Closed kkrupka closed 2 days ago
same issue here for similar payload
Agree, the message should explain the problem correctly.
A side note: same behavior on libmodsecurity3:
2024/03/11 18:39:54 [info] 30127#30127: *1 ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "57"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: client cancelled parse via callback return value\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "::1"] [uri "/"] [unique_id "171017879429.633491"] [ref "v125,1"], client: ::1, server: _, request: "PUT / HTTP/1.1", host: "localhost"
I also ran into this problem. Thanks to finding this GitHub issue, I was able to fix that problem. A more specific error message would be appreciated.
What also confused me at first was that the SecArgumentsLimit was not in the modsecurity.conf-recommended (I use modsecurity-crs/stable, now 3.3.4-1 and libapache2-mod-security2/stable, now 2.9.7-1+b1 amd64). According to PR https://github.com/owasp-modsecurity/ModSecurity/pull/2738 it seems that the functionality is available in earlier versions than the change being included in its corresponding modsecurity.conf-recommended.
Closed as completed via #3139.
Describe the bug
I came across the issue when I was sending data as a JSON string: sending a JSON string with a specific array length (>1000 items) leads to an HTTP status code 400 including the message "JSON parsing error: parse error: client cancelled parse via callback return value". If less than that threshold, the JSON string can be parsed.
ModSecurity for Apache/2.9.7 Apache/2.4.57 (Debian 12)
Logs and dumps
Error message in modsec_audit.log
To Reproduce
Contact resource taking a JSON string
If you remove one list item
{"param1":123456789}
from the curl above, the request works. So, instead of 1001 use 1000 items.
Expected behavior
The log statement should be more precise that SecArgumentsLimit (default 1000) is the problem, instead of stating a JSON parsing error. As SecArgumentsLimit is NOT in the modsecurity.conf by default in ModSecurity for Apache/2.9.7, it gets even more difficult. You have to add it manually.
Rule Set (please complete the following information): OWASP_CRS/3.3.5.
Additional context
The current message is misleading, at least it was to me. Especially if your array does not contain one parameter per list item. In my case it was three parameters in one list item and the issue occurred at 334 list items. So, that is a strange number and you do not immediately connect it with the limit 1000 in SecArgumentsLimit. After longer testing I reduced it to one parameter per list item and found 1000 is the limit. After that I searched for the limit 1000 anywhere and found SecArgumentsLimit.
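An added example (not code from the reporter or from the ModSecurity project) that shows why the "strange number" 334 appears: if every scalar leaf in the JSON body counts as one argument against SecArgumentsLimit (an assumption about how the JSON body processor registers ARGS, not something the thread confirms), then 334 items with three parameters each yield 1002 arguments, one over the default limit of 1000, while 1000 single-parameter items are still accepted and 1001 are refused, exactly as the report describes. The payload builder constructs test data in the shape of the report's `{"param1":123456789}` items; it does not send anything.

```python
import json

# ModSecurity's default value for SecArgumentsLimit (the thread's figure of 1000)
DEFAULT_ARGUMENTS_LIMIT = 1000


def build_payload(n_items, params_per_item=1):
    """Construct a JSON array of n_items objects, each carrying
    params_per_item scalar fields (constructed test data, mirroring the
    report's {"param1":123456789} list items)."""
    items = [
        {f"param{j + 1}": 123456789 for j in range(params_per_item)}
        for _ in range(n_items)
    ]
    return json.dumps(items)


def count_arguments(json_text):
    """Count the scalar leaf values (strings, numbers, booleans, null) in a
    JSON document, descending into nested objects and arrays.

    Assumption: the JSON body processor registers one ARGS entry per scalar
    leaf and none for the containers themselves."""
    def walk(node):
        if isinstance(node, dict):
            return sum(walk(v) for v in node.values())
        if isinstance(node, list):
            return sum(walk(v) for v in node)
        return 1
    return walk(json.loads(json_text))


def exceeds_limit(json_text, limit=DEFAULT_ARGUMENTS_LIMIT):
    """True when the body carries more arguments than the limit allows.
    Matches the report: 1000 items pass, 1001 are refused, so the check is
    strictly greater-than."""
    return count_arguments(json_text) > limit


def smallest_failing_item_count(params_per_item, limit=DEFAULT_ARGUMENTS_LIMIT):
    """Smallest number of list items that pushes the count above the limit,
    e.g. 334 for three parameters per item (334 * 3 = 1002 > 1000)."""
    return limit // params_per_item + 1


if __name__ == "__main__":
    for n_items, params in ((1000, 1), (1001, 1), (333, 3), (334, 3)):
        body = build_payload(n_items, params)
        verdict = "rejected" if exceeds_limit(body) else "accepted"
        print(f"{n_items} items x {params} params -> "
              f"{count_arguments(body)} args, {verdict}")
```

Running the script prints the four cases side by side, so a body that trips the limit can be recognised from its argument count before the only clue is the "client cancelled parse via callback return value" message. When raising the limit is the intended fix, the directive is the one named in the thread, `SecArgumentsLimit`, and it has to be added to modsecurity.conf by hand on the versions discussed.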