This repository has been archived by the owner on Nov 2, 2023. It is now read-only.

Enable partial instrumentation of Echo #152

Merged: 1 commit, Sep 21, 2020

Julio-Guerra (Collaborator)

Enable partial instrumentation of Echo in order to run the In-App WAF when the body is parsed into a Go object. This is achieved thanks to a security rule dynamically attaching the In-App WAF to Echo's Bind() method.

Julio-Guerra added the `enhancement` label Sep 21, 2020
Julio-Guerra added this to the v0.16.0 milestone Sep 21, 2020
Julio-Guerra merged commit bc2b88f into dev Sep 21, 2020
Julio-Guerra deleted the feature/echo-instrumentation branch September 21, 2020 15:28
Julio-Guerra pushed a commit that referenced this pull request Sep 22, 2020
New Feature:

- (#152, #155) Add In-App WAF protection to Echo's request parameter parser:
  [`Context`](https://pkg.go.dev/github.com/labstack/echo/v4#Context)'s method
  `Bind()` is now protected by the In-App WAF. The Go value it parses from the
  HTTP request is made available to the In-App WAF rules via the
  `GET/POST parameters` field.
  When blocked, `Bind()` returns a non-nil [`SqreenError` value](https://godoc.org/github.com/sqreen/go-agent/sdk/types#SqreenError)
  and its caller should immediately return.
  Read more about the blocking behavior of Sqreen for Go at <https://docs.sqreen.com/go/integration>.

Fix:

- (#153) RASP shellshock: properly handle environment variables containing
  variable definitions (e.g. `TERMCAP`).
Julio-Guerra self-assigned this Sep 29, 2020
Julio-Guerra pushed a commit to amnay-mo/go-agent that referenced this pull request Sep 30, 2020
New Feature:

- (sqreen#152, sqreen#155) Add In-App WAF protection to Echo's request parameter parser:
  [`Context`](https://pkg.go.dev/github.com/labstack/echo/v4#Context)'s method
  `Bind()` is now protected by the In-App WAF. The Go value it parses from the
  HTTP request is made available to the In-App WAF rules via the
  `GET/POST parameters` field.
  When blocked, `Bind()` returns a non-nil [`SqreenError` value](https://godoc.org/github.com/sqreen/go-agent/sdk/types#SqreenError)
  and its caller should immediately return.
  Read more about the blocking behavior of Sqreen for Go at <https://docs.sqreen.com/go/integration>.

Fix:

- (sqreen#153) RASP shellshock: properly handle environment variables containing
  variable definitions (e.g. `TERMCAP`).
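
The caller-side pattern the changelog entry describes (return as soon as `Bind()` reports an error), as an added example that is not code from this pull request or from the Sqreen agent. It uses only the Go standard library: `protectedBind`, `errBlocked`, the `comment` type and the `<script` rule are hypothetical stand-ins for the instrumented `Bind()`, the `SqreenError` value and an In-App WAF rule, and the request bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errBlocked = errors.New("request blocked") // stand-in for the agent's blocking error

type comment struct {
	Author string `json:"author"`
	Text   string `json:"text"`
}
var stored []comment // side effect that must never happen for a blocked request

// protectedBind parses the body into a Go value, then lets a rule inspect the parsed field.
func protectedBind(r *http.Request, v *comment) error {
	if err := json.NewDecoder(r.Body).Decode(v); err != nil {
		return err
	}
	if strings.Contains(strings.ToLower(v.Text), "<script") { // constructed sample rule
		return errBlocked
	}
	return nil
}

// handle mirrors an Echo-style handler: any Bind error ends the handler before v is used.
func handle(r *http.Request) (string, error) {
	var v comment
	if err := protectedBind(r, &v); err != nil {
		return "", err
	}
	stored = append(stored, v)
	return fmt.Sprintf("saved comment by %s", v.Author), nil
}

// post builds a constructed JSON POST request and runs the handler on it.
func post(body string) (string, error) {
	return handle(httptest.NewRequest(http.MethodPost, "/comments", strings.NewReader(body)))
}

func main() {
	fmt.Println(post(`{"author":"ann","text":"nice post"}`))
	fmt.Println(post(`{"author":"bob","text":"<script>x</script>"}`))
}
```

Because the rule runs on the parsed value, the handler never needs to distinguish a parse failure from a block to stay safe: both paths return before the value is stored.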