Make multipart/mixed an OWASP-allowed content type #2002

Closed
HeikoTheissen opened this issue Sep 26, 2024 · 6 comments
HeikoTheissen (Contributor) commented Sep 26, 2024

OWASP maintains a set of core rules which, among others, contains a list of "allowed content types for requests"

https://github.com/coreruleset/coreruleset/blob/a2f477d9d3171ac23cde3a3fc719356bc3db55db/rules/REQUEST-901-INITIALIZATION.conf#L200

which is then used in another rule

https://github.com/coreruleset/coreruleset/blob/a2f477d9d3171ac23cde3a3fc719356bc3db55db/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1013

This list is not set in stone, for example, multipart/related was added as a result of coreruleset/coreruleset#1721.

To support OData multipart $batch requests, should the OData TC raise another issue to have multipart/mixed included?

@ralfhandl ralfhandl moved this to Open in OData TC Sep 26, 2024
@ralfhandl ralfhandl moved this from Open to Resolved in OData TC Oct 2, 2024
ralfhandl (Contributor):

@HeikoTheissen to approach OWASP

HeikoTheissen (Contributor, Author):

> @HeikoTheissen to approach OWASP

@mikepizzo offered to ask a colleague at Microsoft, I'd like to await his response first so that I can better judge what impact the rule 901162 (which we want modified) actually has.

HeikoTheissen (Contributor, Author):

OWASP closed the PR and, instead of allowing multipart/mixed, decided to disallow multipart/related (coreruleset/coreruleset#3905). Neither content type can be parsed by the ModSecurity WAF engine.

ralfhandl (Contributor):

Should we then deprecate the multipart batch format and move it to a separate specification?

HeikoTheissen (Contributor, Author):

ralfhandl (Contributor):

No further action needed at this point. Whoever puts a WAF in front of an OData API has to make sure that all requests they need processed are passed on.
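What "making sure the requests are passed on" looks like in practice, as an added example that is not part of this issue, the OData TC's work, or the CRS project's own files: the two ways of putting multipart/mixed onto the CRS allowlist that rule 920420 checks. It assumes the CRS 4.x format of tx.allowed_request_content_type (pipe-wrapped, space-separated media types, as set by default in rule 901162), that the OData batch endpoint is the service root followed by `$batch`, and a hypothetical user rule id 10001; the ver/tag actions have been left out.

```apache
# Added example, not from the CRS project or the OData TC. Assumes the CRS 4.x
# allowlist format used by rule 901162; rule id 10001 is a hypothetical id from
# the user range, pick one that fits your own numbering.
#
# Default list set by 901162 (note that multipart/mixed is absent, so an OData
# $batch request with "Content-Type: multipart/mixed; boundary=..." is blocked
# by 920420, which compares the lowercased media type before any ";" parameter
# against this list):
#   |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
#   |text/xml| |application/xml| |application/soap+xml| |application/json|
#   |application/cloudevents+json| |application/cloudevents-batch+json|

# Option 1: global override in crs-setup.conf. Uncomment rule 900220 and add
# multipart/mixed. Because 901162 only sets the default when the variable is
# still unset, the whole list must be spelled out here, not just the addition.
SecAction \
 "id:900220,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |multipart/mixed| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"

# Option 2 (narrower, preferred): only the $batch endpoint accepts multipart/mixed.
# Place this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs before
# 901162; every other path keeps the stock list. Again the full list is given,
# since 901162 will skip its default once the variable exists.
SecRule REQUEST_URI "@endsWith /$batch" \
 "id:10001,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |multipart/mixed| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
```

Either option only stops 920420 from blocking the request; it does not make the engine understand the body. ModSecurity's multipart body processor handles multipart/form-data only, so the individual requests inside a multipart/mixed batch are not split out into ARGS and are seen by the rule set solely as raw REQUEST_BODY. Prefer option 2, and if the API also offers the JSON batch format described in OData 4.01, steering clients to that format keeps the batch inspectable by the WAF's JSON processor without any allowlist change.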

@ralfhandl ralfhandl closed this as not planned Nov 20, 2024
@github-project-automation github-project-automation bot moved this from Open to Closed in OData TC Nov 20, 2024

2 participants