Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for MULTIPART_PART_HEADERS #452

Merged
merged 6 commits into from
Oct 2, 2022
Merged

add support for MULTIPART_PART_HEADERS #452

merged 6 commits into from
Oct 2, 2022

Conversation

jptosso
Copy link
Member

@jptosso jptosso commented Oct 1, 2022
edited
Loading

Add support for MULTIPART_PART_HEADERS

This variable is a collection of all part headers found within the request body with Content-Type multipart/form-data. The key of each item in the collection is the name of the part in which it was found, while the value is the entire part-header line -

  • including both the part-header name and the part-header value.
SecRule MULTIPART_PART_HEADERS:parm1 "@rx content-type:.*jpeg" "phase:2,deny,status:403,id:500074,t:lowercase"

From: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8

Closes #451

@jptosso jptosso marked this pull request as draft October 1, 2022 16:39
@jptosso jptosso changed the title DRAFT: add base for MULTIPART_PART_HEADERS add base for MULTIPART_PART_HEADERS Oct 1, 2022
@jptosso jptosso marked this pull request as ready for review October 1, 2022 16:57
@jptosso
Copy link
Member Author

jptosso commented Oct 1, 2022

It seems like http.Header is not "sorted". Index for the multiparts headers won't be consistent.

@codecov-commenter
Copy link

Codecov Report

Base: 73.10% // Head: 73.13% // Increases project coverage by +0.03% 🎉

Coverage data is based on head (1d503df) compared to base (5408fcd).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##           v3/dev     #452      +/-   ##
==========================================
+ Coverage   73.10%   73.13%   +0.03%     
==========================================
  Files         143      143              
  Lines        6584     6593       +9     
==========================================
+ Hits         4813     4822       +9     
  Misses       1494     1494              
  Partials      277      277
Flag Coverage Δ
no-tinygo 73.18% <100.00%> (+0.03%) ⬆️
overall 73.13% <100.00%> (+0.03%) ⬆️
tinygo 72.03% <100.00%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
internal/corazawaf/transaction.go 65.34% <ø> (ø)
types/variables/variables.go 93.33% <ø> (ø)
bodyprocessors/multipart.go 71.25% <100.00%> (+2.75%) ⬆️
internal/corazawaf/waf.go 96.27% <100.00%> (+0.02%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@jptosso jptosso changed the title add base for MULTIPART_PART_HEADERS add support for MULTIPART_PART_HEADERS Oct 1, 2022
@jptosso jptosso enabled auto-merge (squash) October 1, 2022 17:15
@fzipi
Copy link
Member

fzipi commented Oct 1, 2022

It seems like http.Header is not "sorted". Index for the multiparts headers won't be consistent.

This makes sense based on the implementation. Do we need them to be consistent?

@jptosso
Copy link
Member Author

jptosso commented Oct 1, 2022

Not really, modsecurity doesn't support ordered inputs neither.

Unpredictable Hpp could be performed though

fzipi
fzipi reviewed Oct 1, 2022
View reviewed changes
bodyprocessors/multipart.go Outdated Show resolved Hide resolved
fzipi
fzipi reviewed Oct 1, 2022
View reviewed changes
testing/engine/multipart.go Outdated Show resolved Hide resolved
@jptosso jptosso requested a review from fzipi October 2, 2022 14:48
fzipi
fzipi approved these changes Oct 2, 2022
View reviewed changes
Copy link
Member

@fzipi fzipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now!

@jptosso jptosso merged commit 008a3f3 into v3/dev Oct 2, 2022
@jptosso jptosso deleted the v3/implement-multipart-headers branch October 2, 2022 15:05
jcchavezs
jcchavezs reviewed Oct 2, 2022
View reviewed changes
types/variables.go
@@ -5,4 +5,4 @@ package types

// VariablesCount contains the number of variables handled by the variables package
// It is used to create arrays of the correct size
const VariablesCount = 91
const VariablesCount = 92
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this file should be generated, what do you think? Wanna give a try @M4tteoP ?

jcchavezs pushed a commit that referenced this pull request Oct 3, 2022
@jptosso @jcchavezs
add support for MULTIPART_PART_HEADERS (#452)
491dcc5 
* add support for MULTIPART_PART_HEADERS
* Add MULTIPART_PART_HEADERS tests
@jptosso jptosso mentioned this pull request Oct 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcchavezs jcchavezs jcchavezs left review comments

@fzipi fzipi fzipi approved these changes

@anuraaga anuraaga Awaiting requested review from anuraaga

@piyushroshan piyushroshan Awaiting requested review from piyushroshan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Errors when parsing two CRS files
4 participants
@jptosso @codecov-commenter @fzipi @jcchavezs