Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix error_page internal redirect false positive logging #204

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

jeremyjpj0916
Copy link

@jeremyjpj0916 jeremyjpj0916 commented May 22, 2020

Fixes: #182

Problem here was error_page redirects don't maintain original client request data. Hence ModSecurity has false information when evaluating the clients HTTP request a second time around during the request(HTTP Method Header is always reset to GET, URI is also not the original from client request). It is also inefficient to evaluate the request data a second time around after the internal redirect, hence cutting out those phases the second time around after the redirect makes sense and is a performance improvement.

To figure it out I was reviewing prior commits, specifically:

ce1d438

Which regarding this commit did indeed ensure the log phase still runs during error_page internal redirect, but just had not considered the implications of re-processing the NGX request phases(phases prior to the proxy_pass directive for instance) again.

Currently running these changes in our dev and stage environments personally. Will be pushing to our prod in the next week or so, will run as a fork until this is merged.

@jeremyjpj0916
Copy link
Author

jeremyjpj0916 commented May 28, 2020

@zimmerle @martinhsv @defanator @victorhora Any thoughts here?

Should be good to #ShipIt

@zimmerle zimmerle requested a review from defanator June 1, 2020 18:26
@jeremyjpj0916
Copy link
Author

still pending? oof.

@zimmerle
Copy link
Contributor

zimmerle commented Jul 3, 2020

@defanator Can you have a look at this?

@github-actions
Copy link

github-actions bot commented Aug 3, 2020

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

@jeremyjpj0916
Copy link
Author

Github bot being bad again 💀.

@martinhsv martinhsv reopened this Aug 17, 2020
@martinhsv martinhsv added nostale The label to apply when an issue is exempt from being marked stale and removed no-pr-activity labels Aug 17, 2020
@jeremyjpj0916
Copy link
Author

Can say I have ran this in my fork of code for a long time 10/10 does indeed work 😆 .

@defanator
Copy link
Collaborator

@jeremyjpj0916 copying here as well - it is believed that 4f26b48 should resolve at least some of observed misbehaviours reported in #182.

If it doesn't, I would appreciate a test case demonstrating the issue with minimal configuration involved.

@jeremyjpj0916
Copy link
Author

jeremyjpj0916 commented May 30, 2024

What was wrong with the simple original change from my PR to ignore processings on error_page redirects since ModSecurity will have the wrong context post an error_page redirect?

From my OP this is still relevant:

Problem here was error_page redirects don't maintain original client request data. Hence ModSecurity has false information when evaluating the clients HTTP request a second time around during the request(HTTP Method Header is always reset to GET, URI is also not the original from client request). It is also inefficient to evaluate the request data a second time around after the internal redirect, hence cutting out those phases the second time around after the redirect makes sense and is a performance improvement.

cc @airween

Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
nostale The label to apply when an issue is exempt from being marked stale work-in-progress
Projects
None yet
4 participants