corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Response headers leakage during block in phase 4 #147

Open romko11l opened 2 months ago

romko11l commented 2 months ago

The Coraza module for Caddy passes response headers, even if it should not give the response to the user.

Example of a protected backend:

package main

import (
    "fmt"
    "log"
    "net/http"
)

// example sets a custom response header and returns a body that the
// phase-4 rule in the Caddyfile below is meant to block.
func example(w http.ResponseWriter, req *http.Request) {
    res := `
#! /usr/bin/python3

a = 2
b = 3
c = a + b
print(c)
`
    w.Header().Add("X-romko11l", "123")
    log.Println(123)
    // Fprint rather than Fprintf: res is data, not a format string.
    fmt.Fprint(w, res)
}

func main() {
    http.HandleFunc("/", example)
    log.Fatal(http.ListenAndServe(":8090", nil))
}

Caddyfile:

{
    order coraza_waf first
}

:8080 {
    coraza_waf {
        load_owasp_crs
        directives `
          SecRule RESPONSE_BODY "@rx ^#\!\s?/"  "id:1,phase:4,deny,log,t:none"
          SecResponseBodyMimeType text/plain
          SecResponseBodyAccess On
          SecRuleEngine On
        `
    }

    reverse_proxy 0.0.0.0:8090
}

Coraza-caddy does not pass the response body, but it passes the response headers:

curl -vvv http://127.0.0.1:8080
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain; charset=utf-8
< Date: Mon, 06 May 2024 10:40:51 GMT
< Server: Caddy
< X-Romko11l: 123 <------- leaked header
< Content-Length: 0
< 
* Connection #0 to host 127.0.0.1 left intact

Steps to reproduce:

  1. Start protected backend.
  2. Start Caddy server with the provided Caddyfile configuration.
  3. Send a request:
    curl -vvv http://127.0.0.1:8080
  4. Check the response header :)

Expected Behavior: Caddy server should not pass response headers from backend.

Actual Behavior: Caddy server passes response headers from backend.

Additional Information:
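A minimal illustration, added here and not part of coraza-caddy or of the reporter's code, of the buffering that avoids this kind of leak: the backend's headers, status and body are held in memory until the body has been inspected, and a deny in the body phase sends only the interruption response, so no backend header ever reaches the client. `Guard`, `bufferedWriter` and `Probe` are names chosen for this example; the backend handler and the regular expression are modelled on the Go server and the SecRule in the report above, and `?safe=1` is a constructed switch for the allowed case.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// bodyPattern mirrors the phase-4 rule in the Caddyfile above: deny when the
// response body starts with a shebang line.
var bodyPattern = regexp.MustCompile(`^#!\s?/`)

// bufferedWriter is an http.ResponseWriter that holds the backend's headers,
// status and body in memory instead of sending them to the client.
type bufferedWriter struct {
	header http.Header
	status int
	body   bytes.Buffer
}

func newBufferedWriter() *bufferedWriter {
	return &bufferedWriter{header: make(http.Header), status: http.StatusOK}
}

func (b *bufferedWriter) Header() http.Header         { return b.header }
func (b *bufferedWriter) WriteHeader(code int)        { b.status = code }
func (b *bufferedWriter) Write(p []byte) (int, error) { return b.body.Write(p) }

// Guard (hypothetical name) wraps a backend handler. The backend writes only
// into the buffer; nothing reaches the real ResponseWriter until the body has
// been inspected, so a deny in the body phase cannot leak backend headers.
func Guard(backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		buf := newBufferedWriter()
		backend.ServeHTTP(buf, r)

		if bodyPattern.Match(buf.body.Bytes()) {
			// Blocked: the client gets the interruption response only.
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		// Allowed: replay headers, then status, then body, in that order.
		for k, v := range buf.header {
			w.Header()[k] = v
		}
		w.WriteHeader(buf.status)
		_, _ = w.Write(buf.body.Bytes())
	})
}

// backend is a constructed stand-in for the issue's test server: it always
// sets a custom header and, unless ?safe=1 is given, a body that trips the rule.
func backend(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-romko11l", "123")
	if r.URL.Query().Get("safe") == "1" {
		fmt.Fprint(w, "hello\n")
		return
	}
	fmt.Fprint(w, "#! /usr/bin/python3\nprint(2 + 3)\n")
}

// Probe sends one in-process request through Guard and reports the status
// the client would see and whether the backend's header reached the client.
func Probe(path string) (status int, headerLeaked bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	Guard(http.HandlerFunc(backend)).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-romko11l") != ""
}

func main() {
	for _, p := range []string{"/", "/?safe=1"} {
		status, leaked := Probe(p)
		fmt.Printf("%-8s status=%d backend-header-visible=%v\n", p, status, leaked)
	}
}
```

`go run` prints a 403 with no backend header for `/` and a 200 with the header for `/?safe=1`. The ordering in the allowed branch is the point: headers are copied before `WriteHeader`, because once the status line is sent no header can be withheld. A production proxy would additionally cap the buffered size (the counterpart of SecResponseBodyLimit) and fall back to streaming beyond it.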

M4tteoP commented 2 months ago

Hi @romko11l, thanks a lot for the detailed report. I managed to reproduce it and propose an initial fix: https://github.com/corazawaf/coraza/pull/1062. Any feedback is welcomed. After being merged, we will have to port the fix also to coraza-caddy.