Transformation `hexDecode` should not allow badly encoded inputs, or documentation should be updated #3325

fzipi · 2025-01-09T15:10:20Z

Describe the bug

This comes from this discussion: corazawaf/coraza#1253.

Technically, there is one test that accepts a string that could not be generated by hexEncode.

👉 Is this the expected behavior?

I think accepting a broken input is just prone to more errors. Don't know how this affects a possible chain of transformations.

The text was updated successfully, but these errors were encountered:

marcstern · 2025-01-09T16:05:14Z

hexDecode should indeed check if characters are valid.
Question is what to do in case of an invalid one ...

airween · 2025-01-13T19:44:57Z

hexDecode should indeed check if characters are valid.

Characters come from user as a payload, right? (Or they can come as output of another transformation?)

Can we set the REQBODY_ERROR variable?

marcstern · 2025-01-14T15:48:36Z

Can we set the REQBODY_ERROR variable?

Pay attention that hexEncode could be used on something else than the request body

fzipi added 2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x labels Jan 9, 2025

Provide feedback