Skip to content
This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Escaping rules via NULL value in json. #525

Merged
merged 3 commits into from
Sep 25, 2020
Merged

Escaping rules via NULL value in json. #525

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
715accc
formatting.
Sep 25, 2020
a9dc7cd
Removing null bytes from json value.
Sep 25, 2020
0da22ff
Avoid searching for null if you know the length.
Sep 25, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 10 additions & 5 deletions naxsi_src/naxsi_json.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -276,20 +276,24 @@ ngx_http_nx_json_obj(ngx_json_t* js)
case '{': /* sub-object */
js->depth++;
ngx_http_nx_json_obj(js);
if (js->c != '}')
if (js->c != '}') {
return (NGX_ERROR);
}
js->off++;
js->depth--;
break;
case '"': /* key : value, extract and parse. */
if (ngx_http_nx_json_quoted(js, &(js->ckey)) != NGX_OK)
if (ngx_http_nx_json_quoted(js, &(js->ckey)) != NGX_OK) {
return (NGX_ERROR);
if (ngx_http_nx_json_seek(js, ':'))
}
if (ngx_http_nx_json_seek(js, ':')) {
return (NGX_ERROR);
}
js->off++;
ngx_http_nx_json_forward(js);
if (ngx_http_nx_json_val(js) != NGX_OK)
if (ngx_http_nx_json_val(js) != NGX_OK) {
return (NGX_ERROR);
}
}
ngx_http_nx_json_forward(js);
/* another element ? */
Expand Down Expand Up @@ -341,7 +345,8 @@ ngx_http_naxsi_json_parse(ngx_http_request_ctx_t* ctx,
"nx_json_val returned error, apply invalid_json.");
}
ngx_http_nx_json_forward(js);
if (js->off != js->len)
if (js->off != js->len) {
ngx_http_apply_rulematch_v_n(&nx_int__invalid_json, ctx, r, NULL, NULL, BODY, 1, 0);
}
return;
}
2 changes: 2 additions & 0 deletions naxsi_src/naxsi_runtime.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1836,6 +1836,8 @@ ngx_http_basestr_ruleset_n(ngx_pool_t* pool,
ngx_int_t nb_match = 0;
ngx_http_custom_rule_location_t* location;

naxsi_escape_nullbytes(value);

NX_DEBUG(_debug_basestr_ruleset,
NGX_LOG_DEBUG_HTTP,
req->connection->log,
Expand Down
22 changes: 14 additions & 8 deletions naxsi_src/naxsi_utils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,19 +14,23 @@ char*
strnchr(const char* s, int c, int len)
{
int cpt;
for (cpt = 0; cpt < len && s[cpt]; cpt++)
if (s[cpt] == c)
for (cpt = 0; cpt < len; cpt++) {
if (s[cpt] == c) {
return ((char*)s + cpt);
}
}
return (NULL);
}

static char*
strncasechr(const char* s, int c, int len)
{
int cpt;
for (cpt = 0; cpt < len && s[cpt]; cpt++)
if (tolower(s[cpt]) == c)
for (cpt = 0; cpt < len; cpt++) {
if (tolower(s[cpt]) == c) {
return ((char*)s + cpt);
}
}
return (NULL);
}

Expand All @@ -44,13 +48,15 @@ strfaststr(unsigned char* haystack, unsigned int hl, unsigned char* needle, unsi
end = (char*)haystack + hl;
while (cpt < end) {
found = strncasechr((const char*)cpt, (int)needle[0], hl);
if (!found)
if (!found) {
return (NULL);
if (nl == 1)
}
if (nl == 1) {
return (found);
if (!strncasecmp((const char*)found + 1, (const char*)needle + 1, nl - 1))
}
if (!strncasecmp((const char*)found + 1, (const char*)needle + 1, nl - 1)) {
return ((char*)found);
else {
} else {
if (found + nl >= end)
break;
if (found + nl < end) {
Expand Down
80 changes: 72 additions & 8 deletions t/14json.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -782,14 +782,14 @@ include /tmp/naxsi_ut/naxsi_core.rules;
set $naxsi_extensive_log 1;
location / {
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
error_page 405 = $uri;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
error_page 405 = $uri;
}
location /RequestDenied {
return 412;
Expand All @@ -803,3 +803,67 @@ use URI::Escape;
\"number\": -2.806683719414e-14
}"
--- error_code: 200


=== JSON15 : JSON with XSS.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
location / {
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
error_page 405 = $uri;
}
location /RequestDenied {
return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
use URI::Escape;
"POST /
{
\"MyKey\": \"MyValue <script>alert('1')</script>\"
}"
--- error_code: 412


=== JSON16 : Null char in JSON with XSS.
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
set $naxsi_extensive_log 1;
location / {
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
root $TEST_NGINX_SERVROOT/html/;
index index.html index.htm;
error_page 405 = $uri;
}
location /RequestDenied {
return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
use URI::Escape;
"POST /
{
\"MyKey\": \"MyValue \0 <script>alert('1')</script>\"
}"
--- error_code: 412