nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Lack of support for PATCH method #358

Closed scottybrisbane closed 6 years ago

scottybrisbane commented 7 years ago

Despite the official statement that "Naxsi filters only GET and POST requests" I have been able to perform a basic experiment observing that PUT and DELETE (as well as HEAD and OPTIONS) are filtered as expected. PATCH seems to be an exception though, and isn't filtered based on its body contents. Is this something that can be fixed?

In more detail, I modified the hex encoding rule to be MainRule "str:0x" "msg:0x, possible hex encoding" "mz:RAW_BODY|BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:DROP" id:1002; and removed a majority of the other rules. I then issued the following request: curl --request PATCH -d '{"test":"0x"}' localhost and saw Naxsi allow the request to pass to the backend. The request curl --request PATCH -d '{"test":"abc"}' localhost/0x was correctly blocked, however, indicating there is some basic support for the PATCH method.
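
As an added example (not code from this issue or from naxsi itself), the check described above generalised into a small Python probe that places the same "0x" string in the URL and in the body for each method and reports which combinations the WAF let through. The base URL, the assumption that a DROP answers with HTTP 403, and the injectable `send` callable are assumptions, not naxsi behaviour.

```python
"""Per-method WAF coverage probe, modelled on the test in this issue."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

PROBE = "0x"  # string matched by the issue's MainRule "str:0x"
METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH")
ZONES = ("url", "body")
BASE_URL = "http://localhost"  # assumed: an NGINX+naxsi instance in front of a backend
BLOCKED_STATUS = 403  # assumed: what the DeniedUrl location returns on DROP

Request = Tuple[str, str, bytes]  # (method, url, body)


def build_request(method: str, zone: str, base: str = BASE_URL) -> Request:
    """Place PROBE either in the URL path or in a JSON body (the other part stays clean)."""
    if zone == "url":
        return method, f"{base}/{PROBE}", b'{"test":"abc"}'
    return method, base, f'{{"test":"{PROBE}"}}'.encode()


def http_send(method: str, url: str, body: bytes) -> int:
    """Send one request and return the HTTP status (blocked requests raise HTTPError)."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def coverage_matrix(send: Callable[[str, str, bytes], int] = http_send,
                    blocked_status: int = BLOCKED_STATUS) -> Dict[Tuple[str, str], bool]:
    """Map (method, zone) -> True when the WAF blocked the probe in that zone."""
    matrix: Dict[Tuple[str, str], bool] = {}
    for method in METHODS:
        for zone in ZONES:
            if method == "GET" and zone == "body":
                continue  # a GET with a body is not a meaningful test case
            matrix[(method, zone)] = send(*build_request(method, zone)) == blocked_status
    return matrix


def uncovered(matrix: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    """Return the (method, zone) pairs that passed the probe through unblocked."""
    return sorted(key for key, blocked in matrix.items() if not blocked)


if __name__ == "__main__":
    for gap in uncovered(coverage_matrix()):
        print("not inspected:", gap)
```

Run it against a staging instance after a rule or naxsi upgrade; an empty list means every method is inspected in both zones.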

buixor commented 7 years ago

Yes, that sounds like a good idea :)