The problem with this technique is that an attacker can issue a request using an arbitrary body size (1 terabyte) and crash the server, creating a Denial-of-Service.
A possible mitigation is reading the body while using the http.MaxBytesReader() function, to limit the maximum body size. Possibly, the maximum size should be configurable.
Here the code is reading the body of the request: https://github.com/acouvreur/traefik-modsecurity-plugin/blob/19cdb477b8cee1966ad95278d168ae90a93df663/modsecurity.go#L63
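The mitigation described above, as an added example that is not the plugin's own code: a small net/http middleware that wraps the request body in http.MaxBytesReader before buffering it, answers oversized requests with 413 instead of reading them into memory, and hands the bounded copy on to the next handler. The limit constant, the function names and the in-memory driver built on httptest are assumptions for illustration; detecting the overflow via *http.MaxBytesError requires Go 1.19 or newer.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// defaultMaxBodyBytes is a hypothetical default for the configurable limit
// suggested in the issue (assumed value, not from the plugin).
const defaultMaxBodyBytes int64 = 1 << 20 // 1 MiB

// readLimitedBody replaces r.Body with an http.MaxBytesReader so that any read
// past maxBytes fails with *http.MaxBytesError instead of growing memory
// without bound, then buffers at most maxBytes of the body.
func readLimitedBody(w http.ResponseWriter, r *http.Request, maxBytes int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
	return io.ReadAll(r.Body)
}

// bodyLimitMiddleware reads the body under the limit, rejects oversized
// requests with 413 Request Entity Too Large, and restores the buffered body
// so the downstream handler (e.g. a WAF forwarder) can read it again.
func bodyLimitMiddleware(maxBytes int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := readLimitedBody(w, r, maxBytes)
		if err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		r.ContentLength = int64(len(body))
		next.ServeHTTP(w, r)
	})
}

// sendRequest drives the middleware with a constructed in-memory POST of
// bodySize bytes and returns the HTTP status code, so the limit can be
// exercised without a network or a real upstream.
func sendRequest(maxBytes int64, bodySize int) int {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		n, _ := io.Copy(io.Discard, r.Body)
		fmt.Fprintf(w, "read %d bytes", n)
	})
	h := bodyLimitMiddleware(maxBytes, echo)
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(strings.Repeat("a", bodySize)))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("512 B body, 1 MiB limit  ->", sendRequest(defaultMaxBodyBytes, 512))
	fmt.Println("4 KiB body, 1 KiB limit  ->", sendRequest(1024, 4096))
	fmt.Println("1 KiB body, 1 KiB limit  ->", sendRequest(1024, 1024))
}
```

Because MaxBytesReader only counts bytes actually read, a body exactly at the limit is accepted and one byte past it fails; the wrapper also signals the server to stop reading the rest of the request, so the attacker's remaining terabyte is never consumed.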
I'm not aware of any other solution (with this middleware architecture, see https://github.com/acouvreur/traefik-modsecurity-plugin/issues/2#issuecomment-1205788329).