8000 fix: ignore checking compressed response body by azurit · Pull Request #3712 · coreruleset/coreruleset · GitHub
fix: ignore checking compressed response body #3712


Merged (5 commits, Jun 19, 2024)

Conversation

@azurit (Member) commented May 23, 2024

As we decided on the last monthly chat, we are going to trust the Content-Encoding response header. This fix was supposed to deal only with rule 953120, but I think there is no sense in searching for any patterns in compressed data at all, so we should skip all rules dealing with RESPONSE_BODY. The current PR fixes this for 953* rules, but I suggest adding a similar skipping rule into all files with response rules (I can update this PR).

Fixes #2751.

@azurit (Member, Author) commented May 23, 2024

Is SecDisableBackendCompression also updating/removing Content-Encoding header?

@azurit azurit requested review from dune73 and fzipi May 23, 2024 08:58
@azurit (Member, Author) commented May 23, 2024

Just to be sure, I tested usage of Content-Encoding on Apache (should also be tested at least on nginx):

  • when compression is activated at the Apache level, RESPONSE_BODY is not compressed and the Content-Encoding header is added after ModSecurity (so modsec doesn't see it)
  • when compression is activated at the PHP level, RESPONSE_BODY is compressed and the Content-Encoding header is visible to ModSecurity

I can't test SecDisableBackendCompression though.
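A rule of the kind the opening comment describes, skipping every RESPONSE_BODY rule once the backend has signalled compression, as an added illustration; this is not the rule from this PR and not CRS code. The rule id 900999 and the marker name END-RESPONSE-BODY-RULES are placeholders, and the pattern assumes that an uncompressed body carries either no Content-Encoding header or the value `identity`:

```apache
# Added example (not the rule from PR #3712). If the backend already compressed
# the response, pattern-matching RESPONSE_BODY only produces false positives,
# so jump past the response-body rules. Rule id and marker are placeholders.
SecRule RESPONSE_HEADERS:Content-Encoding "!@rx ^identity$" \
    "id:900999,\
    phase:4,\
    pass,\
    t:none,t:lowercase,\
    nolog,\
    skipAfter:END-RESPONSE-BODY-RULES"

# ... response-body rules (for example the 953* family) go here ...

SecMarker "END-RESPONSE-BODY-RULES"
```

The rule only fires when the header is present and its value is not `identity`; with no header at all the variable is empty and the rule does nothing, so inspection proceeds as before. That matches the two cases observed above: when Apache compresses the response itself, the engine sees an uncompressed body and no header, and inspection still runs; when PHP compresses it, the header is visible and the body rules are skipped. Stripping Accept-Encoding and TE from the request, which is what SecDisableBackendCompression does, removes the need for the skip altogether because the backend never compresses.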

@fzipi (Member) commented May 23, 2024

What SecDisableBackendCompression does is just removing the Accept-Encoding and TE headers. See https://github.com/owasp-modsecurity/ModSecurity/blob/v2/master/apache2/mod_security2.c#L1114-L1117

@fzipi (Member) commented May 23, 2024

Note: because of how libmodsecurity3 works, the exact same thing can be achieved by the connector itself. Meaning you can remove those headers in nginx, for example, before passing it to modsec3, and it should have the same effect.

@fzipi (Member) left a review comment

Yeah, it doesn't make sense to run this if content is compressed.

@fzipi fzipi changed the title fix: resolving FPs with compressed response body fix: ignore checking compressed response body Jun 17, 2024
@fzipi fzipi added the release:new-feature This PR introduces a new feature label Jun 19, 2024
@fzipi fzipi added this pull request to the merge queue Jun 19, 2024
Merged via the queue into coreruleset:main with commit 818b31d Jun 19, 2024
6 checks passed
@azurit azurit deleted the PHPFP branch November 2, 2024 11:30
Successfully merging this pull request may close these issues.

FPs with rule 953120 for gzip data