Welcome! Log In Create A New Profile

Advanced

Funny ngy_lua outcome

Nginx User
October 23, 2011 10:22AM
SETUP
***CONF FILE***
server {
location @proxy {
access_by_lua_file '/etc/nginx/firewall.lua';
proxy_cache proxy.capture360.net;
proxy_pass http://127.0.0.1:8080;
include /etc/nginx/proxy.default;
}
location /error_docs {
internal;
alias /usr/share/nginx/html;

sub_filter '<!-- SubTag -->' '$host';
sub_filter_once off;
}
location @pretty_urls {
# -- Several rewrite X Y break lines

rewrite_by_lua 'ngx.exec("@proxy");';
}
location / {
try_files $uri $uri/ @pretty_urls;
}
location ~ .+\.php$ {
location ~ \..*/.*\.php$ { return 400; }
rewrite_by_lua 'ngx.exec("@proxy");';
}
}


***FIREWALL.LUA***
-- F. Check "GET" Args
if ngx.var.request_method == "GET" then
local args = ngx.req.get_uri_args()
for key, val in pairs(args) do
if type(val) == "table" then
my_arg = table.concat(val, " ")
else
my_arg = val
end
if my_arg and my_arg ~= "" and type(my_arg) ~= "boolean" then
rule_id = regex_rules.check()
if rule_id then
ngx.log(ngx.INFO, "Firewall Match: Rule " .. rule_id .. " on
POST: " .. my_arg)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
end
end
end

-- G. Check "POST" Args
if ngx.var.request_method == "POST" then
ngx.req.read_body()
local args = ngx.req.get_post_args()
for key, val in pairs(args) do
if type(val) == "table" then
my_arg = table.concat(val, " ")
else
my_arg = val
end
if my_arg and my_arg ~= "" and type(my_arg) ~= "boolean" then
rule_id = regex_rules.check()
if rule_id then
ngx.log(ngx.INFO, "Firewall Match: Rule " .. rule_id .. " on
POST: " .. my_arg)
ngx.exit(ngx.HTTP_BAD_REQUEST)
end
end
end
ngx.req.discard_body()
end

***REGEX_RULES.LUA***
module("regex_rules", package.seeall)
function check()
-- <id>00</id>
local query_string = "//"
local query_match = ngx.re.match(my_arg, query_string, "io")
-- generic attacks
-- <impact>9</impact>
if query_match then
return "00"
end
-- <id>01</id>
local query_string = "(?:\"[^\"]*[^-]?>)|(?:[^\\\w\\\s]\\\s*\\\/>)|(?:>\")"
local query_match = ngx.re.match(my_arg, query_string, "io")
-- finds html breaking injections including whitespace attacks -- xss -- csrf
-- <impact>4</impact>
if query_match then
return "01"
end
......


ISSUES
1. A googlebot visit while testing a post string designed to be
blocked "language=vbscript" is also blocked as the googlebot request
is also tested against the same string.

2. Despite the "return id" line, the regex rules are run to the end.
I.E., if there is a match on Rule 02, the rest are still run anyway
and only after the last is evaluated is the 400 error returned.

3. The log from "ngx.log" does not seem to be produced.


COMMENTARY
Abridged debug log with commentary here: http://pastebin.com/A0cXpHwg
(Lost the one with thegooglebot issue)

Issue 1 seems to be a variable scope issue with "my_arg" but when I
use"local" regex_rules.check() gets fed a blank.

Could the log thing be a level issue? I.E. "ngx.INFO" is too low??

Thanks

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Funny ngy_lua outcome

Nginx User October 23, 2011 10:22AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 160
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready