feat(appsec): Handle max body action and multipart (upload) requests (#…

…158) * feat(appsec): Handle max body size and upload request * docs(user guide): Update AppSec component doc * ci(test): Remove api debug as it cause failure when filling large input * fix(multisite): Add missing appsec settings for multisite * ci(multisite): Fix for site 2 and appsec
crowdsecurity · Oct 24, 2024 · 3a54ee6 · 3a54ee6
1 parent ed00caa
commit 3a54ee6
Show file tree

Hide file tree

Showing 50 changed files with 902 additions and 145 deletions.
diff --git a/.github/workflows/end-to-end-auto-prepend-test-suite.yml b/.github/workflows/end-to-end-auto-prepend-test-suite.yml
@@ -96,7 +96,9 @@ jobs:
       - name: Prepare for playwright test
         run: |
           ddev exec -s crowdsec apk add iproute2
+          cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
           cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" - 
+          cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" -
           ddev wp rewrite structure "/%postname%/"
           mkdir -p crowdsec/tls
           mkdir -p crowdsec/geolocation

diff --git a/.github/workflows/end-to-end-multisite.yml b/.github/workflows/end-to-end-multisite.yml
@@ -109,6 +109,9 @@ jobs:
       - name: Prepare for playwright test
         run: |
           ddev exec -s crowdsec apk add iproute2
+          cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
+          cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --url='https://${{ env.WP_VERSION_CODE }}.ddev.site/site1' --post_type=page --post_status=publish --post_title="AppSec Upload" -
+          cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --url='https://${{ env.WP_VERSION_CODE }}.ddev.site/site2' --post_type=page --post_status=publish --post_title="AppSec Upload" -
           cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --url='https://${{ env.WP_VERSION_CODE }}.ddev.site/site1' --post_type=page --post_status=publish --post_title="AppSec" - 
           cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --url='https://${{ env.WP_VERSION_CODE }}.ddev.site/site2' --post_type=page --post_status=publish --post_title="AppSec" - 
           ddev wp rewrite structure "/%postname%/" --url='https://${{ env.WP_VERSION_CODE }}.ddev.site/site1'

diff --git a/.github/workflows/end-to-end-test-suite.yml b/.github/workflows/end-to-end-test-suite.yml
@@ -113,7 +113,9 @@ jobs:
       - name: Prepare for playwright test
         run: |
           ddev exec -s crowdsec apk add iproute2
+          cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
           cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" - 
+          cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" -
           ddev wp rewrite structure "/%postname%/"
           mkdir -p crowdsec/tls
           mkdir -p crowdsec/geolocation

diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
@@ -133,6 +133,8 @@ jobs:
       - name: Prepare for playwright test
         run: |
           ddev exec -s crowdsec apk add iproute2
+          cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
+          cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" -
           cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" -
           ddev wp rewrite structure "/%postname%/"
           mkdir -p crowdsec/tls

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -261,6 +261,8 @@ jobs:
             - name: Prepare for playwright test
               run: |
                   ddev exec -s crowdsec apk add iproute2
+                  cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
+                  cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" -
                   cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" -
                   ddev wp rewrite structure "/%postname%/"
                   mkdir -p crowdsec/tls

diff --git a/composer.json b/composer.json
@@ -19,7 +19,7 @@
 		}
 	},
 	"require": {
-		"crowdsec/bouncer": "^3.0.0",
+		"crowdsec/bouncer": "^3.2.0",
 		"symfony/cache": "5.4.40",
 		"symfony/polyfill-mbstring": "^1.31.0",
 		"symfony/service-contracts": "^2.5.3"

diff --git a/composer.lock b/composer.lock
diff --git a/docs/DEVELOPER.md b/docs/DEVELOPER.md
@@ -161,11 +161,14 @@ tar -xf GeoLite2-Country.tar.gz
 tar -xf GeoLite2-City.tar.gz
 ```
 
-For AppSec post request test, we are using a custom page. You have to create this page in your WordPress site: 
+For AppSec post request test, we are using a custom pages. You have to create these page in your WordPress site: 
 
