corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0
101 stars, 23 forks

May lead to memory leak and poor performance #219

Open islamyakin opened 1 year ago

islamyakin commented 1 year ago

I have installed coraza-proxy-wasm on Envoy 1.27. I built it with Go version 1.20 and TinyGo 0.28, but I have a blocking error:

```
[2023-08-10 16:17:37.729][81856][error][wasm] [source/extensions/common/wasm/context.cc:1154] wasm log coraza-filter my_vm_id: GC Warning: Out of Memory! Heap size: 830 MiB. Returning NULL!
[2023-08-10 16:17:37.729][81856][info][wasm] [source/extensions/common/wasm/context.cc:1148] wasm log coraza-filter my_vm_id: panic: out of memory
[2023-08-10 16:17:37.729][81856][error][wasm] [source/extensions/common/wasm/wasm_vm.cc:38] Function: proxy_on_response_body failed: Uncaught RuntimeError: unreachable
Proxy-Wasm plugin in-VM backtrace:
  0: 0xa3d25 - runtime._panic
  1: 0xb40d9 - (bytes.Buffer).grow
  2: 0xb1b41 - (bytes.Buffer).Write
  3: 0xb21c0 - (*github.com/corazawaf/coraza/v3/internal/corazawaf.BodyBuffer).Write
  4: 0x1d71ce - proxy_on_response_body
```

Config (envoy.yaml):

```yaml
"directives_map": {
                                  "rs1": [
                                    "Include @recommended-conf",
                                    "Include @crs-setup-conf",
                                    "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:5,log,auditlog,pass\"",
                                    "SecDebugLogLevel 3",
                                    "Include @owasp_crs/*.conf",
                                    "SecRule REQUEST_URI \"@streq /.git\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""
                                  ],
                                  "rs2": [
                                    "Include @demo-conf",
                                    "Include @crs-setup-demo-conf",
                                    "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:5,log,auditlog,pass\"",
                                    "SecDebugLogLevel 3",
                                    "Include @owasp_crs/*.conf",
                                    "SecRule REQUEST_URI \"@streq /example\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""
                                  ]
                              },
                              "default_directives": "rs1",
                              "metric_labels": {
                                "owner": "coraza",
                                "identifier": "global"
                              },
                              "per_authority_directives":{
                                  "staging.example.com":"rs2",
                                  "staging.example.com":"rs2"
                              }
                            }
                        vm_config:
                          runtime: "envoy.wasm.runtime.v8"
                          vm_id: "my_vm_id"
                          code:
                            local:
                              filename: "build/coraza-proxy-wasm.wasm"
```

(screenshot attached)
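The backtrace in the report ends in `bytes.Buffer.grow` called from `BodyBuffer.Write` inside `proxy_on_response_body`: the response body is being accumulated in memory chunk by chunk until the wasm heap (830 MiB here) is exhausted and the VM traps. The defensive pattern for that failure mode is a body buffer with a hard cap, so an oversized body produces an error the filter can act on (pass or reject, by policy) instead of an out-of-memory panic. The Go block below is an added illustration of that pattern, written for this page; it is not Coraza's `BodyBuffer` or any code from coraza-proxy-wasm, and the type `BoundedBodyBuffer`, the function `StreamBody` and the sample chunks are all constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrBodyLimitExceeded is returned once a body would exceed the configured cap.
var ErrBodyLimitExceeded = errors.New("body limit exceeded")

// BoundedBodyBuffer is a hypothetical in-memory body buffer (not Coraza's
// BodyBuffer): it accumulates body chunks but refuses to grow past Limit,
// so a large or endless body cannot exhaust the heap.
type BoundedBodyBuffer struct {
	buf   bytes.Buffer
	Limit int // maximum number of bytes retained in memory
}

// Write appends chunk p. If the total would exceed Limit, nothing is written
// and ErrBodyLimitExceeded is returned; the caller decides the policy
// (stop inspecting and pass the body through, or reject the response).
func (b *BoundedBodyBuffer) Write(p []byte) (int, error) {
	if b.buf.Len()+len(p) > b.Limit {
		return 0, ErrBodyLimitExceeded
	}
	return b.buf.Write(p)
}

// Len reports how many body bytes are currently buffered.
func (b *BoundedBodyBuffer) Len() int { return b.buf.Len() }

// StreamBody feeds chunks into a bounded buffer the way a proxy filter receives
// a response body chunk by chunk. It stops at the first chunk that would exceed
// the limit and returns the number of bytes accepted plus the error, if any.
func StreamBody(limit int, chunks [][]byte) (int, error) {
	b := &BoundedBodyBuffer{Limit: limit}
	for _, c := range chunks {
		if _, err := b.Write(c); err != nil {
			return b.Len(), err
		}
	}
	return b.Len(), nil
}

func main() {
	// Constructed sample input: a 1 KiB limit fed three 512-byte chunks.
	chunks := [][]byte{
		bytes.Repeat([]byte("a"), 512),
		bytes.Repeat([]byte("b"), 512),
		bytes.Repeat([]byte("c"), 512),
	}
	n, err := StreamBody(1024, chunks)
	fmt.Println(n, err) // 1024 body limit exceeded
}
```

In a real deployment the cap is a configuration value rather than a constant; in Coraza's rule language it is the `SecResponseBodyLimit` directive, which the directive sets in this report do not set, so the default applies to whatever the upstream returns.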

jcchavezs commented 1 year ago

I see you are using two WAFs. Could you please try this branch? https://github.com/corazawaf/coraza-proxy-wasm/pull/220

islamyakin commented 1 year ago

> I see you are using two WAFs. Could you please try this branch? #220

Got another error xixixix (screenshot attached)

This is built with branch #220.

islamyakin commented 1 year ago

This happens when opening it in an incognito window in a browser, for example Chrome and Firefox.