diff --git a/examples/http-server/go.mod b/examples/http-server/go.mod index c64566c48..674dd31f3 100644 --- a/examples/http-server/go.mod +++ b/examples/http-server/go.mod @@ -13,7 +13,7 @@ require ( github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect - golang.org/x/net v0.50.0 // indirect + golang.org/x/net v0.51.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/tools v0.41.0 // indirect google.golang.org/protobuf v1.35.1 // indirect diff --git a/examples/http-server/go.sum b/examples/http-server/go.sum index 45f04145b..5a46e116e 100644 --- a/examples/http-server/go.sum +++ b/examples/http-server/go.sum @@ -27,8 +27,8 @@ github.com/valllabh/ocsf-schema-golang v1.0.3 h1:eR8k/3jP/OOqB8LRCtdJ4U+vlgd/gk5 github.com/valllabh/ocsf-schema-golang v1.0.3/go.mod h1:sZ3as9xqm1SSK5feFWIR2CuGeGRhsM7TR1MbpBctzPk= golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= -golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= -golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= +golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= +golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= diff --git a/go.sum b/go.sum index ff57489d8..6e661b969 100644 --- a/go.sum +++ b/go.sum @@ -67,8 +67,6 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= -golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= -golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= diff --git a/internal/bodyprocessors/json.go b/internal/bodyprocessors/json.go index 4a913b255..5176d9369 100644 --- a/internal/bodyprocessors/json.go +++ b/internal/bodyprocessors/json.go @@ -14,10 +14,6 @@ import ( "github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes" ) -// responseBodyRecursionLimit is the default recursion depth limit for response body JSON parsing. -// Uses the same default as request bodies (1024) to protect against deeply nested structures. -const responseBodyRecursionLimit = 1024 - type jsonBodyProcessor struct{} var _ plugintypes.BodyProcessor = &jsonBodyProcessor{} @@ -31,7 +27,6 @@ func (js *jsonBodyProcessor) ProcessRequest(reader io.Reader, v plugintypes.Tran return err } ss := s.String() - // Process with recursion limit col := v.ArgsPost() data, err := readJSON(ss, bpo.RequestBodyRecursionLimit) @@ -52,6 +47,8 @@ func (js *jsonBodyProcessor) ProcessRequest(reader io.Reader, v plugintypes.Tran return nil } +const ignoreJSONRecursionLimit = -1 + func (js *jsonBodyProcessor) ProcessResponse(reader io.Reader, v plugintypes.TransactionVariables, _ plugintypes.BodyProcessorOptions) error { // Read the entire body to store it and process it s := strings.Builder{} @@ -59,10 +56,9 @@ func (js *jsonBodyProcessor) ProcessResponse(reader io.Reader, v plugintypes.Tra return err } ss := s.String() - - // Process with recursion limit + // Process with no recursion limit as we don't have a directive for response body col := v.ResponseArgs() - data, err := readJSON(ss, responseBodyRecursionLimit) + data, err := readJSON(ss, ignoreJSONRecursionLimit) if err != nil { return err } diff --git a/internal/corazawaf/transaction.go b/internal/corazawaf/transaction.go index e00f837c1..20c056f22 100644 --- a/internal/corazawaf/transaction.go +++ b/internal/corazawaf/transaction.go @@ -71,7 +71,6 @@ type Transaction struct { ForceRequestBodyVariable bool RequestBodyAccess bool RequestBodyLimit int64 - RequestBodyJsonDepthLimit int ForceResponseBodyVariable bool ResponseBodyAccess bool ResponseBodyLimit int64 @@ -80,7 +79,7 @@ type Transaction struct { HashEnforcement bool // Stores the last phase that was evaluated - // Used by allow to skip phasesx + // Used by allow to skip phases lastPhase types.RulePhase // Handles request body buffers diff --git a/internal/corazawaf/waf.go b/internal/corazawaf/waf.go index ef65d9cb2..0217025a2 100644 --- a/internal/corazawaf/waf.go +++ b/internal/corazawaf/waf.go @@ -190,7 +190,6 @@ func (w *WAF) newTransaction(opts Options) *Transaction { tx.ForceRequestBodyVariable = false tx.RequestBodyAccess = w.RequestBodyAccess tx.RequestBodyLimit = w.RequestBodyLimit - tx.RequestBodyJsonDepthLimit = w.RequestBodyJsonDepthLimit tx.ResponseBodyAccess = w.ResponseBodyAccess tx.ResponseBodyLimit = w.ResponseBodyLimit tx.RuleEngine = w.RuleEngine diff --git a/internal/seclang/directives.go b/internal/seclang/directives.go index 999485b76..7c79b8a59 100644 --- a/internal/seclang/directives.go +++ b/internal/seclang/directives.go @@ -297,6 +297,11 @@ func directiveSecRequestBodyJsonDepthLimit(options *DirectiveOptions) error { if err != nil { return err } + + if limit <= 0 { + return errors.New("limit must be a positive integer") + } + options.WAF.RequestBodyJsonDepthLimit = limit return nil } diff --git a/testing/coraza_test.go b/testing/coraza_test.go index 8edaff198..4d3d33323 100644 --- a/testing/coraza_test.go +++ b/testing/coraza_test.go @@ -24,8 +24,9 @@ func TestEngine(t *testing.T) { t.Run(p.Meta.Name, func(t *testing.T) { tt, err := testList(t, &p) if err != nil { - t.Error(err) + t.Fatal(err) } + for _, test := range tt { t.Run(test.Name, func(t *testing.T) { if err := test.RunPhases(); err != nil { diff --git a/testing/coreruleset/go.sum b/testing/coreruleset/go.sum index 7ce49db54..7bd6ec765 100644 --- a/testing/coreruleset/go.sum +++ b/testing/coreruleset/go.sum @@ -8,10 +8,6 @@ github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/ github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc h1:OlJhrgI3I+FLUCTI3JJW8MoqyM78WbqJjecqMnqG+wc= github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc/go.mod h1:7rsocqNDkTCira5T0M7buoKR2ehh7YZiPkzxRuAgvVU= -github.com/corazawaf/coraza-coreruleset/v4 v4.22.0 h1:rQhJ1+2+TZsoVBXlRWn+AVteECot3pIF8tSVDjjhkUc= -github.com/corazawaf/coraza-coreruleset/v4 v4.22.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g= -github.com/corazawaf/coraza-coreruleset/v4 v4.23.0 h1:e7f2tRhOBFN8YtL72wqy2cMPS6o64XyMgS81dRbw2/c= -github.com/corazawaf/coraza-coreruleset/v4 v4.23.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g= github.com/corazawaf/coraza-coreruleset/v4 v4.24.0 h1:7Ys2vZegaDIwDeDcRuCQNjMzNaDLklqXogJsucoE1tk= github.com/corazawaf/coraza-coreruleset/v4 v4.24.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g= github.com/corazawaf/libinjection-go v0.3.2 h1:9rrKt0lpg4WvUXt+lwS06GywfqRXXsa/7JcOw5cQLwI= @@ -119,8 +115,6 @@ golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= -golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= -golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=