fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests #895
Conversation
M4tteoP
changed the title
M4tteoP
changed the title
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #895 +/- ##
==========================================
+ Coverage 82.72% 83.22% +0.50%
==========================================
Files 162 162
Lines 9080 7552 -1528
==========================================
- Hits 7511 6285 -1226
+ Misses 1319 1019 -300
+ Partials 250 248 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -276,6 +277,7 @@ func NewWAF() *WAF { | |||
| RuleEngine: types.RuleEngineOn, | |||
| RequestBodyAccess: false, | |||
| RequestBodyLimit: _1gb, | |||
| RequestBodyLimitAction: types.BodyLimitActionReject, | |||
There was a problem hiding this comment.
As per https://coraza.io/docs/seclang/directives/#secrequestbodylimitaction, the default value for the request body limit action is Reject. We can't rely on the zero value of the BodyLimit action because we want to have two different default values for RequestBodyLimitAction (reject) and ResponseBodyLimitAction (processPartial). The first one has been explicited here
internal/seclang/directives.go
Outdated
| @@ -229,7 +229,7 @@ func directiveSecResponseBodyAccess(options *DirectiveOptions) error { | |||
| } | |||
|
|
|||
| // Description: Configures the maximum request body size Coraza will accept for buffering. | |||
| // Default: 134217728 (131072 KB) | |||
| // Default: 1073741824 (1024 MiB) | |||
There was a problem hiding this comment.
See
coraza/internal/corazawaf/waf.go
Line 278 in 4b1b82d
There was a problem hiding this comment.
Some confusion here. _1gb is the hard limit and not the default one (1gb for the default one is cray IMO). Maybe it is better to set to -1 and fail if not set? cc @anuraaga
There was a problem hiding this comment.
Since 6482ab1, seems like it is effectively not just the hard limit, but also the default one. Here I wanted to at least align the doc with the implementation.
I agree that it is not the best default value: I'm okay with both setting the default value to the one that users are used from ModSec, or making it a requirement.
This is basically the evolution of #612 (comment)
There was a problem hiding this comment.
I agree about aligning code to doc
| @@ -448,7 +448,7 @@ func directiveSecRequestBodyLimitAction(options *DirectiveOptions) error { | |||
| } | |||
|
|
|||
| // Description: Configures the maximum request body size that Coraza will store in memory. | |||
| // Default: 131072 (128 KB) | |||
| // Default: defaults to RequestBodyLimit | |||
There was a problem hiding this comment.
See
coraza/internal/corazawaf/waf.go
Lines 183 to 187 in 4b1b82d
M4tteoP
force-pushed
the
fix_bodylimits_doc
branch
from
eee0aa9 to
6be7862
Compare
M4tteoP
changed the title
| @@ -45,7 +45,7 @@ SecRequestBodyLimit 13107200 | |||
|
|
|||
| SecRequestBodyInMemoryLimit 131072 | |||
|
|
|||
| SecRequestBodyNoFilesLimit 131072 | |||
| # SecRequestBodyNoFilesLimit 131072 | |||
There was a problem hiding this comment.
Being not implemented, I think we should at least comment it out, not letting users think that it is an enforced configuration
There was a problem hiding this comment.
Let's add a comment too, # Coraza currently does not read this parameter I think
There was a problem hiding this comment.
Could you also open an issue for this? Are we supporting it @jptosso ?
There was a problem hiding this comment.
I added the following comment: # SecRequestBodyNoFilesLimit is currently not supported by Coraza. As far as I can see, we actually just read the parameter, but we do not enforce any logic based on this.
Opened issue #896 about it.
| @@ -45,7 +45,7 @@ SecRequestBodyLimit 13107200 | |||
|
|
|||
| SecRequestBodyInMemoryLimit 131072 | |||
|
|
|||
| SecRequestBodyNoFilesLimit 131072 | |||
| # SecRequestBodyNoFilesLimit 131072 | |||
There was a problem hiding this comment.
Let's add a comment too, # Coraza currently does not read this parameter I think
…a.conf-recommended
M4tteoP
force-pushed
the
fix_bodylimits_doc
branch
from
b8c0246 to
9ee9745
Compare
|
Anyone PTAL, I think it is ready to be merged |
internal/seclang/directives.go
Outdated
| @@ -876,6 +876,8 @@ func directiveSecUploadDir(options *DirectiveOptions) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // Not implemented yet | |||
There was a problem hiding this comment.
Not sure this will work for autogeneration. Everything not being key:value (e.g. Description: Configures....) should go after the
// ---
There was a problem hiding this comment.
Thanks, moved as // Note: not implemented yet as the last line
This PR:
SecRequestBodyLimit,SecRequestBodyInMemoryLimit, andSecResponseBodyLimitdocumented default values.RequestBodyLimitActionSecRequestBodyNoFilesLimitis not implementedEven if relying on the provided
coraza.conf-recommendedfile makes all these default values not used, we should still keep consistency between the actual code and its documentation