

Various appsec fixes (#2742)
blotus authored Jan 15, 2024
1 parent e452dc8 commit 6acbcb0
Showing 3 changed files with 14 additions and 9 deletions.
8 changes: 6 additions & 2 deletions pkg/acquisition/modules/appsec/appsec.go
Expand Up @@ -353,14 +353,18 @@ func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) {
w.InChan <- parsedRequest

response := <-parsedRequest.ResponseChannel
statusCode := http.StatusOK

if response.InBandInterrupt {
statusCode = http.StatusForbidden
AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc()
}

appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger)
logger.Debugf("Response: %+v", appsecResponse)
rw.WriteHeader(appsecResponse.HTTPStatus)
body, err := json.Marshal(BodyResponse{Action: appsecResponse.Action})

rw.WriteHeader(statusCode)
body, err := json.Marshal(appsecResponse)
if err != nil {
logger.Errorf("unable to marshal response: %s", err)
rw.WriteHeader(http.StatusInternalServerError)
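Review bot: `rw.WriteHeader(statusCode)` is still issued before `json.Marshal(appsecResponse)`, so when marshalling fails the `rw.WriteHeader(http.StatusInternalServerError)` in the error branch is a superfluous second call that net/http ignores, and the bouncer receives a 200 or 403 with an empty body. Move the header write after the error check: `body, err := json.Marshal(appsecResponse)` / `if err != nil { ...; return }` / `rw.WriteHeader(statusCode)`. The rendered page has lost the +/- markers, so which WriteHeader/Marshal pair is the new side is inferred from the diffstat. Marshalling the whole `appsecResponse` rather than `BodyResponse{Action: ...}` widens what is sent back to the bouncer; worth confirming that every exported field of that struct is meant to be exposed on this endpoint. appsecHandler's body continues past the hunk.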
12 changes: 6 additions & 6 deletions pkg/acquisition/modules/appsec/appsec_runner.go
Expand Up @@ -119,6 +119,11 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
defer func() {
request.Tx.ProcessLogging()
//We don't close the transaction here, as it will reset coraza internal state and break variable tracking

err := r.AppsecRuntime.ProcessPostEvalRules(request)
if err != nil {
r.logger.Errorf("unable to process PostEval rules: %s", err)
}
}()

//pre eval (expr) rules
Expand Down Expand Up @@ -182,11 +187,6 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
r.logger.Debugf("rules matched for body : %d", in.RuleID)
}

err = r.AppsecRuntime.ProcessPostEvalRules(request)
if err != nil {
r.logger.Errorf("unable to process PostEval rules: %s", err)
}

return nil
}

Expand Down Expand Up @@ -272,7 +272,7 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
r.logger.Errorf("unable to accumulate tx to event : %s", err)
}
if in := request.Tx.Interruption(); in != nil {
r.logger.Debugf("inband rules matched : %d", in.RuleID)
r.logger.Debugf("outband rules matched : %d", in.RuleID)
r.AppsecRuntime.Response.OutOfBandInterrupt = true

err = r.AppsecRuntime.ProcessOnMatchRules(request, evt)
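Review bot: Moving `ProcessPostEvalRules` into the deferred closure makes it run on every exit from processRequest, including the early error returns that precede header and body evaluation, whereas before it ran only on the success path just ahead of `return nil`; if post-eval rules assume a fully evaluated transaction they may now act on a partial one. If that is not intended, set a local flag before the final return and test it in the defer, e.g. `evaluated := false` before the `defer`, `if evaluated { err := r.AppsecRuntime.ProcessPostEvalRules(request) ... }` inside it, and `evaluated = true` just before `return nil`. As written a post-eval failure can only be logged from the defer, never returned to the caller, so a comment stating that it is best-effort would help, e.g. `// post-eval runs on every exit path; failures are logged, not returned`. processRequest starts and ends outside the hunks shown.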
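--- a/pkg/apiserver/middlewares/v1/api_key.go
+++ b/pkg/apiserver/middlewares/v1/api_key.go
@@ -174,7 +174,8 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc {
 }
 }
 
-if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {
+//Don't update IP on HEAD request, as it's used by the appsec to check the validity of the API key provided
+if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" && c.Request.Method != http.MethodHead {
 log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
 
 if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {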
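Review bot: Excluding HEAD from the whole `if` also suppresses the `new IP address detected` warning, so a leaked API key being probed for validity from an unexpected address (exactly the HEAD use the comment describes) leaves no trace in the logs. Keep the warning for every method and limit the method check to the persistence step: leave the condition as `if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {`, then guard only the update with `if c.Request.Method != http.MethodHead {` around the `a.DbClient.UpdateBouncerIP(...)` call. `http.MethodHead` also requires `net/http` to be imported in this file, which is outside the hunk. MiddlewareFunc's closure continues beyond the hunk.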
