-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistent use of SecArgumentsLimit in Recommended Rules #3261
Comments
Hi @studersi, thanks for reporting this. You're completely right, it would be much better to make the both versions' default configuration files consistent. For the record: in libmodsecurity3 the initial set step of that variable is here. (This is a "compiled" code (by Bison), the original part is here). Would you mind to send a PR for v2 to fix this? My side note: I'm not sure this rule makes sense; if the engine is in |
I'm not sure I get your argument about the engine. All the blocking recommended rules do nothing unless you put the engine in - well - blocking mode. So what's the difference here? |
There is no difference, I just think it's a bit confuse that in the "recommended" configuration file we set the engine to "DetectionOnly" and add a rule without any notification that won't work after installation. My other comment regarding this rule that rule 200002 does (almost) the same (but in another way). If the I really don't know that rule |
@studersi, @dune73, @marcstern - what do you think guys, do we need rule 200007 in recommended |
I see the redundancy and keeping multiple values in sync is annoying. If we recommend 200007, then I think the comment for Also, I am not sure about the implications of the comment And is there any influence of the different body parsers on reqbody error and the argument limit behavior? |
SecArgumentsLimit + 200002 is better than 200007 because the former will stop the JSON parsing after X args (and JSON parsing is CPU-intensive). For other parsers, there's no difference (currently). |
Yes, for eg. JSON parser will stop too if it reaches the arglimit. (And the planned XML parser (under #3178) will follow this behavior too.) @marcstern is right, rule |
I agree that I wonder, whether this was added to log additional context for these requests as to why the request was blocked. If I remember correctly Having a dedicated error message might be very helpful when debugging these issues. |
That's a good thought. Would make sense. |
The REQBODY_ERROR is populated with the right error message ("SecArgumentsLimit exceeded" or "More than %ld JSON keys"). This variable should always be logged in case it's populated. |
In that case, I don't think I see any reason to keep |
Describe the bug
The limit
SecArgumentsLimit
is inconsistently used an documented.Logs and dumps
Not applicable.
To Reproduce
Not applicable.
Expected behavior
I would expect the recommended rules for v2.9.8 to also include the SecArgumentsLimit configuration, like 3.0.13.
Server (please complete the following information):
Rule Set (please complete the following information):
Additional context
The text was updated successfully, but these errors were encountered: