Please release a new version of this module. It currently uses https://github.com/corazawaf/coraza at commit 8b909c7fc.
This commit in that repo was released on January 17; the last release in this repo was on January 19.
This commit in corazawaf/coraza has a bug that causes it to crash on some inputs:
May 24 21:01:12 delbgp caddy[798842]: panic: runtime error: slice bounds out of range [177:0]
May 24 21:01:12 delbgp caddy[798842]: goroutine 52252 [running]:
May 24 21:01:12 delbgp caddy[798842]: github.com/corazawaf/coraza/v3/internal/corazawaf.(*bodyBufferReader).Read(0xc000f7c6f0, {0xc00044a000?, 0xa6?, 0x41786d?})
May 24 21:01:12 delbgp caddy[798842]: github.com/corazawaf/coraza/v3@v3.0.0-20230117071831-8b909c7fc345/internal/corazawaf/body_buffer.go:98 +0x139
May 24 21:01:12 delbgp caddy[798842]: io.discard.ReadFrom({}, {0x260ada0, 0xc000f7c6f0})
May 24 21:01:12 delbgp caddy[798842]: io/io.go:651 +0x72
May 24 21:01:12 delbgp caddy[798842]: io.copyBuffer({0x26139a0, 0x36c5ae0}, {0x260ada0, 0xc000f7c6f0}, {0xc0008c0000, 0x8000, 0x8000})
May 24 21:01:12 delbgp caddy[798842]: io/io.go:413 +0x14b
May 24 21:01:12 delbgp caddy[798842]: io.(*multiReader).writeToWithBuffer(0xc000c3e1f8, {0x26139a0, 0x36c5ae0}, {0xc0008c0000, 0x8000, 0x8000})
May 24 21:01:12 delbgp caddy[798842]: io/multi.go:54 +0xe5
May 24 21:01:12 delbgp caddy[798842]: io.(*multiReader).WriteTo(0x1fa9120?, {0x26139a0, 0x36c5ae0})
May 24 21:01:12 delbgp caddy[798842]: io/multi.go:45 +0x56
May 24 21:01:12 delbgp caddy[798842]: io.copyBuffer({0x26139a0, 0x36c5ae0}, {0x7fb28b212b38, 0xc0011151d0}, {0x0, 0x0, 0x0})
May 24 21:01:12 delbgp caddy[798842]: io/io.go:409 +0x16e
May 24 21:01:12 delbgp caddy[798842]: io.Copy(...)
May 24 21:01:12 delbgp caddy[798842]: io/io.go:386
May 24 21:01:12 delbgp caddy[798842]: net/http.(*transferWriter).doBodyCopy(0xc0007ee140, {0x26139a0?, 0x36c5ae0?}, {0x7fb28b212b38?, 0xc0011151d0?})
May 24 21:01:12 delbgp caddy[798842]: net/http/transfer.go:412 +0x4d
May 24 21:01:12 delbgp caddy[798842]: net/http.(*transferWriter).writeBody(0xc0007ee140, {0x26094a0, 0xc00067de00})
May 24 21:01:12 delbgp caddy[798842]: net/http/transfer.go:375 +0x428
May 24 21:01:12 delbgp caddy[798842]: net/http.(*Request).write(0xc001087a00, {0x26094a0, 0xc00067de00}, 0x0, 0x0, 0x0)
May 24 21:01:12 delbgp caddy[798842]: net/http/request.go:705 +0xb46
May 24 21:01:12 delbgp caddy[798842]: net/http.(*persistConn).writeLoop(0xc0006399e0)
May 24 21:01:12 delbgp caddy[798842]: net/http/transport.go:2413 +0x171
May 24 21:01:12 delbgp caddy[798842]: created by net/http.(*Transport).dialConn
May 24 21:01:12 delbgp caddy[798842]: net/http/transport.go:1766 +0x173d
May 24 21:01:12 delbgp systemd[1]: caddy.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 24 21:01:12 delbgp systemd[1]: caddy.service: Failed with result 'exit-code'.
May 24 21:01:12 delbgp systemd[1]: caddy.service: Consumed 6.991s CPU time.
The read method in that commit and in the most recent commit looks almost the same. I tried running fuzzers on the new code and the old code for a few minutes and couldn't find a valid input that breaks this code, and I'll try running the fuzzer overnight again.
For now, please consider releasing a new version of this module which uses an updated version of corazawaf/coraza. Thanks!
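The trace above shows the panic raised inside `Read` on net/http's transport write goroutine, where an unrecovered panic ends the whole process (hence the systemd exit). As an added illustration, not code from this issue, Caddy, or coraza, a wrapper can turn such a panic into an ordinary read error; `brokenReader` and `guardedReader` are hypothetical names, and the broken reader is a constructed stand-in, not the actual bug.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// brokenReader is a constructed stand-in, NOT coraza's code: a stale offset
// past the end of the buffer reproduces the same class of panic.
type brokenReader struct {
	data []byte
	pos  int
}

func (b *brokenReader) Read(p []byte) (int, error) {
	rest := b.data[b.pos:] // panics when pos > len(data)
	if len(rest) == 0 {
		return 0, io.EOF
	}
	n := copy(p, rest)
	b.pos += n
	return n, nil
}

var errBadCount = errors.New("reader returned an invalid byte count")

// guardedReader (hypothetical name) turns a panic or a contract violation in
// the wrapped Read into an ordinary error the caller can handle.
type guardedReader struct{ r io.Reader }

func (g guardedReader) Read(p []byte) (n int, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			n, err = 0, fmt.Errorf("body reader panicked: %v", rec)
		}
	}()
	n, err = g.r.Read(p)
	if n < 0 || n > len(p) {
		return 0, errBadCount
	}
	return n, err
}

// drain copies r to io.Discard, the same io.Copy path seen in the trace.
func drain(r io.Reader) (int64, error) { return io.Copy(io.Discard, r) }

func main() {
	n, err := drain(guardedReader{r: &brokenReader{pos: 177}})
	fmt.Println(n, err)
}
```

With the guard in place the failed read surfaces as a request error instead of a process exit; it contains the crash but does not fix the underlying offset bug.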