
ngx.req.get_uri_args() can't get more than 100 request arguments #280

Open
lua-study opened this issue May 30, 2017 · 3 comments

Comments

@lua-study

ngx.req.get_uri_args()
some note from https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args
“Note that a maximum of 100 request arguments are parsed by default (including those with the same name) and that additional request arguments are silently discarded to guard against potential denial of service attacks.”
Testing by me:

  1. rule checking "information_schema"

  2. request:
    /test.php?&a0=0&a1=1&a2=2&a3=3&a4=4&a5=5&a6=6&a7=7&a8=8&a9=9&a10=10&a11=11&a12=12&a13=13&a14=14&a15=15&a16=16&a17=17&a18=18&a19=19&a20=20&a21=21&a22=22&a23=23&a24=24&a25=25&a26=26&a27=27&a28=28&a29=29&a30=30&a31=31&a32=32&a33=33&a34=34&a35=35&a36=36&a37=37&a38=38&a39=39&a40=40&a41=41&a42=42&a43=43&a44=44&a45=45&a46=46&a47=47&a48=48&a49=49&a50=50&a51=51&a52=52&a53=53&a54=54&a55=55&a56=56&a57=57&a58=58&a59=59&a60=60&a61=61&a62=62&a63=63&a64=64&a65=65&a66=66&a67=67&a68=68&a69=69&a70=70&a71=71&a72=72&a73=73&a74=74&a75=75&a76=76&a77=77&a78=78&a79=79&a80=80&a81=81&a82=82&a83=83&a84=84&a85=85&a86=86&a87=87&a88=88&a89=89&a90=90&a91=91&a92=92&a93=93&a94=94&a95=95&a96=96&a97=97&a98=98&a=information_schemas

  3. result: the request can bypass the rule

The other APIs are the same, for example:
ngx.req.get_post_args()
ngx.req.get_headers()

@harston

harston commented May 31, 2017

AFAIK you can change it in ngx_http_lua_common.h, but I haven't tested how increasing this value will affect performance.

I think a good idea is to limit or alert on a high (unnatural) number of arguments and headers.

```c
#ifndef NGX_HTTP_LUA_MAX_ARGS
#define NGX_HTTP_LUA_MAX_ARGS 100
#endif


#ifndef NGX_HTTP_LUA_MAX_HEADERS
#define NGX_HTTP_LUA_MAX_HEADERS 100
#endif
```

@p0pr0ck5
Owner

@harston no, editing the lua-nginx-module source is patently the wrong solution :) these functions all take a param to limit the number of elements returned.

I think the proper solution here is configurable soft/hard limits for these elements; wherein we warn or set TX vars if these thresholds are passed. This will likely make lua-resty-core a hard dependency as we'll need to leverage some of the FFI functions to get request element count.
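The truncation bypass from the issue body and the soft/hard limit idea above, as an added example in Python rather than lua-resty-waf's own Lua: `parse_args` is a simplified model of the parser cap (each `&`-delimited segment consumes a slot, which is what makes the leading `&` in the reported request push `a=information_schemas` past 100), and `limited_decision` counts raw segments before the rules run and refuses to evaluate a truncated argument list. The query string is constructed to match the request quoted in the issue.

```python
from urllib.parse import unquote_plus

# Constructed to match the request in the issue above: a leading "&",
# a0..a98 (99 named arguments), then the argument the rule should catch.
ISSUE_QUERY = ("&" + "&".join("a%d=%d" % (i, i) for i in range(99))
               + "&a=information_schemas")
NEEDLE = "information_schema"


def parse_args(query, max_args=100):
    """Simplified model of ngx.req.get_uri_args(): every "&"-delimited
    segment, empty or not, consumes one of the max_args slots and the rest
    are silently dropped. Returns (args, truncated). Duplicate keys keep
    the last value here, simpler than the engine's table handling."""
    segments = query.split("&") if query else []
    args = {}
    for seg in segments[:max_args]:
        if seg:
            key, _, value = seg.partition("=")
            args[unquote_plus(key)] = unquote_plus(value)
    return args, len(segments) > max_args


def rule_hits(args, needle=NEEDLE):
    """Naive signature rule evaluated over the parsed arguments only."""
    return any(needle in k or needle in v for k, v in args.items())


def naive_decision(query):
    """Rule applied to whatever the parser returned: this is the bypass."""
    args, _ = parse_args(query)
    return "block" if rule_hits(args) else "pass"


def limited_decision(query, soft_limit=50, hard_limit=100, engine_max=100):
    """Count raw segments before parsing: a hard-limit excess is rejected,
    parser truncation is rejected (the rules never saw the tail), and a
    soft-limit excess passes but is flagged, e.g. for a log line or TX var."""
    raw_count = len(query.split("&")) if query else 0
    if raw_count > hard_limit:
        return "block", "%d arguments exceeds hard limit %d" % (raw_count, hard_limit)
    args, truncated = parse_args(query, max_args=engine_max)
    if truncated:
        return "block", "parser truncated the argument list"
    if rule_hits(args):
        return "block", "rule matched"
    if raw_count > soft_limit:
        return "alert", "%d arguments exceeds soft limit %d" % (raw_count, soft_limit)
    return "pass", ""
```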

@p0pr0ck5
Owner

related: openresty/lua-nginx-module#1306
