Process HTTP abs_path and query separately #1276

Open
4 tasks
krizhanovsky opened this issue Jun 26, 2019 · 0 comments
krizhanovsky commented Jun 26, 2019

Currently we process both URI parts in the same Req_UriAbsPath parser state and validate input against the same alphabet. However, if we process them separately and explicitly split on ?, then we can mitigate many RCE globbing attacks. Trickier cases like /[[:alpha:]][[:alpha:]][[:alpha:]]/[[:alpha:]]s or /[a-z][a-z][a-z]/[a-z]s must be blocked by array syntax checking.

For the caching (e.g. #1391) and WAF features we need to put the GET parameters into some map, ideally with dynamic size (e.g. using TfwStr if it doesn't impact performance), or choose some reasonable limit, say 1024, and put the remaining arguments at once into the last item with a flag that the item is compound.

TBD: Probably we can tokenize the parameters with SIMD (see discussion in #2).

Only strict and log (default) modes of the content_security_mode option (see #2) must be supported for now.

Arrays must be treated as compound, probably duplicate, TfwStrs. Examples:

  1. ?a=0&files[0]=1&files[1]=2 produces a TfwStr of 6 TfwStrs (which can be compound in case of chunked data): even indexes carry the flag TFW_STR_NAME (a, files[0], files[1]) and odd indexes TFW_STR_VALUE (0, 1, 2).
  2. files[]=1&files[]=2 or files[a][]=1&files[a][]=2 generates one TFW_STR_DUPLICATE duplicate TfwStr with four sub-TfwStrs (2 names and 2 values). An empty [] prevents generation of a parameter pollution error.
  3. ?myarray=value1&myarray=value2&myarray=value3: since myarray has no [], the query string isn't accepted in strict mode or generates a duplicate TfwStr in log mode.
  4. ?cars=Saab&cars=Audi is blocked in strict mode and treated as a duplicate in log mode.
  5. ?cars[a]=Saab,Audi produces one TfwStr with name cars[a] and value Saab,Audi. The same holds for foo=1|2|3 or any other custom, but allowed, separator, e.g. in ?fields=-*,+foo,+bar the whole -*,+foo,+bar goes as the value. ?fields=kind,items(title,characteristics/length) also keeps the whole right part as the value.

The last example also continues to objects. While ?foo={bar:0} (which can be represented as ?foo=%7Bbar%3A0%7D) is typically equal to ?foo.bar=0 or ?foo[bar]=0 or application layer,

It is supposed that the parameters mapping takes place after percent-decoding (#2), so the TfwStrs must point to a contiguous memory location.

Documentation

Please update the Wiki with a description of the enhanced functionality, a reference to the original blog post and examples of the attacks.

Tests
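The parameter mapping sketched in the issue (names and values split on & and =, [] arrays allowed to repeat, bare duplicates rejected in strict mode and flagged in log mode, and everything beyond a fixed limit kept as one compound item), written out as an added C example. This is not Tempesta FW code: qp_parse, struct qp_param, QP_MAX_PARAMS and the mode names are invented for this sketch, the sample queries are constructed from the examples above, and the input is assumed to be already percent-decoded and contiguous in memory, as the issue requires.

```c
/*
 * Added example, not Tempesta FW code. Minimal query-string tokenizer showing
 * the name/value mapping, "[]" array handling and strict-vs-log duplicate
 * policy described in the issue. All identifiers here are hypothetical.
 * Input is assumed percent-decoded and contiguous (no TfwStr chunks).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QP_MAX_PARAMS 8   /* deliberately small so the overflow path is visible */

enum qp_mode { QP_MODE_STRICT, QP_MODE_LOG };

struct qp_param {
	const char *name;  size_t name_len;   /* stands in for the TFW_STR_NAME item */
	const char *value; size_t value_len;  /* stands in for the TFW_STR_VALUE item */
	bool is_array;      /* name ends with "[]": repetition is an explicit array */
	bool is_duplicate;  /* same name seen before without "[]": parameter pollution */
	bool is_compound;   /* unparsed tail stored once QP_MAX_PARAMS - 1 slots are used */
};

struct qp_result {
	struct qp_param params[QP_MAX_PARAMS];
	size_t n;
	size_t n_duplicates;
	bool rejected;
};

static bool qp_name_is_array(const char *s, size_t len)
{
	return len >= 2 && s[len - 2] == '[' && s[len - 1] == ']';
}

static bool qp_same_name(const struct qp_param *p, const char *name, size_t len)
{
	return p->name_len == len && memcmp(p->name, name, len) == 0;
}

/* Returns the number of items stored, or -1 when strict mode rejects the query. */
int qp_parse(const char *query, size_t len, enum qp_mode mode, struct qp_result *res)
{
	size_t i = 0;

	memset(res, 0, sizeof(*res));
	if (len && query[0] == '?')
		i = 1;

	while (i < len) {
		struct qp_param *p;
		size_t start = i, seg_len;
		const char *eq;

		/* The last slot takes whatever is left, unparsed, flagged as compound. */
		if (res->n == QP_MAX_PARAMS - 1) {
			p = &res->params[res->n++];
			p->name = query + i;
			p->name_len = len - i;
			p->is_compound = true;
			break;
		}

		while (i < len && query[i] != '&')
			i++;
		seg_len = i - start;
		if (i < len)
			i++;                  /* step over '&' */
		if (seg_len == 0)
			continue;             /* tolerate "a=1&&b=2" */

		p = &res->params[res->n];
		p->name = query + start;
		eq = memchr(p->name, '=', seg_len);
		p->name_len = eq ? (size_t)(eq - p->name) : seg_len;
		p->value = eq ? eq + 1 : p->name + seg_len;
		/* Separators inside the value (',', '|', parentheses) are not split:
		 * the whole right-hand side stays one value. */
		p->value_len = seg_len - p->name_len - (eq ? 1 : 0);
		p->is_array = qp_name_is_array(p->name, p->name_len);

		for (size_t j = 0; j < res->n; j++) {
			if (!qp_same_name(&res->params[j], p->name, p->name_len))
				continue;
			if (p->is_array)
				break;            /* files[]=1&files[]=2: explicit array, allowed */
			p->is_duplicate = true;
			res->n_duplicates++;
			if (mode == QP_MODE_STRICT) {
				res->rejected = true;   /* cars=Saab&cars=Audi: blocked */
				return -1;
			}
			break;                /* log mode: keep both items, mark the duplicate */
		}
		res->n++;
	}
	return (int)res->n;
}

int main(void)
{
	struct qp_result r;
	const char *q = "?myarray=value1&myarray=value2";   /* constructed sample */
	int rc_strict = qp_parse(q, strlen(q), QP_MODE_STRICT, &r);
	int rc_log = qp_parse(q, strlen(q), QP_MODE_LOG, &r);

	printf("strict: %d (rejected=%d)\n", rc_strict, r.rejected ? 0 : 0);
	printf("log: %d items, %zu duplicate(s)\n", rc_log, r.n_duplicates);
	return 0;
}
```

The duplicate check is a linear scan, which is fine for a sketch with a small limit; with a limit like the 1024 mentioned in the issue a hash of the name would replace it. Note that the compound tail is stored unparsed, so a query with exactly QP_MAX_PARAMS parameters also ends in a compound item; the issue leaves that boundary open.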
