feat(appsec): Handle multipart request (#25)

* feat(appsec): Handle raw body for uploads

* test(end to end): Add test for AppSec upload

* test(end to end): Add test for AppSec too big body post

* style(*): Pass through code format tools

* feat(appsec): Use lib helper to build raw body from superglobals

* feat(*): Prepare release 1.3.0

Author: julienloizelet

.github/workflows/coding-standards.yml

@@ -114,5 +114,5 @@ jobs:
         if: github.event.inputs.coverage_report == 'true'
         run: |
           ddev xdebug
-          ddev exec XDEBUG_MODE=coverage BOUNCER_KEY=${{ env.BOUNCER_KEY }} AGENT_TLS_PATH=/var/www/html/cfssl LAPI_URL=https://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./${{env.EXTENSION_PATH}}/tools/coding-standards/vendor/bin/phpunit --configuration ./${{env.EXTENSION_PATH}}/tools/coding-standards/phpunit/phpunit.xml --coverage-text=./${{env.EXTENSION_PATH}}/coding-standards/phpunit/code-coverage/report.txt
+          ddev exec XDEBUG_MODE=coverage BOUNCER_KEY=${{ env.BOUNCER_KEY }} APPSEC_URL=http://crowdsec:7422 AGENT_TLS_PATH=/var/www/html/cfssl LAPI_URL=https://crowdsec:8080 MEMCACHED_DSN=memcached://memcached:11211 REDIS_DSN=redis://redis:6379 /usr/bin/php ./${{env.EXTENSION_PATH}}/tools/coding-standards/vendor/bin/phpunit --configuration ./${{env.EXTENSION_PATH}}/tools/coding-standards/phpunit/phpunit.xml --coverage-text=./${{env.EXTENSION_PATH}}/coding-standards/phpunit/code-coverage/report.txt
           cat ${{env.EXTENSION_PATH}}/coding-standards/phpunit/code-coverage/report.txt   

.github/workflows/test-suite.yml

@@ -503,6 +503,38 @@ jobs:
             exit 1
           fi
 
+      - name: Run "AppSec upload" test
+        run: |
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
+          # Set block as AppSec action
+          sed -i  's/\x27appsec_body_size_exceeded_action\x27 => \x27headers_only\x27/\x27appsec_body_size_exceeded_action\x27 => \x27block\x27/g' scripts/settings.php
+          cat scripts/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/
+          ./__scripts__/run-tests.sh ci "./__tests__/12-appsec-upload.js"
+          PENDING_TESTS=$(grep -oP '"numPendingTests":\K(.*),"numRuntimeErrorTestSuites"' .test-results.json | sed  's/,"numRuntimeErrorTestSuites"//g')
+          if [[ $PENDING_TESTS == "0" ]]
+          then
+            echo "No pending tests: OK"
+          else
+            echo "There are pending tests: $PENDING_TESTS (KO)"
+            exit 1
+          fi
+
+      - name: Run "AppSec POST too big body" test
+        run: |
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}
+          sed -i  's/\x27appsec_max_body_size_kb\x27 => 1024/\x27appsec_max_body_size_kb\x27 => 1/g' scripts/settings.php
+          cat scripts/settings.php
+          cd ${{ github.workspace }}/${{env.EXTENSION_PATH}}/tests/end-to-end/
+          ./__scripts__/run-tests.sh ci "./__tests__/11-appsec-max-body-ban.js"
+          PENDING_TESTS=$(grep -oP '"numPendingTests":\K(.*),"numRuntimeErrorTestSuites"' .test-results.json | sed  's/,"numRuntimeErrorTestSuites"//g')
+          if [[ $PENDING_TESTS == "0" ]]
+          then
+            echo "No pending tests: OK"
+          else
+            echo "There are pending tests: $PENDING_TESTS (KO)"
+            exit 1
+          fi    
 
       - name: Run "AppSec with timeout (captcha fallback) and file_get_contents" test
         run: |

.gitignore

@@ -13,4 +13,7 @@ scripts/settings.php
 .cache
 
 # MaxMind databases
-*.mmdb
+*.mmdb
+
+# Uploads test
+tests/scripts/public/uploads/*

CHANGELOG.md

@@ -10,6 +10,14 @@ protected methods, properties and constants belonging to the `src` folder and of
 
