Open jeremyjpj0916 opened 4 years ago
Update: Did remove 200000 on my test for this call to see if it removed the slowness(ModSec XML Parse rule), and it did not make things faster.
Ran some more tests tonight, nothing fixed it until I straight up disabled the engine:
# Had to disable to fix the "slow processing" issue.
SecRule REQUEST_URI "@contains /ExampleService/v" \
"id:14,\
phase:1,\
t:none,\
pass,\
nolog,\
ctl:ruleEngine=Off,\
ctl:ruleRemoveById=920273,\
ctl:ruleRemoveById=920272,\
ctl:ruleRemoveById=920260,\
ctl:ruleRemoveById=920240,\
ctl:ruleRemoveById=931110,\
ctl:ruleRemoveById=200000,\
ctl:ruleRemoveById=920470,\
ctl:ruleRemoveTargetById=941160;XML:/*"
URI edited for privacy reasons here :P . But yeah unsure where the slowdown is...
Describe the bug
Seems an
application/xml
payload that uses lots of > and < chars in the place of the actual < >'s will cause insane WAF processing time(you end up with one fairly large XML element containing all this data as string in the long running XML one.With regular < >'s keeping a full XML schema+elements the whole time: 3.7 seconds e2e on a 450kb payload for me.
With the > and < chars in the place of the actual < >'s: 40+ seconds e2e 549kb payload
Unsure currently what rule its hanging on, I suppose DEBUG mode would give us some insight on where eats the most time.
Steps to reproduce
Non-issue case HTTP Post body example:
WorkingPayload.txt
Issue case HTTP Post body example:
ShrektPayload.txt
Expected behaviour
Would have not expected WAF to hang and process on the XML body this long.
Actual behaviour
Additional context
Your Environment