maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

[BUG] 1.5.3 Bouncer key does not pass regex #114

Closed LaurenceJJones closed 1 year ago

LaurenceJJones commented 1 year ago

Describe the bug 🐛 Hello from the CrowdSec team, we didn't realize you had a regex that is testing people's bouncer keys. We have increased the cipher suite so they now have = at the end. However, this is now causing an issue with your regex test.

Expected behavior 👀 Update your regex to contain the new cipher suite.

Context 🔎 Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself. If not, post your plugin configuration file (anonymize IP and secret key) and a partial log file where the error is encountered.

To Reproduce Steps to reproduce the behavior:

  1. Upgrade or install 1.5.3
  2. Generate bouncer key
  3. Insert bouncer key

LaurenceJJones commented 1 year ago

I reported on behalf of a user; here are the logs:

ERROR: CrowdsecBouncerTraefikPlugin: 2023/09/19 12:04:09 New:validateParams CrowdsecLapiKey doesn't valid this regexp: '/^[a-zA-Z0-9 !#$%!&(MISSING)'*+-.^_`|~]*$/'
time="2023-09-19T12:04:09+01:00" level=error msg="CrowdsecLapiKey doesn't valid this regexp: '/^[a-zA-Z0-9 !#$%&'*+-.^_`|~]*$/'" routerName=whoami@docker entryPointName=https

A workaround for users: you can define your own key via

cscli bouncers add mytraefik -k {RANDOM_DIGITS_HERE}

mathieuHa commented 1 year ago

Hey @LaurenceJJones,

Thanks for letting us know so shortly.

I think just adding "=" to our validation regex will do the trick.

I updated some docker-compose.local.yml to test with version 1.5.3 and plugin version 1.1.14

make run_local

I got the same validation error with a crowdsec_lapi_key='40796d93c2958f9e58345514e67740e5='

After editing the regex it seems to be working fine.

2023-09-19 19:20:05 time="2023-09-19T17:20:05Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"router-bar\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"crowdsec-bar@docker\"],\"service\":\"service-bar\",\"rule\":\"Path(`/bar`)\"},\"router-foo\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"crowdsec-foo@docker\"],\"service\":\"service-foo\",\"rule\":\"Path(`/foo`)\"}},\"services\":{\"service-bar\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.21.0.4:80\"}],\"passHostHeader\":true}},\"service-foo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.21.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"crowdsec-bar\":{\"plugin\":{\"bouncer\":{\"crowdseclapikey\":\"40796d93c2958f9e58345514e67740e5=\",\"enabled\":\"true\"}}},\"crowdsec-foo\":{\"plugin\":{\"bouncer\":{\"crowdseclapikey\":\"40796d93c2958f9e58345514e67740e5=\",\"enabled\":\"true\"}}}}},\"tcp\":{},\"udp\":{}}" providerName=docker

Our regex now contains:

reg := regexp.MustCompile("^[a-zA-Z0-9 !#$%&'*+-.^_`|~=]*$")

I will release version 1.1.15 to support 1.5.3+ out of the box.

Do you see anything we should add in the regex?

Subbeh commented 1 year ago

Adding on to this, the / character is present in LAPI keys as well and is not supported within the regex.

mathieuHa commented 1 year ago

@Subbeh Thanks for the feedback, I added the / and released v1.1.16
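
As an added example (not code from the plugin or from anyone in this thread), the Go program below runs the two character classes quoted above, plus an assumed v1.1.16 form with `/` appended, over sample keys and reports which characters each one rejects. It also shows two properties of the pattern as written: `+-.` inside the class is a range that admits `,`, and Go's `$` does not match before a trailing newline. The helper name `rejected` and all keys except the one quoted in the thread are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// The first two patterns are quoted in the thread. The third is an assumption
// about v1.1.16 ("/" appended); the thread does not show that regex.
var (
	reOriginal  = regexp.MustCompile("^[a-zA-Z0-9 !#$%&'*+-.^_`|~]*$")
	reWithEq    = regexp.MustCompile("^[a-zA-Z0-9 !#$%&'*+-.^_`|~=]*$")
	reWithSlash = regexp.MustCompile("^[a-zA-Z0-9 !#$%&'*+-.^_`|~=/]*$") // assumed
)

// rejected (hypothetical helper) returns the distinct characters of key that
// re does not accept, in order of first appearance. Naming the offending
// characters makes a validation error far easier to act on than
// "doesn't match this regexp".
func rejected(re *regexp.Regexp, key string) string {
	out := ""
	seen := map[rune]bool{}
	for _, r := range key {
		if !seen[r] && !re.MatchString(string(r)) {
			seen[r] = true
			out += string(r)
		}
	}
	return out
}

func main() {
	keys := []string{
		"40796d93c2958f9e58345514e67740e5=", // key quoted in the thread
		"aB3/xY+9zQ==",                      // constructed: contains "/", "+" and "="
		"abc,def",                           // constructed: "," is inside the +-. range
		"abc\n",                             // constructed: trailing newline
	}
	for _, k := range keys {
		fmt.Printf("%-38q original=%q withEq=%q withSlash=%q\n", k,
			rejected(reOriginal, k), rejected(reWithEq, k), rejected(reWithSlash, k))
	}
}
```
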