corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0
290 stars 35 forks

Requesting release of a new version #64

Closed ishanjain28 closed 1 year ago

ishanjain28 commented 1 year ago

Please release a new version of this module. It currently uses https://github.com/corazawaf/coraza commit id 8b909c7fc. This commit in that repo was released on January 17; the last release in this repo was on January 19.

This commit in corazawaf/coraza has a bug because of which it crashes on some inputs.

May 24 21:01:12 delbgp caddy[798842]: panic: runtime error: slice bounds out of range [177:0]
May 24 21:01:12 delbgp caddy[798842]: goroutine 52252 [running]:
May 24 21:01:12 delbgp caddy[798842]: github.com/corazawaf/coraza/v3/internal/corazawaf.(*bodyBufferReader).Read(0xc000f7c6f0, {0xc00044a000?, 0xa6?, 0x41786d?})
May 24 21:01:12 delbgp caddy[798842]:         github.com/corazawaf/coraza/v3@v3.0.0-20230117071831-8b909c7fc345/internal/corazawaf/body_buffer.go:98 +0x139
May 24 21:01:12 delbgp caddy[798842]: io.discard.ReadFrom({}, {0x260ada0, 0xc000f7c6f0})
May 24 21:01:12 delbgp caddy[798842]:         io/io.go:651 +0x72
May 24 21:01:12 delbgp caddy[798842]: io.copyBuffer({0x26139a0, 0x36c5ae0}, {0x260ada0, 0xc000f7c6f0}, {0xc0008c0000, 0x8000, 0x8000})
May 24 21:01:12 delbgp caddy[798842]:         io/io.go:413 +0x14b
May 24 21:01:12 delbgp caddy[798842]: io.(*multiReader).writeToWithBuffer(0xc000c3e1f8, {0x26139a0, 0x36c5ae0}, {0xc0008c0000, 0x8000, 0x8000})
May 24 21:01:12 delbgp caddy[798842]:         io/multi.go:54 +0xe5
May 24 21:01:12 delbgp caddy[798842]: io.(*multiReader).WriteTo(0x1fa9120?, {0x26139a0, 0x36c5ae0})
May 24 21:01:12 delbgp caddy[798842]:         io/multi.go:45 +0x56
May 24 21:01:12 delbgp caddy[798842]: io.copyBuffer({0x26139a0, 0x36c5ae0}, {0x7fb28b212b38, 0xc0011151d0}, {0x0, 0x0, 0x0})
May 24 21:01:12 delbgp caddy[798842]:         io/io.go:409 +0x16e
May 24 21:01:12 delbgp caddy[798842]: io.Copy(...)
May 24 21:01:12 delbgp caddy[798842]:         io/io.go:386
May 24 21:01:12 delbgp caddy[798842]: net/http.(*transferWriter).doBodyCopy(0xc0007ee140, {0x26139a0?, 0x36c5ae0?}, {0x7fb28b212b38?, 0xc0011151d0?})
May 24 21:01:12 delbgp caddy[798842]:         net/http/transfer.go:412 +0x4d
May 24 21:01:12 delbgp caddy[798842]: net/http.(*transferWriter).writeBody(0xc0007ee140, {0x26094a0, 0xc00067de00})
May 24 21:01:12 delbgp caddy[798842]:         net/http/transfer.go:375 +0x428
May 24 21:01:12 delbgp caddy[798842]: net/http.(*Request).write(0xc001087a00, {0x26094a0, 0xc00067de00}, 0x0, 0x0, 0x0)
May 24 21:01:12 delbgp caddy[798842]:         net/http/request.go:705 +0xb46
May 24 21:01:12 delbgp caddy[798842]: net/http.(*persistConn).writeLoop(0xc0006399e0)
May 24 21:01:12 delbgp caddy[798842]:         net/http/transport.go:2413 +0x171
May 24 21:01:12 delbgp caddy[798842]: created by net/http.(*Transport).dialConn
May 24 21:01:12 delbgp caddy[798842]:         net/http/transport.go:1766 +0x173d
May 24 21:01:12 delbgp systemd[1]: caddy.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 24 21:01:12 delbgp systemd[1]: caddy.service: Failed with result 'exit-code'.
May 24 21:01:12 delbgp systemd[1]: caddy.service: Consumed 6.991s CPU time.

The Read method in that commit and in the most recent commit look almost the same. I tried running fuzzers on the new code and the old code for a few minutes and couldn't find a valid input that will break this code; I'll try running the fuzzer overnight again.

For now, please consider releasing a new version of this module which uses an updated version of corazawaf/coraza. Thanks!
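The panic above is `slice bounds out of range [177:0]`: a reader sliced its backing buffer at offset 177 after that buffer had shrunk to length 0. The following is an added example, not code from coraza or coraza-caddy, of a hypothetical reader with that bug class beside the guarded variant, wrapped in a driver that can double as a Go fuzz target body; the `bufReader` type, `drainAfterReset` function and the truncation step are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// bufReader is a hypothetical reader over a shared request-body buffer. It
// keeps its own offset, so if the buffer's owner truncates the buffer after
// some bytes were read, pos can exceed len(*buf). With checked=false the
// unguarded slice reproduces the panic class from the issue; checked=true errors.
type bufReader struct {
	buf     *[]byte
	pos     int
	checked bool
}

var errStaleOffset = errors.New("body buffer shrank below reader offset")

func (r *bufReader) Read(p []byte) (int, error) {
	if r.checked && r.pos > len(*r.buf) {
		return 0, errStaleOffset
	}
	if r.pos == len(*r.buf) {
		return 0, io.EOF
	}
	n := copy(p, (*r.buf)[r.pos:]) // panics "slice bounds out of range [pos:len]" when unchecked
	r.pos += n
	return n, nil
}

// drainAfterReset reads readFirst bytes, truncates the buffer (as a consumed
// body buffer might be), then drains the reader with io.Copy as net/http does.
// A runtime panic is converted into an error so the function can serve as a fuzz target body.
func drainAfterReset(body []byte, readFirst int, checked bool) (err error) {
	defer func() {
		if rec := recover(); rec != nil {
			err = fmt.Errorf("panic: %v", rec)
		}
	}()
	buf := append([]byte(nil), body...) // private copy of the constructed input
	r := &bufReader{buf: &buf, checked: checked}
	if _, e := io.ReadFull(r, make([]byte, readFirst)); e != nil {
		return e
	}
	buf = buf[:0] // the owner truncates the shared buffer
	_, err = io.Copy(io.Discard, r)
	return err
}
```

A `testing.F` fuzz function that calls `drainAfterReset(data, int(n)%len(data), false)` and fails on any returned error beginning with "panic:" is the shape of harness the comment above describes running against the Read method.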

jcchavezs commented 1 year ago

Done: https://github.com/corazawaf/coraza-caddy/releases/tag/v2.0.0-rc.1. Please do try it; all feedback is more than welcome.