 ```bash
 cd wp-sources
-cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" -   
+cp .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/php/wp_appsec_custom_upload.php wp_appsec_custom_upload.php
+cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-upload.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec Upload" -
+cat .ddev/okaeli-add-on/wordpress/custom_files/crowdsec/html/appsec-post.html | ddev wp post create --post_type=page --post_status=publish --post_title="AppSec" -
+ddev wp rewrite structure "/%postname%/"
 ```  
 
 

diff --git a/docs/USER_GUIDE.md b/docs/USER_GUIDE.md
@@ -305,13 +305,13 @@ For more information on the AppSec component, please refer to the [documentation
 
 ---
 
-`AppSec component → AppSec Url `
+`AppSec component → Url `
 
 Your AppSec component url. Default to `http://localhost:7422`
 
 ---
 
-`AppSec component → AppSec request timeout`
+`AppSec component → Request timeout`
 
 Maximum execution time (in milliseconds) for an AppSec request.
 
@@ -321,14 +321,36 @@ Default to 400.
 
 ---
 
-`AppSec component → AppSec Fallback to`
+`AppSec component → Fallback to`
 
 What remediation to apply when AppSec call has failed due to a timeout.
 
 Recommended: `captcha`. Default: `bypass`.
 
 ---
 
+`AppSec component → Maximum body size`
+
+Maximum size of the request body (in KB). Default to 1024.
+
+If exceeded, the action defined below will be applied.
+
+---
+
+`AppSec component → Body size exceeded action`
+
+Action to take when the request body size exceeds the maximum body size.
+
+Default to `headers_only`.
+
+- `Headers Only`: (recommended) Only headers of the original request are sent to the AppSec component. The body is not sent.
+- `Block`: The request is considered as malicious and a ban remediation is returned, without calling AppSec.
+- `Allow`: (not recommended): The request is considered as clean and a bypass remediation is returned, without calling AppSec.
+
+---
+
+
+
 ![Remediation](images/screenshots/config-remediations.jpg)
 
 ***
@@ -528,9 +550,11 @@ Here are some examples of how to set options with the `WP-CLI` tool.
 | `Memcached DSN (if applicable)`:warning:                     | <code>echo -n &quot;memcached://localhost:11211&quot; \| wp option set crowdsec_memcached_dsn</code> |
 | **Advanced settings** → *AppSec component*                   |                                                              |
 | `Enable AppSec`                                              | - <code>wp option set crowdsec_use_appsec on</code><br />- <code>echo -n &quot;&quot; \| wp option set crowdsec_use_appsec</code> |
-| `AppSec Url`                                                 | `wp option set crowdsec_appsec_url http://localhost:7422`    |
-| `AppSec request timeout`                                     | `wp option set crowdsec_appsec_timeout_ms 150`               |
-| `AppSec Fallback to`                                         | - <code>wp option set crowdsec_appsec_fallback_remediation ban</code><br />- <code>wp option set crowdsec_appsec_fallback_remediation captcha</code><br />- <code>wp option set crowdsec_appsec_fallback_remediation bypass</code> |
+| `Url`                                                        | `wp option set crowdsec_appsec_url http://localhost:7422`    |
+| `Request timeout`                                            | `wp option set crowdsec_appsec_timeout_ms 150`               |
+| `Fallback to`                                                | - <code>wp option set crowdsec_appsec_fallback_remediation ban</code><br />- <code>wp option set crowdsec_appsec_fallback_remediation captcha</code><br />- <code>wp option set crowdsec_appsec_fallback_remediation bypass</code> |
+| `Maximum body size`                                          | `wp option set crowdsec_appsec_max_body_size_kb 2048`        |
+| `Body size exceeded action`                                  | - <code>wp option set crowdsec_appsec_body_size_exceeded_action headers_only</code><br />- <code>wp option set crowdsec_appsec_body_size_exceeded_action block</code><br />- <code>wp option set crowdsec_appsec_body_size_exceeded_action allow</code> |
 | **Advanced settings** → *Remediation*                        |                                                              |
 | `Fallback to`                                                | - <code>wp option set crowdsec_fallback_remediation ban</code><br />- <code>wp option set crowdsec_fallback_remediation captcha</code><br />- <code>wp option set crowdsec_fallback_remediation bypass</code> |
 | `Trust these CDN IPs (or Load Balancer, HTTP Proxy)`         | When the `crowdsec_trust_ip_forward` is set, the `crowdsec_trust_ip_forward_array` is populated with a serialized array of comparable IPs.<br />Thus, to maintain consistency between admin display and database data, you should update the 2 options: <br />`wp option set crowdsec_trust_ip_forward 1.2.3.4`<br />`wp option set crowdsec_trust_ip_forward_array --format=json '[["001.002.003.004","001.002.003.004"]]'` |

diff --git a/docs/images/screenshots/config-appsec.png b/docs/images/screenshots/config-appsec.png