corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0

Coraza WAF SecResponseBodyLimit Bug: Incomplete Response Handling #891

Closed peasfarmer closed 11 months ago

peasfarmer commented 1 year ago

Description

I'm encountering an issue with the Coraza WAF. When I set the SecResponseBodyLimit to 100K and also set SecResponseBodyLimitAction to ProcessPartial, I expected the WAF to check only the first 100K of the response and send the complete body to the client when the response is large. However, I observed that Coraza WAF is only sending 100K to the client and not delivering the exceeding portion. Similarly, I've also encountered a problem with the SecRequestBodyLimitAction parameter.

Steps to reproduce

  1. Configure Coraza WAF with SecResponseBodyLimit set to 100K and SecResponseBodyLimitAction set to ProcessPartial.
  2. Trigger a request that generates a response larger than 100K.

Expected result

The expected behavior is that Coraza WAF should process only the first 100K of the response content but still deliver the complete body to the client when the response is larger.

Actual result

The actual result is that Coraza WAF restricts the response to 100K and does not provide the exceeding portion to the client.
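The split of duties the report expects, as an added Go model that is not Coraza's own implementation: the rule engine buffers at most SecResponseBodyLimit bytes, and under ProcessPartial the proxy still forwards every byte to the client, while Reject stops the stream once the limit would be exceeded. The type limitedInspector, the function runScenario and the constructed all-"A" body are assumptions for the illustration only.

```go
package main

import (
	"bytes"
	"errors"
	"io"
)

// Action mirrors the two values of SecResponseBodyLimitAction.
type Action int

const (
	ProcessPartial Action = iota // inspect only the first limit bytes, forward everything
	Reject                       // stop forwarding once the limit would be exceeded
)

var ErrBodyTooLarge = errors.New("response body exceeds SecResponseBodyLimit")

// limitedInspector (hypothetical, not Coraza's code) models the expected split:
// the rule engine sees at most limit bytes, dst (the client) receives every byte.
type limitedInspector struct {
	dst     io.Writer    // client side
	inspect bytes.Buffer // what the rule engine may examine
	limit   int          // SecResponseBodyLimit
	action  Action       // SecResponseBodyLimitAction
	seen    int          // bytes forwarded so far
}

func (l *limitedInspector) Write(p []byte) (int, error) {
	if l.action == Reject && l.seen+len(p) > l.limit {
		return 0, ErrBodyTooLarge
	}
	// Buffer only the part of p that still fits in the inspection window.
	if room := l.limit - l.seen; room > 0 {
		if room > len(p) {
			room = len(p)
		}
		l.inspect.Write(p[:room])
	}
	l.seen += len(p)
	return l.dst.Write(p) // ProcessPartial: the whole chunk still reaches the client
}

// runScenario streams a constructed body of total bytes in chunk-sized writes
// and returns (bytes inspected, bytes delivered to the client, error).
func runScenario(total, chunk, limit int, action Action) (int, int, error) {
	var client bytes.Buffer
	li := &limitedInspector{dst: &client, limit: limit, action: action}
	// Wrapping the reader hides its WriteTo, so CopyBuffer writes chunk-sized pieces.
	src := struct{ io.Reader }{bytes.NewReader(bytes.Repeat([]byte("A"), total))}
	_, err := io.CopyBuffer(li, src, make([]byte, chunk))
	return li.inspect.Len(), client.Len(), err
}
```

With a 3000-byte body streamed in 1000-byte chunks and a 1024-byte limit, ProcessPartial inspects 1024 bytes and delivers all 3000, whereas Reject delivers only the first 1000 and then fails.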

jcchavezs commented 1 year ago

Hi @peasfarmer, thanks for coming by. I wonder which connector of coraza you are using; if it is the http one, we do check that the response body is the expected one in this test: https://github.com/corazawaf/coraza/blob/main/http/middleware_test.go#L467.

peasfarmer commented 1 year ago

I use caddy+coraza_waf; the Caddyfile is as follows:

http://xx345.test.com:80 {
    coraza_waf {
        #load_owasp_crs
        directives `
            Include rules/@coraza.conf-recommended
            Include rules/@crs-setup.conf.example
            Include rules/@owasp_crs/*.conf

            SecRuleEngine on
            SecResponseBodyLimit 1024
            SecResponseBodyLimitAction ProcessPartial
        `
    }

    reverse_proxy {
        to https://www.baidu.com
        header_up Host www.baidu.com
        header_up Accept-Encoding identity
    }
}

You can see from the screenshot that the html has no and the bytes received are much less than the Content-Length.


I'm not sure if the problem is here: https://github.com/corazawaf/coraza/blob/2624bf31de378fffc793bdc738240062f7fdf6f1/internal/corazawaf/transaction.go#L1101

peasfarmer commented 11 months ago

I'd like to know of any progress on this issue; the unavailability of the ProcessPartial option affects us quite a bit.

peasfarmer commented 11 months ago

I made a mistake: I didn't notice the configuration in Include rules/@coraza.conf-recommended. I will close this issue.

jcchavezs commented 11 months ago

Thank you!
