From 1aa77066a1c54164ded3dfa26b6c18c181461063 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Mon, 1 Dec 2025 21:23:23 +1100
Subject: [PATCH] Catch exceptions in the process waf job, use symbols for actions, Don't create a rule which matches a supernet rule.
---
 app/jobs/process_waf_event_job.rb | 1 +
 app/models/waf_policy.rb | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/app/jobs/process_waf_event_job.rb b/app/jobs/process_waf_event_job.rb
index d502449..93f5744 100644
--- a/app/jobs/process_waf_event_job.rb
+++ b/app/jobs/process_waf_event_job.rb
@@ -79,6 +79,7 @@ class ProcessWafEventJob < ApplicationJob
 Rails.logger.debug "Network processing took #{((Time.current - network_start) * 1000).round(2)}ms"
 rescue => e
 Rails.logger.warn "Failed to process network range for event #{event.id}: #{e.message}"
+ Sentry.capture_exception(e)
 end
 elsif event.ip_address.present?
 Rails.logger.warn "Event #{event.id} has IP but no network_range_id (private IP?)"
diff --git a/app/models/waf_policy.rb b/app/models/waf_policy.rb
index eee270b..7a6a8ab 100644
--- a/app/models/waf_policy.rb
+++ b/app/models/waf_policy.rb
@@ -152,9 +152,16 @@ validate :targets_must_be_array
 def create_rule_for_network_range(network_range)
 return nil unless matches_network_range?(network_range)
+ # Check for existing supernet rules before attempting to create
+ if network_range.supernet_rules.any?
+ supernet = network_range.supernet_rules.first
+ Rails.logger.debug "Skipping rule creation for #{network_range.cidr} - covered by supernet rule ##{supernet.id} (#{supernet.network_range.cidr})"
+ return nil
+ end
 rule = Rule.create!(
 waf_rule_type: 'network',
- waf_action: policy_action,
+ waf_action: policy_action.to_sym,
 network_range: network_range,
 waf_policy: self,
 user: user,
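Review bot: The Sentry report added inside the `rescue => e` block carries no reference to the event being processed, while the log line right above it names `event.id`; pass it along so the two can be correlated during triage, `Sentry.capture_exception(e, extra: { waf_event_id: event.id })`. The rescue still swallows the error and lets the job finish, so a failed network-range step — and any rule that step would have created — is not retried; that is pre-existing, but a comment such as `# best-effort: a failure here must not abort the rest of event processing` would make the intent explicit. The enclosing method starts and ends outside the hunk.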
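Review bot: The new supernet guard in create_rule_for_network_range skips rule creation whenever any supernet rule exists, without comparing that rule's `waf_action` to this policy's, so unless `supernet_rules` is already scoped by action a block policy is silently not applied to a range whose supernet only carries a less restrictive rule; the guard should require a matching action, e.g. `supernet = network_range.supernet_rules.find { |r| r.waf_action.to_s == policy_action.to_s }` followed by `if supernet` around the existing log and `return nil`. That also collapses the `any?`/`first` pair into one lookup, and since a deliberately skipped rule is something an operator will want to see, `Rails.logger.info` is a better level than `debug` for that message. `policy_action.to_sym` here and in the path_pattern hunk below raises NoMethodError when policy_action is nil; if a presence validation already guarantees it that is fine, otherwise `policy_action&.to_sym` or such a validation is needed. The method's body continues past the end of the hunk.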
@@ -203,7 +210,7 @@ validate :targets_must_be_array
 rule = Rule.create!(
 waf_rule_type: 'path_pattern',
- waf_action: policy_action,
+ waf_action: policy_action.to_sym,
 waf_policy: self,
 user: user,
 source: "policy",