Fix 933160-21 and 942500-1 tests broken due to invalid URIs #2168
Conversation
|
Hi @nullpo-head ! Thanks for your PR, will check it soon. Just remember sometimes we are precisely trying to break specs/rfcs :) |
1 similar comment
|
Hi @nullpo-head ! Thanks for your PR, will check it soon. Just remember sometimes we are precisely trying to break specs/rfcs :) |
|
Thanks for your so quick response, fzipi!
As for these tests, they are not intentionally violating RFCs. They are a test for php function and SQLi respectively, and what they want to test are the values of their parameters, not an invalid HTTP path request. Thanks for the note! |
|
@airween : You are usually keeping an eye on broken NGINX tests. This PR seems to fix something that is quite obviously broken. Could you take a look, please? |
|
Sure, I'll check these soon. |
|
Meeting decision August 2021: @airween will review this PR. |
Yes, it does, but I'm curious what your expectations are for Nginx's tests: it sounds like you're expecting all tests to pass on Nginx. However, in fact, 126 tests fail on Nginx (modec3-nginx), and this PR only fixes 2 of them. Do you normally expect all tests to pass on Nginx? IIUC, to fix the all failing tests,
|
|
Thanks for you comments. We know that some tests fail in nginx because of problems in the connector, and disimilar behavior patterns. My idea was to use the feature available in go-ftw to skip well known failing tests, once we are happy with the actual testing pipeline and we declare it stable. |
|
The idea is clearly for ModSec3 to pass all the tests. We know that the engine / NGINX platform has shortcomings and we keep a close eye on those. Your PR fixes things where our close eye did not see sharp enough. That's why I called @airween to join us here. It's unfortunate that ModSec3 is lacking several years after they declared it production ready, but there is relatively little we can do outside of providing patches (what we've done in the past). The very thing we won't be doing is making CRS weaker in order to make ModSec3 pass 100% of the tests. CRS is meant to be the full functionality. |
|
Hi @nullpo-head, thanks again for your pull request. I did some research, now please let me summarize my ideas. I've reviewed the RFC, and as I interpret, it allows the empty URI - but this is just my opinion, please check it someone else as well. Even so I think in these cases, when the request can be adjusted for more valid test results, we can change it. There is only one small note from me: the first test's rule checks the My opinions for your other observations:
you are right, but I'm not sure anybody will be more happier if there will be two less faulty test from the 126 :).
it's a good idea, and as @fzipi wrote above, our new regression test framework will know this feature
sorry, could you help me to clarify which "Apache-specific UTF-8 character escapes" are you thinking about?
Unfortunately I know what are you feeling - but sorry to say, this is a known libmodsecurity3 bug. There are two separated issues, we really hope that the developers will fix them soon. Please note, that the reference shows: This variable is available only if the URLENCODED request body processor was used, which will occur by default when the application/x-www-form-urlencoded content type is detected, or if the use of the URLENCODED request body parser was forced. Please accept our viewpoint, that we need a reference system - not only for the mod_security2 (and Apache) users, but all of our customers. Summed up so far: we can merge this PR without any risk. |
I didn't realize that there's go version. Faster and supporting more features. It sounds awesome! I feel it may be even nicer if we could maintain |
Thanks for clarification, @dune73! It sounds awesome.
Yes, I understand it and I didn't mean it, either. I just wondered if the status of Nginx tests is tracked, but it seems that was a completely unnecessary concern. Thanks for your great work! |
|
I really appreciate the detailed discussion, @airween.
Thanks! It's of course OK to merge this PR anytime. As for the RFC, thanks for taking your time to check it and I'm sorry if I was wrong. It seems that another section says abs_path in a request cannot be empty, but I'm not a HTTP lawyer and that would be a bit off-topic, so no problem.
I'm talking about the regular expression of the rule 920460 and 941330, which seems to have too-many backslashes. It seems to depend on the fact that Apaches do escaping like
Oops, I didn't notice that the guy in the discussion was you. Thanks so much for your effort on that. |
|
hi @nullpo-head,
thanks :)
sure, that's why I asked someone to review that part. No problem.
oh, I see - sorry to say, but this is also a know libmodsecurity3 bug (if I understand you correctly). Here is a small summary, how the escape char handling works.
no problem :). I've sent a very ugly PR to fix that, but I was just curious - that's not a real fix. Rather I devoted it to start a discussion. |
|
Hey guys, I only skimmed through your conversation above. Can you give me a status report and a confirmation this PR is ready to be merged? |
|
@dune73 Hi, we were discussing another topic, but I think the conclusion of this PR itself is this PR can be merged. |
|
Agreed, merging 😄 |
Hi CRS team. Thanks for the great product!
Here is a pull request to fix broken tests on Nginx. Let me know if it's better to open an issue first.
Issue
The regression test cases, 933160-21 and 942500-1, are failing on Nginx.
Reason
The
uriparameters in tests cases933160-21and942500-1start with?param=without the actual path such as/. This is an ill-formed path in terms of the HTTP protocol spec, because it lacks the absoluteURI, abs_path nor authority. (Link to the spec fyi.)Thus, the generated requests are rejected by Nginx before WAF sees them, which is not an expected behavior.
JFYI, this happens on Envoy server as well.
Logs
Before my fix, Nginx rejects the requests by the test cases with the following log.
With my fix, the test cases pass.