p0pr0ck5 / lua-resty-waf

High-performance WAF built on the OpenResty stack
GNU General Public License v3.0

ngx.req.get_uri_args() can't get more than 100 request arguments #280

Open lua-study opened 7 years ago

lua-study commented 7 years ago

ngx.req.get_uri_args(): some note from https://github.com/openresty/lua-nginx-module#ngxreqget_uri_args:

“Note that a maximum of 100 request arguments are parsed by default (including those with the same name) and that additional request arguments are silently discarded to guard against potential denial of service attacks.”

Testing by me:

1) rule checking "information_schema"

2) request: /test.php?&a0=0&a1=1&a2=2&a3=3&a4=4&a5=5&a6=6&a7=7&a8=8&a9=9&a10=10&a11=11&a12=12&a13=13&a14=14&a15=15&a16=16&a17=17&a18=18&a19=19&a20=20&a21=21&a22=22&a23=23&a24=24&a25=25&a26=26&a27=27&a28=28&a29=29&a30=30&a31=31&a32=32&a33=33&a34=34&a35=35&a36=36&a37=37&a38=38&a39=39&a40=40&a41=41&a42=42&a43=43&a44=44&a45=45&a46=46&a47=47&a48=48&a49=49&a50=50&a51=51&a52=52&a53=53&a54=54&a55=55&a56=56&a57=57&a58=58&a59=59&a60=60&a61=61&a62=62&a63=63&a64=64&a65=65&a66=66&a67=67&a68=68&a69=69&a70=70&a71=71&a72=72&a73=73&a74=74&a75=75&a76=76&a77=77&a78=78&a79=79&a80=80&a81=81&a82=82&a83=83&a84=84&a85=85&a86=86&a87=87&a88=88&a89=89&a90=90&a91=91&a92=92&a93=93&a94=94&a95=95&a96=96&a97=97&a98=98&a=information_schemas

3) result: the request can bypass the rule

The other APIs are the same, for example: ngx.req.get_post_args(), ngx.req.get_headers().

harston commented 7 years ago

AFAIK you can change it in ngx_http_lua_common.h, but I haven't tested how increasing this value will affect performance.

I think a good idea is to limit or alert on a high (unnatural) number of arguments and headers.

```c
#ifndef NGX_HTTP_LUA_MAX_ARGS
#define NGX_HTTP_LUA_MAX_ARGS 100
#endif


#ifndef NGX_HTTP_LUA_MAX_HEADERS
#define NGX_HTTP_LUA_MAX_HEADERS 100
#endif
```

p0pr0ck5 commented 7 years ago

@harston no, editing the lua-nginx-module source is patently the wrong solution :) these functions all take a param to limit the number of elements returned.

I think the proper solution here is configurable soft/hard limits for these elements; wherein we warn or set TX vars if these thresholds are passed. This will likely make lua-resty-core a hard dependency as we'll need to leverage some of the FFI functions to get request element count.
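The bypass in the opening post and the soft/hard-limit idea in the comment above, worked through as an added example. This is not lua-resty-waf's code and not the fix the project eventually shipped; it only uses the `max_args` / `max_headers` parameter that `ngx.req.get_uri_args()`, `ngx.req.get_post_args()` and `ngx.req.get_headers()` already accept. `SOFT_LIMIT`, `HARD_LIMIT` and the `ngx.ctx.many_entries` flag are hypothetical configuration standing in for the TX variables mentioned above, and the `"truncated"` second return value is assumed to exist only on lua-nginx-module versions that implement it (older versions simply return the table).

```lua
-- Added example (not lua-resty-waf's or lua-nginx-module's own code).
-- Soft/hard limits on the number of URI args, POST args and headers,
-- using the max_args / max_headers parameter the ngx.req.* getters accept.
-- Assumptions (labelled): SOFT_LIMIT, HARD_LIMIT and the ngx.ctx flag are
-- hypothetical configuration, and the "truncated" second return value is
-- only produced by lua-nginx-module versions that implement it.

local SOFT_LIMIT = 100    -- hypothetical: log above this
local HARD_LIMIT = 1000   -- hypothetical: reject above this

-- Count entries the way the parser's cap counts them: every occurrence
-- counts, so a key that appeared twice (its value is a table) adds two.
local function count_entries(tbl)
    local n = 0
    for _, v in pairs(tbl) do
        if type(v) == "table" then
            n = n + #v
        else
            n = n + 1
        end
    end
    return n
end

-- getter is one of ngx.req.get_uri_args / get_post_args / get_headers.
-- Parsing is capped at HARD_LIMIT + 1, which bounds parser work (the DoS
-- concern behind the default cap) and still lets us tell "exactly
-- HARD_LIMIT" apart from "more than HARD_LIMIT".
local function get_checked(getter, what)
    local tbl, err = getter(HARD_LIMIT + 1)
    if not tbl then
        -- e.g. get_post_args() when the body was spooled to a temp file
        return nil, err
    end
    if err == "truncated" then
        ngx.log(ngx.WARN, what, ": parser hit its cap of ", HARD_LIMIT + 1)
    end

    local n = count_entries(tbl)
    if n > HARD_LIMIT then
        ngx.log(ngx.ERR, what, ": ", n, " entries, over hard limit ", HARD_LIMIT)
        return nil, "hard_limit"
    end
    if n > SOFT_LIMIT then
        ngx.log(ngx.WARN, what, ": ", n, " entries, over soft limit ", SOFT_LIMIT)
        ngx.ctx.many_entries = true   -- hypothetical flag for later rules to key on
    end
    return tbl, nil
end

-- Intended for an access_by_lua_block: reject on hard-limit overflow
-- instead of silently inspecting a truncated view of the request, which
-- is what let the 100-plus-argument request slip past the rule.
local uri_args, err = get_checked(ngx.req.get_uri_args, "uri args")
if err == "hard_limit" then
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end

local headers
headers, err = get_checked(ngx.req.get_headers, "headers")
if err == "hard_limit" then
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end

ngx.req.read_body()   -- required before get_post_args()
local post_args
post_args, err = get_checked(ngx.req.get_post_args, "post args")
if err == "hard_limit" then
    return ngx.exit(ngx.HTTP_BAD_REQUEST)
end
-- uri_args, headers and post_args now hold every entry (up to HARD_LIMIT)
-- and can be handed to the rule engine.
```

Passing `0` as `max_args` removes the cap entirely, which reintroduces the denial-of-service exposure the default exists to prevent; capping at `HARD_LIMIT + 1` keeps parser cost bounded while making an over-limit request observable rather than silently truncated.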

p0pr0ck5 commented 6 years ago

related: https://github.com/openresty/lua-nginx-module/pull/1306