRECONDITION,5xx/网络→UNAVAILABLE,非 JSON→UNKNOWN。x-request-id/x-engine-instance)。测试命令
已知限制
SetSecurityLevel: under_attack为高影响操作,建议加审批。真实设备验证
(截图:Cloudflare Dashboard → Security → WAF → Tools 中可见对应 IP Access Rule 的创建与删除)