Merge branch 'main' into feature/SecRuleUpdateActionByID

corazawaf · Jun 15, 2024 · b0e5c10 · b0e5c10
2 parents 776ef38 + e42dcd5
commit b0e5c10
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/go.sum b/go.sum
@@ -1,7 +1,5 @@
 github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df h1:YWiVl53v0R8Knj/k+4slO0SXPL67Y4dXWiOIWNzrkew=
 github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df/go.mod h1:7jguE759ADzy2EkxGRXigiC0ER1Yq2IFk2qNtwgzc7U=
-github.com/corazawaf/libinjection-go v0.1.3 h1:PUplAYho1BBl0tIVbhDsNRuVGIeUYSiCEc9oQpb2rJU=
-github.com/corazawaf/libinjection-go v0.1.3/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/corazawaf/libinjection-go v0.2.0 h1:Bjuy4s3xO9TSkp3GruliP7rFqNUmPI6rl5trsqipPno=
 github.com/corazawaf/libinjection-go v0.2.0/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=
@@ -10,8 +8,6 @@ github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7Dlme
 github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
-github.com/mccutchen/go-httpbin/v2 v2.13.4 h1:KjUeehEAcWG+ce5WJVtP3cyquL0Qe/jQ4UWe/N1BVDw=
-github.com/mccutchen/go-httpbin/v2 v2.13.4/go.mod h1:f4DUXYlU6yH0V81O4lJIwqpmYdTXXmYwzxMnYEimFPk=
 github.com/mccutchen/go-httpbin/v2 v2.14.0 h1:9N7GUf8+JunYMFd+yHPIVYApC6KYgqtF0pHIcTGYcVQ=
 github.com/mccutchen/go-httpbin/v2 v2.14.0/go.mod h1:f4DUXYlU6yH0V81O4lJIwqpmYdTXXmYwzxMnYEimFPk=
 github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=

diff --git a/internal/corazawaf/transaction.go b/internal/corazawaf/transaction.go
@@ -946,6 +946,7 @@ func (tx *Transaction) ReadRequestBodyFrom(r io.Reader) (*types.Interruption, in
 	}
 
 	if tx.requestBodyBuffer.length == tx.RequestBodyLimit {
+		tx.variables.inboundDataError.Set("1")
 		if tx.WAF.RequestBodyLimitAction == types.BodyLimitActionReject {
 			return setAndReturnBodyLimitInterruption(tx)
 		}
@@ -1121,7 +1122,6 @@ func (tx *Transaction) WriteResponseBody(b []byte) (*types.Interruption, int, er
 		runProcessResponseBody = false
 	)
 	if tx.responseBodyBuffer.length+writingBytes >= tx.ResponseBodyLimit {
-		// TODO: figure out ErrorData vs DataError: https://github.com/corazawaf/coraza/issues/564
 		tx.variables.outboundDataError.Set("1")
 		if tx.WAF.ResponseBodyLimitAction == types.BodyLimitActionReject {
 			// We interrupt this transaction in case ResponseBodyLimitAction is Reject
@@ -1173,7 +1173,6 @@ func (tx *Transaction) ReadResponseBodyFrom(r io.Reader) (*types.Interruption, i
 	if l, ok := r.(ByteLenger); ok {
 		writingBytes = int64(l.Len())
 		if tx.responseBodyBuffer.length+writingBytes >= tx.ResponseBodyLimit {
-			// TODO: figure out ErrorData vs DataError: https://github.com/corazawaf/coraza/issues/564
 			tx.variables.outboundDataError.Set("1")
 			if tx.WAF.ResponseBodyLimitAction == types.BodyLimitActionReject {
 				return setAndReturnBodyLimitInterruption(tx)
@@ -1194,6 +1193,7 @@ func (tx *Transaction) ReadResponseBodyFrom(r io.Reader) (*types.Interruption, i
 	}
 
 	if tx.responseBodyBuffer.length == tx.ResponseBodyLimit {
+		tx.variables.outboundDataError.Set("1")
 		if tx.WAF.ResponseBodyLimitAction == types.BodyLimitActionReject {
 			return setAndReturnBodyLimitInterruption(tx)
 		}

