nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Improperly parsing JSON objects for processing. #418

Closed z0r0 closed 6 years ago

z0r0 commented 6 years ago

{"error": "ERROR_REPORT:{\"request\":{\"bar\":\"\"},\"response\":{\"bar\":[{\"schema_id\":\"foo\"}]}}"} is actually valid JSON. It's a key, with a value that's a string. Currently, Naxsi attempts to parse this string in a nested fashion, when it should not.

curl -i -s -k  -X 'POST' 'http://127.0.0.1:80/foo.php' -H 'Host:server.com' -H 'User-Agent: foobar' -H 'Content-Type: application/json; charset=UTF-8' -H 'Content-Length: 102' -d '{\"error\":\"ERROR_REPORT:{\\\"request\\\":{\\\"bar\\\":\\\"\\\"},\\\"response\\\":{\\\"bar\\\":[{\\\"schema_id\\\":\\\"foo\\\"}]}}\"}'

The following is the response:

2018/04/17 15:59:09 [error] 16293#0: *165 NAXSI_FMT: ip=127.0.0.1&server=server.com&uri=/foo.php&learning=1&vers=0.55.3&total_processed=70&total_blocked=62&block=1&zone0=BODY&id0=15&var_name0=&zone1=BODY&id1=15&var_name1=, client: 127.0.0.1, server: server.com, request: "POST /foo.php HTTP/1.1", host: "server.com"
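Added example, not naxsi's own code: a minimal C scanner that treats JSON string contents as opaque (honouring backslash escapes) when computing object/array nesting depth, beside a naive brace counter that reproduces the mis-parse described in this report. The body constant is the one from the report above; the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* The request body from this issue: one key whose value is a string that
   merely looks like nested JSON (constructed here from the report text). */
const char *ISSUE_BODY =
    "{\"error\": \"ERROR_REPORT:{\\\"request\\\":{\\\"bar\\\":\\\"\\\"},"
    "\\\"response\\\":{\\\"bar\\\":[{\\\"schema_id\\\":\\\"foo\\\"}]}}\"}";

/* Skip a JSON string beginning at s[i] == '"'. Returns the index just past
   the closing quote, or -1 if the string is unterminated. A backslash
   escapes the next character, so \" does not end the string. */
static long skip_json_string(const char *s, size_t len, size_t i) {
    if (i >= len || s[i] != '"') return -1;
    for (i++; i < len; i++) {
        if (s[i] == '\\') { i++; continue; }   /* escaped char: skip it */
        if (s[i] == '"') return (long)(i + 1);
    }
    return -1;
}

/* Correct behaviour: maximum nesting depth with string contents ignored.
   Returns -1 on an unterminated string or unbalanced brackets. */
int json_max_depth(const char *s) {
    size_t len = strlen(s), i = 0;
    int depth = 0, max = 0;
    while (i < len) {
        char c = s[i];
        if (c == '"') {
            long next = skip_json_string(s, len, i);
            if (next < 0) return -1;
            i = (size_t)next;
            continue;
        }
        if (c == '{' || c == '[') { if (++depth > max) max = depth; }
        else if (c == '}' || c == ']') { if (--depth < 0) return -1; }
        i++;
    }
    return depth == 0 ? max : -1;
}

/* Buggy behaviour for contrast: counts brackets wherever they appear,
   so braces inside a string value are mistaken for real structure. */
int brace_depth_ignoring_strings(const char *s) {
    int depth = 0, max = 0;
    for (; *s; s++) {
        if (*s == '{' || *s == '[') { if (++depth > max) max = depth; }
        else if (*s == '}' || *s == ']') { if (--depth < 0) return -1; }
    }
    return depth == 0 ? max : -1;
}
```

For the report's body the correct scanner sees depth 1 while the naive counter reports depth 5; a body such as {"a":"}"} is valid JSON with depth 1 but the naive counter rejects it as unbalanced.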

buixor commented 6 years ago

Thanks for the bug report, I'm looking into it :)

z0r0 commented 6 years ago

FILE: csp_report_body.json
----------------------------
{
    "csp-report": {
        "document-uri": "http://example.com/signup.html",
        "referrer": "",
        "blocked-uri": "http://example.com/css/style.css",
        "violated-directive": "style-src cdn.example.com",
        "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
        "disposition": "report"
    }
}
---------------------------
Execute: curl --data csp_report_body.json --header "Content-Type: application/json" http://127.0.0.1:80/foo.php

---------------------------
To test:
Paste the body in here: https://jsonlint.com/

buixor commented 6 years ago

Hello,

First of all, really sorry for the delay of my answer, I've been busy on other topics :) So, I looked a bit at the bug. The correct curl request is

curl -v --data-binary "@csp.json" --header "Content-Type: application/json" http://127.0.0.1:4242/ (else the data would simply be the filename). I did the tests locally and it is correctly parsed (for the CSP case at least).

I'm now looking at the first blob you pasted !

buixor commented 6 years ago

Hello,

I fixed the bug in https://github.com/nbs-system/naxsi/commit/2868972a00fdd950a505e88b1bcdcc75fa4ddd7b.

I just need to add some extra tests, and merge into master.

buixor commented 6 years ago

Merge request pending.