corazawaf / coraza-spoa

EXPERIMENTAL: A wrapper around the OWASP Coraza WAF for HAProxy's SPOE filters
Apache License 2.0
87 stars 18 forks source link

Runtime error checking header user-agent #95

Closed jvinolas closed 1 year ago

jvinolas commented 1 year ago

When I apply this exception:

SecRule REQUEST_HEADERS:User-Agent "@beginsWith myappi-sdk-go" \
   "id:1300,\
   phase:2,\
   pass,\
   nolog,\
   ctl:ruleRemoveTargetById=932237;REQUEST_HEADERS:User-Agent,\
   ctl:ruleRemoveByTag=attack-disclosure"

there is a runtime error:

time="2023-11-11T10:19:39+01:00" level=info msg="spoe: listening on [::]:9000"
panic: runtime error: slice bounds out of range [:-1]

goroutine 175 [running]:
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Transaction).GetField(0xc003517b48?, {0x0, 0x36, 0x0, {0xc00057c980, 0xa}, {0xc00364dbf0, 0x2, 0x2}})
  /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/transaction.go:574 +0x405
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Rule).doEvaluate(0xc001aae530, 0xc003610c90?, 0xc001929800, 0xc000768ab0?, 0x0, 0x40cd45?)
  /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rule.go:234 +0xd3b
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Rule).Evaluate(...)
  /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rule.go:171
github.com/corazawaf/coraza/v3/internal/corazawaf.(*RuleGroup).Eval(0xc00021a010, 0x2, 0xc001929800)
  /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rulegroup.go:219 +0x358
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Transaction).ProcessRequestBody(0xc001929800)
  /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/transaction.go:1003 +0x3a5
github.com/corazawaf/coraza-spoa/internal.(*SPOA).processRequest(0xc001670b58?, 0xc003517248?)
  /build/internal/spoa.go:316 +0xe1a
github.com/corazawaf/coraza-spoa/internal.(*SPOA).Start.func1(0xc004c2f740)
  /build/internal/spoa.go:49 +0xc5
github.com/criteo/haproxy-spoe-go.(*conn).handleNotify(0xc004f3d180, {0x3, 0x1, 0xee9, 0x1, {0xc0037e8009, 0x3af, 0x3ff3}, {0xc0037e8000, 0x3ffc, ...}}, ...)
  /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/notify.go:109 +0xce
github.com/criteo/haproxy-spoe-go.(*conn).runWorker(0xc004f3d180, {0x3, 0x1, 0xee9, 0x1, {0xc0037e8009, 0x3af, 0x3ff3}, {0xc0037e8000, 0x3ffc, ...}}, ...)
  /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/conn.go:153 +0x6c
created by github.com/criteo/haproxy-spoe-go.(*conn).run in goroutine 237
  /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/conn.go:136 +0xaec

UPDATE: Even this rule throws error:

SecRule REQUEST_HEADERS:User-Agent "@pm myappi-sdk-go v1.5.1" \
   "id:1300,\
   phase:2,\
   pass,\
   nolog,\
   ctl:ruleRemoveTargetById=932237;REQUEST_HEADERS:User-Agent,\
   ctl:ruleRemoveByTag=attack-disclosure"
panic: runtime error: slice bounds out of range [:-1]

goroutine 13 [running]:
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Transaction).GetField(0xc001d3adf8?, {0x0, 0x36, 0x0, {0xc0001724c0, 0xa}, {0xc00174e930, 0x2, 0x2}})
    /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/transaction.go:574 +0x405
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Rule).doEvaluate(0xc0024943d8, 0xc0004fb140?, 0xc000681c00, 0xc0021bef90?, 0x0, 0x40cd45?)
    /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rule.go:234 +0xd3b
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Rule).Evaluate(...)
    /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rule.go:171
github.com/corazawaf/coraza/v3/internal/corazawaf.(*RuleGroup).Eval(0xc000206010, 0x2, 0xc000681c00)
    /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/rulegroup.go:219 +0x358
github.com/corazawaf/coraza/v3/internal/corazawaf.(*Transaction).ProcessRequestBody(0xc000681c00)
    /go/pkg/mod/github.com/corazawaf/coraza/v3@v3.0.1/internal/corazawaf/transaction.go:1003 +0x3a5
github.com/corazawaf/coraza-spoa/internal.(*SPOA).processRequest(0xc0022ca228?, 0xc001d3a948?)
    /build/internal/spoa.go:316 +0xe1a
github.com/corazawaf/coraza-spoa/internal.(*SPOA).Start.func1(0xc0013fe0c0)
    /build/internal/spoa.go:49 +0xc5
github.com/criteo/haproxy-spoe-go.(*conn).handleNotify(0xc0016a1ae0, {0x3, 0x1, 0x142a, 0x1, {0xc0016b2009, 0x3af, 0x3ff3}, {0xc0016b2000, 0x3ffc, ...}}, ...)
    /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/notify.go:109 +0xce
github.com/criteo/haproxy-spoe-go.(*conn).runWorker(0xc0016a1ae0, {0x3, 0x1, 0x142a, 0x1, {0xc0016b2009, 0x3af, 0x3ff3}, {0xc0016b2000, 0x3ffc, ...}}, ...)
    /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/conn.go:153 +0x6c
created by github.com/criteo/haproxy-spoe-go.(*conn).run in goroutine 53
    /go/pkg/mod/github.com/criteo/haproxy-spoe-go@v1.0.6/conn.go:136 +0xaec
jvinolas commented 1 year ago

Sorry, I've seen it's a bug already fixed in coraza.