Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restricts MatchedRule list to rules with log directive #840

Closed
wants to merge 4 commits into from
Closed

Restricts MatchedRule list to rules with log directive #840

wants to merge 4 commits into from

Conversation

M4tteoP
Copy link
Member

@M4tteoP M4tteoP commented Jul 6, 2023

closes #839

@M4tteoP M4tteoP changed the title only rules with log are added to matchdata Restricts matchdata list to rules with log directive Jul 6, 2023
M4tteoP
M4tteoP commented Jul 6, 2023
View reviewed changes
internal/seclang/rules_test.go Outdated
@@ -171,7 +171,8 @@ func TestRuleLogging(t *testing.T) {
tx.AddGetRequestArgument("test1", "123")
tx.AddGetRequestArgument("test2", "456")
tx.ProcessRequestHeaders()
if len(tx.MatchedRules()) != 3 {
// Only rules with log action are added to the matched rules, therefore we expect 2 occurrences
if len(tx.MatchedRules()) != 2 {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test was testing that 3 rules were triggered (and added to matched rules, but only 2 logged something. With the new logic, also the intent of it changes a bit

M4tteoP
M4tteoP commented Jul 6, 2023
View reviewed changes
internal/corazawaf/transaction.go Outdated
tx.WAF.ErrorLogCb(mr)
if r.Log {
// Only rules with log data will added to the matchedRules list
tx.matchedRules = append(tx.matchedRules, mr)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Main change

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we not return from the top ... if r.Log is not there why to do even some processing (a debug log will help for those cases where a rule has an action but log -- possibly will be atypo only :)) -- cannot see anything obvious breaking here if we exit right from start

jptosso
jptosso approved these changes Jul 6, 2023
View reviewed changes
Copy link
Member

@jptosso jptosso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expected more difficulties for this change 😅 lgtm

@M4tteoP
Copy link
Member Author

M4tteoP commented Jul 6, 2023

@jptosso That's why I opened it as a draft, I want to double-check that it is "just this" 😂

@jptosso
Copy link
Member

jptosso commented Jul 6, 2023

We should work on the concepts
Matched rules are all rules that were triggered and matched an operator, including sec actions.
But it is a waste of resources, as most crs rules are just settings, wasting a lot of allocations. Maybe we should rename matched rules into something like LoggedRules.
In the meantime I'm ok with ignoring nolog rules.

@codecov
Copy link

codecov bot commented Jul 6, 2023
edited
Loading

Codecov Report

Patch coverage: 79.84% and project coverage change: +0.06 🎉

Comparison is base (1b8a007) 81.51% compared to head (c315df8) 81.58%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #840      +/-   ##
==========================================
+ Coverage   81.51%   81.58%   +0.06%     
==========================================
  Files         158      159       +1     
  Lines        8947     9007      +60     
==========================================
+ Hits         7293     7348      +55     
- Misses       1408     1412       +4     
- Partials      246      247       +1
Flag Coverage Δ
default 76.63% <81.74%> (+0.45%) ⬆️
examples 25.53% <17.07%> (+0.01%) ⬆️
ftw 46.87% <41.46%> (-0.22%) ⬇️
ftw-multiphase 48.99% <41.46%> (-0.24%) ⬇️
tinygo 74.84% <96.47%> (+2.61%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
http/e2e/cmd/httpe2e/main.go 0.00% <ø> (ø)
internal/actions/allow.go 100.00% <ø> (ø)
internal/actions/auditlog.go 72.72% <ø> (ø)
internal/actions/block.go 100.00% <ø> (ø)
internal/actions/capture.go 100.00% <ø> (ø)
internal/actions/chain.go 100.00% <ø> (ø)
internal/actions/ctl.go 92.87% <ø> (ø)
internal/actions/deny.go 84.21% <ø> (ø)
internal/actions/drop.go 84.21% <ø> (ø)
internal/actions/exec.go 70.00% <ø> (ø)
... and 32 more

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@jcchavezs
Copy link
Member

Can we turn this into ready for review? also would like to have a second eye from @airween @dune73

@M4tteoP M4tteoP marked this pull request as ready for review July 7, 2023 07:59
@M4tteoP M4tteoP requested a review from a team as a code owner July 7, 2023 07:59
@dune73
Copy link

dune73 commented Jul 7, 2023

I can not contribute with a code review, but if you can explain me what's up, I can at least comment from a conceptional perspective. Please start by explaining "matchdata list".

@M4tteoP M4tteoP changed the title Restricts matchdata list to rules with log directive Restricts MatchedRule list to rules with log directive Jul 7, 2023
@M4tteoP
Copy link
Member Author

M4tteoP commented Jul 7, 2023

Hey @dune73, thanks for chiming in. "matchdata list" in the title was actually not the right term (updated now), it rather is currently the MatchedRule list, a list of all the rules that matched during a transaction.
A user running CRS v4.0 rc1 reported that this list (which can be accessed by the connector) is filled by many rules related to setting variables and configuring CRS elements (E.g. any rule related to checking the TX:EXECUTING_PARANOIA_LEVEL).
The idea which this PR implements, is to include in this list only the rules marked with a log action. Just like @jptosso told a few comments above : this list would become a list of logged rules rather than the full list of matched rules

@dune73
Copy link

dune73 commented Jul 7, 2023

Got you. I presume this list is coraza-specific and that's why I do not know it?

Based on your explanation, I presume that a blocking rule with nolog would not make it into the list. Could that lead to problems?

@jcchavezs
Copy link
Member

@M4tteoP could you please backchannel @dune73 on this?

@M4tteoP M4tteoP mentioned this pull request Jul 20, 2023
Merged
@M4tteoP
Copy link
Member Author

M4tteoP commented Jul 20, 2023

Giving to it a second thought, I don't think that adding an exception like this altering the concept of the MatchedRule list is great. Just like Christian's corner case, there might be others that we might don't take into account leading to misunderstandings or wrong behaviors.

Following an offline conversation with @jptosso, this PR is going to be superseded by #848. We aim to keep MatchedRule as it is but rather provide ways to filter the matched rules for advanced use cases. Looking forward to feedback on it!

@M4tteoP M4tteoP closed this Jul 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshi-mohit joshi-mohit joshi-mohit left review comments

@jcchavezs jcchavezs jcchavezs approved these changes

@jptosso jptosso jptosso approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MatchedRules filled by rules without log directive
5 participants
@M4tteoP @jptosso @jcchavezs @dune73 @joshi-mohit