nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks source link

Valid JSON is blocked by Rule ID 15 #457

Closed Punamu closed 4 years ago

Punamu commented 5 years ago

Hi,

I have noticed, that the internal rule ID 15 blocks valid JSON bodies.

The following POST-bodies were tested on naxsi version 0.56 (nginx 1.10.3):

null, true, 1337, "some string", ["array", "of", "strings"], [{"test":123},{"test":123}]

It seems that only JSON objects like {"test":123} are passed through.

buixor commented 5 years ago

Hey @Punamu thanks for the issue, gonna have a quick look into it :)

buixor commented 5 years ago

I did some tests and can confirm the issue. I will keep you posted as soon as I have time to work on it.

In the meanwhile, if you feel diving into the json parser, feel free to do so, the code is in a separate file and rather trivial naxsi_json.c

phoenixstudiodz commented 1 year ago

Hello, I found another bug in the same file, it seems that it also cause blocking valid JSON, file was naxsi_json.c, in my case it was Number inside JSON sent from an Android app, the Number had values like 1.2E-10, it seems that the code checks only for 'e' and not 'E', the fix in my case was changing this line *(js->src + js->off) == 'e') && to *(js->src + js->off) == 'e' || *(js->src + js->off) == 'E') &&

wargio commented 1 year ago

nice find. i will fix it!

wargio commented 1 year ago

@phoenixstudiodz this has been fixed here: https://github.com/wargio/naxsi/commit/a96f12ca914ae5e5ab55845a92c49ae89ddae67b Please beware that if you are using this repo, the current code is very broken and abandoned. If you want to keep receiving support and bugfixes please use my fork/repo.

phoenixstudiodz commented 1 year ago

OK, great, Thank you @wargio