
Lua engine (SecRuleScript) issue accessing entire collection #2900

Closed
airween opened this issue May 14, 2023 · 4 comments · Fixed by #2915

Comments

@airween
Member

airween commented May 14, 2023

Describe the bug

Seems like the Lua engine cannot access collections when using SecRuleScript.

Logs and dumps

debug.log:

[16840518365.411533] [/dump.php?a=<script] [4]  Executing script: /home/airween/src/coreruleset/test.lua.
[16840518365.411533] [/dump.php?a=<script] [1] 

error.log:

terminate called after throwing an instance of 'std::invalid_argument'
  what():  Variable not found.
2023/05/14 10:17:00 [alert] 33634#33634: worker process 33636 exited on signal 6

curl's output:

* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

To Reproduce

  • copy the second Lua script from here, which extracts ARGS: local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );
  • add the example directive to your config (based on the reference manual):
    SecRuleScript "/home/airween/src/coreruleset/test.lua" "id:1009,block"
    
  • send a request:
    curl -v "http://localhost/dump.php?a=<script"
    

Expected behavior

I tried this scenario with the same configuration with mod_security2 on Apache, and it works as well. The debug.log says:

Recipe: Invoking rule 7f409cc130f0; [file "/etc/modsecurity/crs/temp.conf"] [line "199"] [id "1009"].
Rule 7f409cc130f0: SecRuleScript "@" "phase:2,log,auditlog,id:1009,block"
Lua: Executing script: /home/airween/src/coreruleset/test.lua
T (0) lowercase: "<script"
T (0) htmlEntityDecode: "<script"
Lua: Script completed in 398 usec, returning: Suspected XSS in variable ARGS:a..
Warning. Suspected XSS in variable ARGS:a. [file "/etc/modsecurity/crs/temp.conf"] [line "199"] [id "1009"]
Rule returned 1.

Server (please complete the following information):

  • libmodsecurity 3.0.9 (2121938)
  • ModSecurity-nginx 1.0.3
  • nginx-1.18.0
  • Debian 11

Additional context

The original issue was described here.
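For readers who want to reproduce the steps above without following the link, here is an added example of the kind of SecRuleScript handler the report describes (written for this page, not copied from the linked source or the ModSecurity project). It assumes the script-side API the report uses (the m table with getvars and log, the { name, value } records returned by m.getvars); the stub at the bottom is a constructed stand-in so the file also runs under plain lua.

```lua
-- SecRuleScript entry point: scan every ARGS value for an XSS marker.
-- ModSecurity injects the "m" table (m.getvars, m.log) into the script's
-- environment; a non-nil return value means "rule matched" and becomes
-- the rule message seen in the Apache debug.log above.
function main()
    -- Whole-collection access: this is the call the report says fails
    -- under libmodsecurity 3.0.9 ("Variable not found", worker killed by SIGABRT).
    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" })

    for i = 1, #d do
        -- Plain (non-pattern) search so "<script" is matched literally.
        if string.find(d[i].value, "<script", 1, true) then
            -- Name the variable where the problem sits so the log is actionable.
            local msg = "Suspected XSS in variable " .. d[i].name .. "."
            m.log(1, msg)
            return msg
        end
    end

    -- Nothing suspicious found: nil means the rule does not match.
    return nil
end

-- Constructed offline stub (assumption; not part of ModSecurity). It mimics the
-- request from the report, /dump.php?a=<script, after the two transformations,
-- so the script can be exercised with: lua test.lua
if m == nil then
    m = {
        getvars = function(collection, transformations)
            return { { name = collection .. ":a", value = "<script" } }
        end,
        log = function(level, text)
            print("[" .. tostring(level) .. "] " .. text)
        end,
    }
    print(main())
end
```

Under ModSecurity the stub block is skipped because m already exists; only main() is used by the engine.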

@udi-aharon

I'm having the same problem.

@swzaaaaaaa

I'm having the same problem, too.

@airween
Member Author

airween commented May 26, 2023

I'm having the same problem.

@udi-aharon yes, this issue has been created based on your post on SO - see the link in the opening comment.

@martinhsv
Contributor

Thanks for the report.

While accessing non-collection variables works, and accessing individual items (by name) within a collection works ...

... retrieving an entire collection is not functioning as I would have expected.

@martinhsv martinhsv changed the title Lua engine issue with SecRuleScript Lua engine (SecRuleScript) issue accessing entire collection Jun 12, 2023