nogiiihhmk
commented
2 months ago Please check all relaxation types of more complex type against this issue. I assume this issue is also happening for cmdinjection and all the corresponding json, xml checks.
Terraform Core Version
Terraform v1.9.0 on darwin_arm64
citrixadc Provider Version
1.39.0
Operating system
Mac OS Sonoma 14.5 (23F79)
Affected Resource(s)
citrixadc_appfwprofile_crosssitescripting_binding
Equivalent NetScaler CLI Command
CLI for adding crossitescripting relaxation rule via GUI: bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting name "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute value -isValueRegex NOTREGEX -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
CLI for changing that crossitescripting relaxation rule via GUI: unbind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -location FORMFIELD -location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD -valueType Attribute value -RuleType ALLOW "bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting namexxx "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute valuexxx -isValueRegex NOTREGEX -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -resourceId 8cd78c2da17fd13cd7d21d0006bfd9b705c73fe4a95d32f28fc8fbe6e2289ea4 -RuleType ALLOW
What terrraform does when adding a crossitescripting relaxation rule: bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting name "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute value -isValueRegex NOTREGEX -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
What terrraform does when chaning a crossitescripting relaxation rule: Jul 3 14:50:22 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : default API CMD_EXECUTED 23602308 0 : User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Command "bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting namexxx "https://urlxxx" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute valuexxx -isValueRegex NOTREGEX -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW" - Status "Success"
Jul 3 14:50:22 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : default API CMD_EXECUTED 23602336 0 : User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Command "unbind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -location FORMFIELD -location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD -RuleType ALLOW" - Status "ERROR: No such CrossSiteScripting check"
Jul 3 14:50:23 172.31.3.151 07/03/2024:12:50:23 GMT vacnstfi31 0-PPE-0 : default SNMP TRAP_SENT 0 0 : netScalerConfigChange (nsUserName = "svc_adc_terraform", configurationCmd = "unbind appfw profile appfw-profile-tf-tfi-fbt-...", authorizationStatus = authorized, commandExecutionStatus = failed, nsClientIPAddr = 172.31.120.161, commandFailureReason = "ERROR: No such CrossSiteScripting check", nsPartitionName = default)
--> terraform log: │ Error: [INFO] delete failed: 599 Netscaler specific error ({ "errorcode": 3128, "message": "No such CrossSiteScripting check", "severity": "ERROR" })
In nitro.log: Jul 3 14:52:37 vacnstfi31 httpd: [23369] Netscaler_ip 172.31.3.151 - User svc_adc_terraform -ADM_User NONE - Remote_ip 172.31.120.161 - Method DELETE - Command { "params": { "filter": [ ], "format": "json" } }{ "appfwprofile_crosssitescripting_binding": { "name": "appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf", "crosssitescripting": "name", "formactionurl": "https:\/\/url", "location": "FORMFIELD" } }
Jul 3 14:52:37 vacnstfi31 httpd: [23369] Netscaler_ip 172.31.3.151 - User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Method DELETE - Command { "params": { "filter": [ ], "format": "json" } }{ "appfwprofile_crosssitescripting_binding": { "name": "appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf", "crosssitescripting": "name", "formactionurl": "https:\/\/url", "location": "FORMFIELD" } } - Status "{ "errorcode": 3128, "message": "No such CrossSiteScripting check", "severity": "ERROR" }"
Expected Behavior
Just like with my previous bug. When changing a value in a CrossSiteScripting relaxation rule via terraform I expect that there is a rule reflecting the new value, and not the old value.
Actual Behavior
What I see is that after changing a rule both the old and the new rule is bound to the waf. Deletion (unbind) is not working because there is an issue with setting sufficent parameters for deletion.
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
waf/main.tf snippet:
crosssitescripting
_resource "citrixadc_appfwprofile_crosssitescripting_binding" "this" { for_each = { for r in var.crosssitescripting.rules : r.crosssitescripting => r }
name = citrixadc_appfwprofile.this.name crosssitescripting = each.value.crosssitescripting isregex_xss = each.value.isregex_xss formactionurl_xss = each.value.formactionurl_xss as_scan_location_xss = each.value.as_scan_location_xss as_value_type_xss = each.value.as_value_type_xss as_value_expr_xss = each.value.as_value_expr_xss isvalueregex_xss = each.value.isvalueregexxss comment = each.value.comment state = each.value.state }
variables.tf snippet: _# crosssitescripting variable "crosssitescripting" { type = object({ options = optional(object({ enabled = optional(bool, true) actions = optional(list(string), ["block", "log", "stats", "learn"]) crosssitescriptingtransformunsafehtml = optional(string, "OFF") crosssitescriptingcheckcompleteurls = optional(string, "OFF") }), {}) rules = list(object({ crosssitescripting = string # The web form field name. isregex_xss = optional(string, "NOTREGEX") #Is the web form field name a regular expression?. Possible values: [ REGEX, NOTREGEX ] formactionurl_xss = string # The web form action URL. as_scan_location_xss = optional(string, "FORMFIELD") # (Optional) Location of cross-site scripting exception - form field, header, cookie or URL. Possible values: [ FORMFIELD, HEADER, COOKIE, URL ] as_value_type_xss = optional(string, null) # Optional) The web form value type. Possible values: [ Tag, Attribute, Pattern ] as_value_expr_xss = optional(string, "") # (Optional) The web form value expression. isvalueregex_xss = optional(string, "NOTREGEX") # (Optional) Is the web form field value a regular expression?. Possible values: [ REGEX, NOTREGEX ] comment = optional(string, "") state = optional(string, "ENABLED") })) }) description = "crosssitescripting settings and relaxations."
validation { error_message = "action for crosssitescripting can only contain block and or log and or stats and or learn." condition = alltrue([for a in var.crosssitescripting.options.actions : contains(["block", "log", "stats", "learn"], a)]) } validation { errormessage = "enabled can only be ENABLED or DISABLED for all rules." condition = alltrue([ for r in var.crosssitescripting.rules : contains(["ENABLED", "DISABLED"], r.state) ]) } }
Steps to Reproduce
do some initial deployment of citrixadc_appfwprofile_crosssitescripting_binding. Then apply and change values in tf for that ressource. You will see what is being described in Actual Behavior
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response