This repository has been archived by the owner on Nov 2, 2023. It is now read-only.
agent/protection/http: lazy access to post form values #148
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
September 8, 2020 12:03
Remove the current call to `ParseForm()` in the middlewares in favor of a direct access to the cached value in the `Request` structure. This value is not nil when the request handler has called `ParseForm()` itself. Meaning that the In-WAF and RASP protections will now only consider the POST form values of the request when actually parsed by the request handler. Note that the In-App WAF is now dynamically attached to `ParseForm()` which returns a non-nil error of type `*SqreenError` when blocked by the In-App WAF (cf. https://docs.sqreen.com/go/integration for more details). This fixes the usage of the Go agent in a reverse proxy server where the agent was consuming the body because of the call to `ParseForm()`, making later reads to `Request.Body` return EOF. A server can now correctly copy the request body.
|
System Tests will fail until the new rule gets merged and the reported agent version is bumped in this repo. |
Merged
Julio-Guerra
pushed a commit
that referenced
this pull request
Sep 10, 2020
New Feature: - (#149) Add activity monitoring of RASP protections. The number of times a protection has been used in the application is now displayed on the `Activity` tab of each RASP protection dashboard page. Fixes: - (#148) Fix the usage of the Go agent in a reverse proxy server: avoid automatically reading a POST request's body because of the former usage of `Request.ParseForm()` in Sqreen's middleware functions, and rather get POST form values from `Request.PostForm`, and URL query values from `Request.URL.Query()`. Note that since `Request.PostForm`'s value is assigned by `Request.ParseForm()`, the In-WAF and RASP protections will now consider POST form values when the request handler will have called `Request.ParseForm()` itself for its own needs. Therefore, the In-App WAF is now also attached to `ParseForm()` to monitor the resulting POST form values, which can return a non-nil error when an attack is detected (cf. <https://docs.sqreen.com/go/integration> for more Go integration details). - (ef81fc2) Enforce a request body reader to ignore it when blocked by the In-App WAF by returning it 0 bytes read along with the current non-nil error. This allows for example `io.LimitReader` not to copy the body buffer despite the non-nil error returned by the In-App WAF protection.
Julio-Guerra
pushed a commit
that referenced
this pull request
Sep 10, 2020
New Feature: - (#149) Add activity monitoring of RASP protections. The number of times a protection has been used in the application is now displayed on the `Activity` tab of each RASP protection dashboard page. Fixes: - (#148) Fix the usage of the Go agent in a reverse proxy server: avoid automatically reading a POST request's body because of the former usage of `Request.ParseForm()` in Sqreen's middleware functions, and rather get POST form values from `Request.PostForm`, and URL query values from `Request.URL.Query()`. Note that since `Request.PostForm`'s value is assigned by `Request.ParseForm()`, the In-WAF and RASP protections will now consider POST form values when the request handler will have called `Request.ParseForm()` itself for its own needs. Therefore, the In-App WAF is now also attached to `ParseForm()` to monitor the resulting POST form values, which can return a non-nil error when an attack is detected (cf. <https://docs.sqreen.com/go/integration> for more Go integration details). - (ef81fc2) Enforce a request body reader to ignore it when blocked by the In-App WAF by returning it 0 bytes read along with the current non-nil error. This allows for example `io.LimitReader` not to copy the body buffer despite the non-nil error returned by the In-App WAF protection.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Remove the current call to
ParseForm()in the middlewares in favor of a directaccess to the cached value in the
Requeststructure. This value is not nilwhen the request handler has called
ParseForm()itself. Meaning that theIn-WAF and RASP protections will now only consider the POST form values of the
request when actually parsed by the request handler.
Note that the In-App WAF is now dynamically attached to
ParseForm()whichreturns a non-nil error of type
*SqreenErrorwhen blocked by the In-App WAF(cf. https://docs.sqreen.com/go/integration for more details).
This fixes the usage of the Go agent in a reverse proxy server where the agent
was consuming the body because of the call to
ParseForm(), making later readsto
Request.Bodyreturn EOF. A server can now correctly copy the request body.