nbs-system / naxsi

NAXSI is an open-source, high-performance, low-rules-maintenance WAF for NGINX
GNU General Public License v3.0

IgnoreIP directive does not work for some IP addresses #584

Closed iseriser closed 11 months ago

iseriser commented 2 years ago

I noticed that the directive IgnoreIP "XX.XXX.XXX.XX"; works if this IP is supplied in an X-Forwarded-For header, but does not if it arrives as the remote address without an X-Forwarded-For header. It was a bad idea to treat r->connection->addr_text.data as a (const char*) inside nx_can_ignore_ip without checking its length. In my case a 0x7F byte came after the last digit, which broke the thing.

--- naxsi_runtime.c.orig    2022-02-06 19:42:59.208657012 +0100
+++ naxsi_runtime.c 2022-02-06 19:42:15.176237290 +0100
@@ -2902,14 +2902,17 @@ ngx_http_naxsi_update_current_ctx_status
     } else
 #endif
     {
-      ngx_str_t* ip = &r->connection->addr_text;
+      ngx_str_t ip;
+      ip.len  = r->connection->addr_text.len;
+      ip.data = ngx_pcalloc(r->pool, ip.len + 1);
+      memcpy(ip.data, r->connection->addr_text.data, ip.len);
       NX_DEBUG(_debug_whitelist_ignore,
                NGX_LOG_DEBUG_HTTP,
                r->connection->log,
                0,
                "XX- lookup ignore client ip: %s",
-               ip->data);
-      ignore = nx_can_ignore_ip(ip, cf) || nx_can_ignore_cidr(ip, cf);
+               ip.data);
+      ignore = nx_can_ignore_ip(&ip, cf) || nx_can_ignore_cidr(&ip, cf);
     }

     NX_DEBUG(_debug_custom_score,
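Review bot: the ngx_pcalloc result in this hunk is used without a NULL check; if the pool allocation fails, `memcpy(ip.data, r->connection->addr_text.data, ip.len);` writes through a null pointer. Add an `if (ip.data == NULL)` branch before the memcpy that fails closed (treats the client as not ignored) instead of proceeding. The zero-filled allocation of `ip.len + 1` bytes does guarantee a terminating NUL, but it only papers over the defect the description names: nx_can_ignore_ip reads ip->data as a C string without honouring ip->len. Making nx_can_ignore_ip and nx_can_ignore_cidr compare exactly ip->len bytes would fix the root cause and remove the per-request copy. The debug line could likewise print the nginx string with `%V` and `&ip` rather than `%s` and `ip.data`, so it no longer depends on NUL termination either.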
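The failure mode described in the report, as an added stand-alone illustration that is not naxsi's or nginx's code: a length-delimited string (modelled here by a hypothetical nx_str_t that mirrors ngx_str_t) is handed to a matcher that treats it as a NUL-terminated C string, so a stray 0x7F byte after the last digit makes the remote-address lookup fail while the same address copied into a NUL-terminated buffer matches. The example then shows two fixes: a length-aware comparison, and a copy into a zero-filled buffer in the spirit of the posted patch, with the allocation check the patch lacks. ignore_ip_naive, ignore_ip_len, ignore_ip_copy, the ignore_list and the sample buffers are all constructed for this example and are not naxsi identifiers.

```c
/*
 * Added example (not naxsi's or nginx's code): why passing a length-delimited
 * string to a C-string matcher breaks when the byte at data[len] is not NUL,
 * and two ways to fix it. nx_str_t, ignore_ip_naive, ignore_ip_len and
 * ignore_ip_copy are hypothetical stand-ins for ngx_str_t and nx_can_ignore_ip.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t         len;
    unsigned char *data;  /* like ngx_str_t: NOT guaranteed NUL-terminated */
} nx_str_t;

/* Hypothetical IgnoreIP list (documentation addresses from RFC 5737). */
static const char *const ignore_list[] = { "203.0.113.7", "198.51.100.2" };
#define IGNORE_COUNT (sizeof ignore_list / sizeof ignore_list[0])

/* Buggy pattern from the report: data is treated as a C string, so the
 * comparison ignores len and keeps reading until it meets a NUL byte.
 * Whatever happens to follow the address decides the match, and the read
 * can run past the buffer entirely. */
int ignore_ip_naive(const nx_str_t *ip)
{
    for (size_t i = 0; i < IGNORE_COUNT; i++)
        if (strcmp((const char *)ip->data, ignore_list[i]) == 0)
            return 1;
    return 0;
}

/* Length-aware fix: require equal lengths, then compare exactly len bytes.
 * Never reads beyond ip->data[len - 1] and needs no copy. */
int ignore_ip_len(const nx_str_t *ip)
{
    for (size_t i = 0; i < IGNORE_COUNT; i++) {
        size_t n = strlen(ignore_list[i]);
        if (n == ip->len && memcmp(ip->data, ignore_list[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Fix in the spirit of the posted patch: copy into a fresh zero-filled buffer
 * one byte longer than len so data[len] is NUL, then reuse the C-string
 * matcher. Unlike the patch, the allocation is checked and the function fails
 * closed (the client is not ignored) when it cannot allocate. */
int ignore_ip_copy(const nx_str_t *ip)
{
    nx_str_t tmp;
    tmp.len  = ip->len;
    tmp.data = calloc(ip->len + 1, 1);   /* stands in for ngx_pcalloc */
    if (tmp.data == NULL)
        return 0;
    memcpy(tmp.data, ip->data, ip->len);
    int hit = ignore_ip_naive(&tmp);
    free(tmp.data);
    return hit;
}

/* Constructed samples. remote_buf models addr_text as the reporter saw it:
 * the 11 address bytes followed by a stray 0x7F instead of a NUL, with len
 * counting only the address. xff_buf models a header value that was copied
 * into a NUL-terminated buffer, which is why the X-Forwarded-For path
 * appeared to work. other_buf is a longer address sharing the same prefix. */
static unsigned char remote_buf[] = "203.0.113.7\x7f";
static unsigned char xff_buf[]    = "203.0.113.7";
static unsigned char other_buf[]  = "203.0.113.70";

const nx_str_t remote_addr = { 11, remote_buf };
const nx_str_t xff_addr    = { 11, xff_buf };
const nx_str_t other_addr  = { 12, other_buf };

int main(void)
{
    printf("naive: remote=%d xff=%d | len: remote=%d | copy: remote=%d other=%d\n",
           ignore_ip_naive(&remote_addr), ignore_ip_naive(&xff_addr),
           ignore_ip_len(&remote_addr),
           ignore_ip_copy(&remote_addr), ignore_ip_copy(&other_addr));
    return 0;
}
```

The equal-length test in ignore_ip_len comes before the memcmp on purpose: without it, a shorter input would be compared against more bytes than it owns, which is the same over-read in a different place. The copy-based variant keeps the existing matcher but pays an allocation per request, so the length-aware comparison is the cheaper and safer of the two.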
wargio commented 2 years ago

Can you open a PR?

iseriser commented 2 years ago

Sure, in working hours.