corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0
2.17k stars 212 forks

Potential Issue with Phase 2 Skipping in Coraza for Requests without Body #1154

Open dvershinin opened 3 days ago

dvershinin commented 3 days ago

I’ve encountered a behavior difference between Coraza and libmodsecurity regarding phase processing, and I’d like to clarify if this is expected behavior or possibly a bug.

```
SecRule ARGS:test "@streq <some string>" "id:12345,msg:'Custom WAF: Testing custom ruleset||User:%{PATH_INFO}||T:NGINX||',phase:2,deny,log,status:406,t:none,t:lowercase,severity:2,tag:'custom_tag'"
```

Here's the context: When sending a form with the parameter test=<some string>, the request includes the Content-Type header, and the rule triggers correctly in phase 2 in Coraza, as expected.

However, in libmodsecurity, the same rule seems to trigger in phase 2 for both POST and GET requests, regardless of whether the request body exists. This means that in libmodsecurity, one rule covers both cases (with and without a body), while in Coraza, the rule only works when there is a request body (like in POST requests).

The documentation I’ve reviewed doesn’t suggest that phases should be entirely skipped if certain conditions (such as the absence of a request body) aren't met. My understanding of the concept of "phases" is that they represent processing stages that the request should always pass through, even if no actions are taken in a particular phase. However, in Coraza, it seems that phase 2 is being completely skipped if there is no request body.

This raises the question: Is this behavior by design in Coraza, or could this be a bug? Shouldn’t phase 2 still be processed, even if there’s no body, as it is in libmodsecurity?

jcchavezs commented 3 days ago

Hi @dvershinin, thanks for coming by. Where are you seeing this behavior? Is it the Coraza HTTP connector?

Long story short, rules that are designed to be triggered in phase 2 will be triggered in phase 2 (unless the `coraza.rule.multiphase_evaluation` build tag is passed). However, depending on the connector, the bug might be that the connector skips the phase 2 evaluation if there is no body, which shouldn't be the case.
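To make the connector-side failure mode discussed above concrete, here is an added, self-contained Go model of the phase flow. It is not Coraza's code and not the HTTP connector's: `Transaction`, `Rule`, `Interruption` and `inspect` are toy types written for this illustration, and the matched value `waf-test` stands in for the `<some string>` of the issue's rule. The model captures why an `ARGS:test` rule has to live in phase 2 (ARGS is only complete once the body has been parsed) and shows that a connector which only calls the body phase when a body is present never evaluates that rule for a `GET /?test=...`, while a connector that always drives phase 2 denies both the GET and the POST form.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Phase numbers as used by the SecRule language (phase:1 request headers, phase:2 request body).
const (
	PhaseRequestHeaders = 1
	PhaseRequestBody    = 2
)

// Rule is a hypothetical reduced model of a SecRule: it fires when one of the ARGS
// values for ArgKey, after t:lowercase, string-equals Value (@streq). Not Coraza's type.
type Rule struct {
	ID, Phase, Status int
	ArgKey, Value     string
}

// Interruption names the denying rule and status (assumed shape, not Coraza's struct).
type Interruption struct {
	RuleID, Status int
}

// Transaction is a toy stand-in for a WAF transaction. ARGS (ARGS_GET + ARGS_POST)
// is only complete after the body is parsed, which is why ARGS rules belong to phase 2.
type Transaction struct {
	rules     []Rule
	args      url.Values
	phasesRun []int
}

func NewTransaction(rules []Rule) *Transaction {
	return &Transaction{rules: rules, args: url.Values{}}
}

// ProcessURI collects ARGS_GET from the query string.
func (tx *Transaction) ProcessURI(rawURI string) error {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return err
	}
	for k, vs := range u.Query() {
		tx.args[k] = append(tx.args[k], vs...)
	}
	return nil
}

// ProcessRequestHeaders evaluates phase 1.
func (tx *Transaction) ProcessRequestHeaders() *Interruption {
	return tx.runPhase(PhaseRequestHeaders)
}

// ProcessRequestBody adds ARGS_POST from a urlencoded form body, if there is one,
// and then evaluates phase 2. Phase 2 runs whether or not a body exists.
func (tx *Transaction) ProcessRequestBody(contentType string, body io.Reader) (*Interruption, error) {
	if body != nil && strings.HasPrefix(contentType, "application/x-www-form-urlencoded") {
		raw, err := io.ReadAll(body)
		if err != nil {
			return nil, err
		}
		form, err := url.ParseQuery(string(raw))
		if err != nil {
			return nil, err
		}
		for k, vs := range form {
			tx.args[k] = append(tx.args[k], vs...)
		}
	}
	return tx.runPhase(PhaseRequestBody), nil
}

// Phases reports which phases were evaluated, in order.
func (tx *Transaction) Phases() []int { return tx.phasesRun }

func (tx *Transaction) runPhase(phase int) *Interruption {
	tx.phasesRun = append(tx.phasesRun, phase)
	for _, r := range tx.rules {
		if r.Phase != phase {
			continue
		}
		for _, v := range tx.args[r.ArgKey] {
			if strings.ToLower(v) == r.Value { // t:lowercase, then @streq
				return &Interruption{RuleID: r.ID, Status: r.Status}
			}
		}
	}
	return nil
}

// inspect models a connector driving the transaction. skipEmptyBody=true reproduces the
// suspected defect (phase 2 only when a body is present); false is the correct flow,
// where every request passes through phase 2 even if there is nothing to read.
func inspect(tx *Transaction, r *http.Request, skipEmptyBody bool) (*Interruption, error) {
	if err := tx.ProcessURI(r.URL.RequestURI()); err != nil {
		return nil, err
	}
	if it := tx.ProcessRequestHeaders(); it != nil {
		return it, nil
	}
	if skipEmptyBody && r.ContentLength == 0 {
		return nil, nil // BUG: phase 2 never runs for body-less requests
	}
	return tx.ProcessRequestBody(r.Header.Get("Content-Type"), r.Body)
}

// IssueRule mirrors the issue's rule (id 12345, phase 2, ARGS:test, status 406);
// "waf-test" is a constructed placeholder for the elided string.
var IssueRule = Rule{ID: 12345, Phase: PhaseRequestBody, Status: 406, ArgKey: "test", Value: "waf-test"}

func main() {
	get, _ := http.NewRequest(http.MethodGet, "http://example.test/?test=WAF-Test", nil)
	for _, skip := range []bool{true, false} {
		tx := NewTransaction([]Rule{IssueRule})
		it, _ := inspect(tx, get, skip)
		fmt.Printf("skipEmptyBody=%-5v phases=%v denied=%v\n", skip, tx.Phases(), it != nil)
	}
}
```

The check a practitioner would apply to a real deployment is the same one the model encodes: send `GET /?test=<value>` with no body and confirm that the phase 2 rule denies it; if only the form POST is denied, the connector is not driving the request body phase for body-less requests.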