From f161c997922ad60be57221db470e446eaaa84afe Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Tue, 3 Sep 2019 11:13:13 +0200
Subject: [PATCH] Lock out Nessus and OpenVAS
---
 lib/remote/httpserverconnection.cpp | 44 +++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/lib/remote/httpserverconnection.cpp b/lib/remote/httpserverconnection.cpp
index 7d99e392a..acc5eb9f4 100644
--- a/lib/remote/httpserverconnection.cpp
+++ b/lib/remote/httpserverconnection.cpp
@@ -20,6 +20,7 @@
 #include "base/utility.hpp"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -207,6 +208,45 @@ bool EnsureValidHeaders(
 return true;
 }
+static const std::regex l_SecurityScannerName (R"EOF(\b(?:Nessus|OpenVAS)\b)EOF");
+
+static inline
+bool LockOutSecurityScanners(
+ AsioTlsStream& stream,
+ boost::beast::http::request& request,
+ boost::beast::http::response& response,
+ boost::asio::yield_context& yc
+)
+{
+ namespace http = boost::beast::http;
+
+ auto agent (request[http::field::user_agent]);
+
+ if (std::regex_search(agent.begin(), agent.end(), l_SecurityScannerName)) {
+ response.result(http::status::forbidden);
+
+ if (request[http::field::accept] == "application/json") {
+ HttpUtility::SendJsonBody(response, nullptr, new Dictionary({
+ { "error", 403 },
+ { "status", String("Forbidden: Security scans are not allowed") }
+ }));
+ } else {
+ response.set(http::field::content_type, "text/html");
+ response.body() = String("

Forbidden

Security scans are not allowed

"); + response.set(http::field::content_length, response.body().size()); + } + + response.set(http::field::connection, "close"); + + http::async_write(stream, response, yc); + stream.async_flush(yc); + + return false; + } + + return true; +} + static inline void HandleExpect100( AsioTlsStream& stream, @@ -513,6 +553,10 @@ void HttpServerConnection::ProcessMessages(boost::asio::yield_context yc) auto& request (parser.get()); + if (!LockOutSecurityScanners(*m_Stream, request, response, yc)) { + break; + } + { auto method (http::string_to_verb(request["X-Http-Method-Override"])); -- 2.49.0