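/// <summary>
/// Runs every filter in <c>_store.FilterSet</c> against one request parameter after
/// normalising the encodings the converter knows about (UTF-7, quotes, JS charcodes,
/// comments, concatenations).
/// </summary>
/// <param name="key">Parameter name; <c>null</c> is treated as an empty string.</param>
/// <param name="val">Parameter value; <c>null</c> is treated as an empty string.</param>
/// <returns>
/// <c>null</c> when <paramref name="key"/> is listed in <c>_exclusions</c>, or when both key and
/// value consist solely of word characters (the fast path: nothing to decode, nothing to match);
/// otherwise the filters that matched, in <c>_store.FilterSet</c> order (possibly empty).
/// When <c>ScanKeys</c> is set, a filter matching both the value and the key is added twice.
/// </returns>
private List<Filter> Detect(string key, string val)
{
    // The exclusion lookup deliberately uses the raw key (before null normalisation)
    // so the semantics for a null key are unchanged from the original.
    if (_exclusions.Contains(key))
    {
        return null;
    }
    key = key ?? string.Empty;
    val = val ?? string.Empty;

    // Fast path: a key and value made only of word characters (.NET \w: Unicode letters,
    // digits and underscore-class connectors) carry no payload worth decoding.
    // \A / \z anchor at the absolute start and end of the string. The original "^(\w+)$"
    // also accepted a value with a trailing "\n", because "$" matches before a final
    // newline, so such input skipped detection entirely.
    const string safePattern = @"\A\w+\z";
    if (System.Text.RegularExpressions.Regex.IsMatch(key, safePattern)
        && System.Text.RegularExpressions.Regex.IsMatch(val, safePattern))
    {
        // No need to detect further.
        return null;
    }

    List<Filter> ret = new List<Filter>();

    // START DECODING - mirrors PHPIDS' IDS_Converter order:
    //   convertFromUTF7, convertQuotes, convertFromJSCharcode,
    //   convertFromCommented, convertConcatenations.
    // Except for the UTF-7 step, each decoder's output is *appended* to the working
    // string rather than replacing it, so the filters see the raw and the decoded forms.
    string keydecoded = key;
    string valdecoded = val;

    // UTF-7 decode (replaces the working string).
    if (UTF7Decode)
    {
        keydecoded = CharsetConverter.convertFromUTF7(keydecoded);
        valdecoded = CharsetConverter.convertFromUTF7(valdecoded);
    }

    // Quotes decode.
    keydecoded += CharsetConverter.convertQuotes(keydecoded);
    valdecoded += CharsetConverter.convertQuotes(valdecoded);

    // JS charcode decode.
    if (JSDecode)
    {
        keydecoded += CharsetConverter.convertFromJSCharcode(keydecoded);
        valdecoded += CharsetConverter.convertFromJSCharcode(valdecoded);
    }

    // Comment decode.
    keydecoded += CharsetConverter.convertComments(keydecoded);
    valdecoded += CharsetConverter.convertComments(valdecoded);

    // Concatenation decode.
    keydecoded += CharsetConverter.convertConcats(keydecoded);
    valdecoded += CharsetConverter.convertConcats(valdecoded);

    // Centrifuge decode is commented out in the original and is left disabled here.
    //keydecoded += CharsetConverter.convertCentrifuge(keydecoded);
    //valdecoded += CharsetConverter.convertCentrifuge(valdecoded);

    foreach (Filter f in _store.FilterSet)
    {
        if (f.Match(valdecoded))
        {
            ret.Add(f);
        }
        // Keys are only scanned when configured; a filter that matches both the
        // value and the key therefore appears twice in the result.
        if (ScanKeys && f.Match(keydecoded))
        {
            ret.Add(f);
        }
    }
    return ret;
}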
#endregion