diff --git a/internal/corazawaf/transaction_test.go b/internal/corazawaf/transaction_test.go
@@ -171,17 +171,20 @@ func TestWriteRequestBody(t *testing.T) {
 		requestBodyLimitAction          types.BodyLimitAction
 		avoidRequestBodyLimitActionInit bool
 		shouldInterrupt                 bool
+		limitReached                    bool // If the limit is reached, INBOUND_DATA_ERROR should be set
 	}{
 		{
 			name:                   "LimitNotReached",
 			requestBodyLimit:       urlencodedBodyLen + 2,
 			requestBodyLimitAction: types.BodyLimitAction(-1),
+			limitReached:           false,
 		},
 		{
 			name:                   "LimitReachedAndRejects",
 			requestBodyLimit:       urlencodedBodyLen - 3,
 			requestBodyLimitAction: types.BodyLimitActionReject,
 			shouldInterrupt:        true,
+			limitReached:           true,
 		},
 		{
 			name:             "LimitReachedAndRejectsDefaultValue",
@@ -190,11 +193,13 @@ func TestWriteRequestBody(t *testing.T) {
 			// requestBodyLimitAction: types.BodyLimitActionReject,
 			avoidRequestBodyLimitActionInit: true,
 			shouldInterrupt:                 true,
+			limitReached:                    true,
 		},
 		{
 			name:                   "LimitReachedAndPartialProcessing",
 			requestBodyLimit:       urlencodedBodyLen - 3,
 			requestBodyLimitAction: types.BodyLimitActionProcessPartial,
+			limitReached:           true,
 		},
 	}
 
@@ -232,7 +237,9 @@ func TestWriteRequestBody(t *testing.T) {
 									t.Fatalf("Failed to write body buffer: %s", err.Error())
 								}
 							}
-
+							if testCase.limitReached && tx.variables.inboundDataError.Get() != "1" {
+								t.Fatalf("Expected INBOUND_DATA_ERROR to be set")
+							}
 							if testCase.shouldInterrupt {
 								if it == nil {
 									t.Fatal("Expected interruption, got nil")
@@ -485,28 +492,33 @@ func TestWriteResponseBody(t *testing.T) {
 		responseBodyLimit       int
 		responseBodyLimitAction types.BodyLimitAction
 		shouldInterrupt         bool
+		limitReached            bool // If the limit is reached, OUTBOUND_DATA_ERROR should be set
 	}{
 		{
 			name:                    "LimitNotReached",
 			responseBodyLimit:       urlencodedBodyLen + 2,
 			responseBodyLimitAction: types.BodyLimitAction(-1),
+			limitReached:            false,
 		},
 		{
 			name:                    "LimitReachedAndRejects",
 			responseBodyLimit:       urlencodedBodyLen - 3,
 			responseBodyLimitAction: types.BodyLimitActionReject,
 			shouldInterrupt:         true,
+			limitReached:            true,
 		},
 		{
 			name:                    "LimitReachedAndPartialProcessing",
 			responseBodyLimit:       urlencodedBodyLen - 3,
 			responseBodyLimitAction: types.BodyLimitActionProcessPartial,
+			limitReached:            true,
 		},
 		{
 			name:              "LimitReachedAndPartialProcessingDefaultValue",
 			responseBodyLimit: urlencodedBodyLen - 3,
 			// Omitting requestBodyLimitAction defaults to ProcessPartial
 			// responseBodyLimitAction: types.BodyLimitActionProcessPartial,
+			limitReached: true,
 		},
 	}
 
@@ -548,7 +560,9 @@ func TestWriteResponseBody(t *testing.T) {
 									t.Fatalf("Failed to write body buffer: %s", err.Error())
 								}
 							}
-
+							if testCase.limitReached && tx.variables.outboundDataError.Get() != "1" {
+								t.Fatalf("Expected OUTBOUND_DATA_ERROR to be set")
+							}
 							if testCase.shouldInterrupt {
 								if it == nil {
 									t.Fatal("Expected interruption, got nil")