Various appsec fixes (#2742)
parent
e452dc80bd
commit
6acbcb0a33
|
@ -353,14 +353,18 @@ func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) {
|
||||||
w.InChan <- parsedRequest
|
w.InChan <- parsedRequest
|
||||||
|
|
||||||
response := <-parsedRequest.ResponseChannel
|
response := <-parsedRequest.ResponseChannel
|
||||||
|
statusCode := http.StatusOK
|
||||||
|
|
||||||
if response.InBandInterrupt {
|
if response.InBandInterrupt {
|
||||||
|
statusCode = http.StatusForbidden
|
||||||
AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc()
|
AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc()
|
||||||
}
|
}
|
||||||
|
|
||||||
appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger)
|
appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger)
|
||||||
logger.Debugf("Response: %+v", appsecResponse)
|
logger.Debugf("Response: %+v", appsecResponse)
|
||||||
rw.WriteHeader(appsecResponse.HTTPStatus)
|
|
||||||
body, err := json.Marshal(BodyResponse{Action: appsecResponse.Action})
|
rw.WriteHeader(statusCode)
|
||||||
|
body, err := json.Marshal(appsecResponse)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Errorf("unable to marshal response: %s", err)
|
logger.Errorf("unable to marshal response: %s", err)
|
||||||
rw.WriteHeader(http.StatusInternalServerError)
|
rw.WriteHeader(http.StatusInternalServerError)
|
||||||
|
|
|
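Review bot: `rw.WriteHeader(statusCode)` is now called before `json.Marshal(appsecResponse)`, so the `rw.WriteHeader(http.StatusInternalServerError)` on the marshal-error path is a no-op: net/http ignores a second WriteHeader (it logs "superfluous response.WriteHeader call") and the client has already received 200 or 403 with, presumably, no body. Move the status write after the error check: `body, err := json.Marshal(appsecResponse)` / `if err != nil { … }` / `rw.WriteHeader(statusCode)`. I cannot see from the hunk whether the error branch returns or whether a Content-Type header is set for the JSON body; appsecHandler continues outside the hunk.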
@ -119,6 +119,11 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
|
||||||
defer func() {
|
defer func() {
|
||||||
request.Tx.ProcessLogging()
|
request.Tx.ProcessLogging()
|
||||||
//We don't close the transaction here, as it will reset coraza internal state and break variable tracking
|
//We don't close the transaction here, as it will reset coraza internal state and break variable tracking
|
||||||
|
|
||||||
|
err := r.AppsecRuntime.ProcessPostEvalRules(request)
|
||||||
|
if err != nil {
|
||||||
|
r.logger.Errorf("unable to process PostEval rules: %s", err)
|
||||||
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
//pre eval (expr) rules
|
//pre eval (expr) rules
|
||||||
|
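Review bot: The reason ProcessPostEvalRules now runs from the deferred closure deserves a comment next to the call, because a reader of this hunk alone sees a rule stage executed after ProcessLogging with its error only logged: `// PostEval rules run from the defer so they apply on every return path (early returns included); an error cannot be returned from here, so it is only logged`. The removal of the original call at the end of processRequest (the -182,11 hunk) is the other half of this change. A small style point: `if err := r.AppsecRuntime.ProcessPostEvalRules(request); err != nil {` keeps err scoped to the check. processRequest's signature and most of its body lie outside the hunk.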
@ -182,11 +187,6 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap
|
||||||
r.logger.Debugf("rules matched for body : %d", in.RuleID)
|
r.logger.Debugf("rules matched for body : %d", in.RuleID)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = r.AppsecRuntime.ProcessPostEvalRules(request)
|
|
||||||
if err != nil {
|
|
||||||
r.logger.Errorf("unable to process PostEval rules: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -272,7 +272,7 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) {
|
||||||
r.logger.Errorf("unable to accumulate tx to event : %s", err)
|
r.logger.Errorf("unable to accumulate tx to event : %s", err)
|
||||||
}
|
}
|
||||||
if in := request.Tx.Interruption(); in != nil {
|
if in := request.Tx.Interruption(); in != nil {
|
||||||
r.logger.Debugf("inband rules matched : %d", in.RuleID)
|
r.logger.Debugf("outband rules matched : %d", in.RuleID)
|
||||||
r.AppsecRuntime.Response.OutOfBandInterrupt = true
|
r.AppsecRuntime.Response.OutOfBandInterrupt = true
|
||||||
|
|
||||||
err = r.AppsecRuntime.ProcessOnMatchRules(request, evt)
|
err = r.AppsecRuntime.ProcessOnMatchRules(request, evt)
|
||||||
|
|
|
@ -174,7 +174,8 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" {
|
//Don't update IP on HEAD request, as it's used by the appsec to check the validity of the API key provided
|
||||||
|
if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" && c.Request.Method != http.MethodHead {
|
||||||
log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
|
log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress)
|
||||||
|
|
||||||
if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {
|
if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {
|
||||||
|
|
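Review bot: Adding `c.Request.Method != http.MethodHead` to the outer condition exempts HEAD requests from the IP-change warning as well as from the database update, so a key presented over HEAD from an unexpected source now leaves no trace in the logs, and the exemption is keyed on the method alone rather than on the appsec's validity check specifically. If the goal is only to keep the appsec's HEAD probe from overwriting the stored bouncer IP, keep the outer check as it was and guard just the update with `if c.Request.Method != http.MethodHead {` around `if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {`; if the warning would then be too noisy at HEAD frequency, log it at debug level for HEAD. `c.ClientIP()` is also evaluated three times here and could be read once into a local. The body of the update branch and the rest of MiddlewareFunc continue outside the hunk.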