Various appsec fixes #2742

Merged
merged 4 commits into from
Jan 15, 2024
Merged
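--- a/pkg/acquisition/modules/appsec/appsec.go
+++ b/pkg/acquisition/modules/appsec/appsec.go
@@ -353,14 +353,18 @@
 w.InChan <- parsedRequest
 
 response := <-parsedRequest.ResponseChannel
+statusCode := http.StatusOK
+
 if response.InBandInterrupt {
+statusCode = http.StatusForbidden
 AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc()
 }
 
 appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger)
 logger.Debugf("Response: %+v", appsecResponse)
-rw.WriteHeader(appsecResponse.HTTPStatus)
-body, err := json.Marshal(BodyResponse{Action: appsecResponse.Action})
+
+rw.WriteHeader(statusCode)
+body, err := json.Marshal(appsecResponse)
 if err != nil {
 logger.Errorf("unable to marshal response: %s", err)
 rw.WriteHeader(http.StatusInternalServerError)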
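Review bot: `rw.WriteHeader(statusCode)` is now written before `json.Marshal(appsecResponse)` runs, so when the marshal fails the `rw.WriteHeader(http.StatusInternalServerError)` in the error branch is a second WriteHeader that net/http ignores (it only logs "superfluous response.WriteHeader call"), and the remote component receives the 200/403 already sent with an empty body instead of a 500. Move the header write below the error check — `body, err := json.Marshal(appsecResponse)`, then the `if err != nil { … }` branch, then `rw.WriteHeader(statusCode)` — so the failure is actually signalled on the wire. Two further consequences deserve a comment at the call site: the wire status no longer comes from `appsecResponse.HTTPStatus` but is fixed to 200/403 by `InBandInterrupt`, and the body now serializes the whole `appsecResponse` rather than `BodyResponse{Action: …}`, so every exported field of that struct is now exposed to the bouncer; if any of them was not meant to leave the process, a `json:"-"` tag is the place to say so. The handler's body continues on both sides of the hunk, so the error branch's `return` is not visible here.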
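--- a/pkg/acquisition/modules/appsec/appsec_runner.go
+++ b/pkg/acquisition/modules/appsec/appsec_runner.go
@@ -119,6 +119,11 @@
 defer func() {
 request.Tx.ProcessLogging()
 //We don't close the transaction here, as it will reset coraza internal state and break variable tracking
+
+err := r.AppsecRuntime.ProcessPostEvalRules(request)
+if err != nil {
+r.logger.Errorf("unable to process PostEval rules: %s", err)
+}
 }()
 
 //pre eval (expr) rules
@@ -182,11 +187,6 @@
 r.logger.Debugf("rules matched for body : %d", in.RuleID)
 }
 
-err = r.AppsecRuntime.ProcessPostEvalRules(request)
-if err != nil {
-r.logger.Errorf("unable to process PostEval rules: %s", err)
-}
-
 return nil
 }
 
@@ -272,7 +272,7 @@
 r.logger.Errorf("unable to accumulate tx to event : %s", err)
 }
 if in := request.Tx.Interruption(); in != nil {
-r.logger.Debugf("inband rules matched : %d", in.RuleID)
+r.logger.Debugf("outband rules matched : %d", in.RuleID)
 r.AppsecRuntime.Response.OutOfBandInterrupt = true
 
 err = r.AppsecRuntime.ProcessOnMatchRules(request, evt)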
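Review bot: Moving `ProcessPostEvalRules` into the deferred closure changes when it runs, not just where: it now executes on every exit path of the enclosing function — including any early error return in the pre-eval/body-phase code that sits between the two hunks and is not visible here — rather than only after the body phase completed, and its error is only logged, so a post-eval rule that fails is invisible to the caller. If evaluating post-eval rules against a partially processed transaction is intended, say so next to the existing comment, e.g. `// PostEval rules run in the defer so they see the final Tx state on every exit path (including early error returns); failures are logged, not propagated.`; if it is not, set a local `completed := true` immediately before `return nil` and gate the call on it inside the defer. The closure's `err :=` is a new variable scoped to the defer, so it does not clobber the function-level `err`, which is fine but worth knowing when reading the third hunk's `err = …` assignment. The enclosing function starts above the first hunk.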
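--- a/pkg/apiserver/middlewares/v1/api_key.go
+++ b/pkg/apiserver/middlewares/v1/api_key.go
@@ -166,7 +166,8 @@
 }
 }
 
-if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {
+//Don't update IP on HEAD request, as it's used by the appsec to check the validity of the API key provided
+if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" && c.Request.Method != http.MethodHead {
 log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
 if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {
 logger.Errorf("Failed to update ip address for '%s': %s\n", bouncer.Name, err)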
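Review bot: Adding `c.Request.Method != http.MethodHead` to the condition skips not only `UpdateBouncerIP` but also the `log.Warningf("new IP address detected …")` line, so a leaked bouncer API key probed with HEAD from a foreign address leaves no trace, whereas the same key used with GET would be logged with the old and new IP. The IP-rebinding side effect is the thing the appsec check needs to avoid; the audit line should stay, so keep the method test inside the block and log the HEAD case instead of silently skipping it. The exemption also applies to every HEAD request on every API-key-protected route; if the appsec's key check hits a single known route, scoping the exemption to that route (or to the appsec's own bouncer type) would be tighter — I cannot see the routing from here, so treat that as something to confirm. The enclosing middleware function starts above the hunk, so the surrounding `if`/`}` structure is inferred from the context lines.
```go
if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {
	if c.Request.Method == http.MethodHead {
		// The appsec component validates its API key with HEAD requests that may
		// originate from a different host than the bouncer itself; keep the stored
		// IP, but leave a trace so a key used from an unexpected address is visible.
		log.Debugf("HEAD request for bouncer '%s' from %s (registered IP: %s), not updating IP", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
	} else {
		log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
		// … unchanged: UpdateBouncerIP call and its error log …
	}
}
```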