 ---
 
+## [1.3.0](https://github.com/crowdsecurity/cs-standalone-php-bouncer/releases/tag/v1.3.0) - 2024-10-23
+[_Compare with previous release_](https://github.com/crowdsecurity/cs-standalone-php-bouncer/compare/v1.2.0...v1.3.0)
+
+### Added
+- Add multipart request support for AppSec
+
+---
+
 ## [1.2.0](https://github.com/crowdsecurity/cs-standalone-php-bouncer/releases/tag/v1.2.0) - 2024-10-04
 [_Compare with previous release_](https://github.com/crowdsecurity/cs-standalone-php-bouncer/compare/v1.1.0...v1.2.0)
 

composer.json

@@ -41,7 +41,7 @@
     ],
     "require": {
         "php": ">=7.2.5",
-        "crowdsec/bouncer": "^3.0.0"
+        "crowdsec/bouncer": "^3.2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^8.5.30 || ^9.3",

scripts/settings.php.dist

@@ -50,6 +50,23 @@ return [
      * If true, the AppSec URL must be set in the 'appsec_url' setting below.
      */
     'use_appsec' => false,
+    /**
+     * Maximum size of request body (in kilobytes) which, if exceeded,
+     * will trigger the action defined by the "appsec_body_size_exceeded_action" setting below.
+     *
+     * This setting is not required. By default, the maximum body size is set to 1024KB (1MB).
+     */
+    'appsec_max_body_size_kb' => Constants::APPSEC_DEFAULT_MAX_BODY_SIZE,
+    /**
+     * Action to take when the request body size exceeds the maximum size defined by the "appsec_max_body_size_kb" setting above.
+     *
+     * Select from:
+     * - `headers_only` (recommended and default value): only the headers of the original request are forwarded to AppSec,
+     * not the body.
+     * - `allow` (not recommended): the request is considered as safe and a bypass remediation is returned, without calling AppSec.
+     * - `block`: the request is considered as malicious and a ban remediation is returned, without calling AppSec.
+     */
+    'appsec_body_size_exceeded_action' => Constants::APPSEC_ACTION_HEADERS_ONLY,
     /**
      * array of URIs that will not be bounced.
      */

src/Bouncer.php

@@ -95,6 +95,13 @@ public function getRequestHeaders(): array
             $allHeaders = getallheaders();
         // @codeCoverageIgnoreEnd
         } else {
+            $this->logger->warning(
+                'getallheaders() function is not available',
+                [
+                    'type' => 'GETALLHEADERS_NOT_AVAILABLE',
+                    'message' => 'Resulting headers may not be accurate',
+                ]
+            );
             foreach ($_SERVER as $name => $value) {
                 if ('HTTP_' == substr($name, 0, 5)) {
                     $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
@@ -104,8 +111,6 @@ public function getRequestHeaders(): array
                 }
             }
         }
-        // Remove Content-Length header for AppSec
-        unset($allHeaders['Content-Length']);
 
         return $allHeaders;
     }
@@ -118,12 +123,9 @@ public function getRequestHost(): string
         return $_SERVER['HTTP_HOST'] ?? '';
     }
 
-    /**
-     * Get current request raw body.
-     */
     public function getRequestRawBody(): string
     {
-        return file_get_contents('php://input');
+        return $this->buildRequestRawBody(fopen('php://input', 'rb'));
     }
 
     /**

tests/Integration/IpVerificationTest.php

@@ -30,6 +30,7 @@
  * @covers \CrowdSecStandalone\Bouncer::getRequestHost
  * @covers \CrowdSecStandalone\Bouncer::getRequestRawBody
  * @covers \CrowdSecStandalone\Bouncer::getRequestUserAgent
+ *
  */
 final class IpVerificationTest extends TestCase
 {

tests/end-to-end/.gitignore

@@ -4,3 +4,4 @@ node_modules
 *.lock
 *.log
 *.jpg
+!assets/*.jpg

tests/end-to-end/__scripts__/run-tests.sh

@@ -49,6 +49,8 @@ CLEAN_CACHE_DURATION=$(ddev exec grep -E "'clean_ip_cache_duration'.*,$" /var/ww
 STREAM_MODE=$(ddev exec grep -E "'stream_mode'.*,$" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | sed 's/stream_mode//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
 APPSEC_ENABLED=$(ddev exec grep -E "'use_appsec'.*,$" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | sed 's/use_appsec//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
 APPSEC_FALLBACK=$(ddev exec grep "'appsec_fallback_remediation'" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | tail -1 | sed 's/appsec_fallback_remediation//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
+APPSEC_ACTION=$(ddev exec grep "'appsec_body_size_exceeded_action'" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | tail -1 | sed 's/appsec_body_size_exceeded_action//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
+APPSEC_MAX_BODY_SIZE=$(ddev exec grep "'appsec_max_body_size_kb'" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | tail -1 | sed 's/appsec_max_body_size_kb//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
 DEBUG_MODE=$(ddev exec grep -E "'debug_mode'.*,$" /var/www/html/my-code/standalone-bouncer/scripts/settings.php | sed 's/debug_mode//g' | sed -e 's|[=>,"'\'']||g'  | sed s/'\s'//g)
 JEST_PARAMS="--bail=true  --runInBand --verbose"
 # If FAIL_FAST, will exit on first individual test fail
@@ -117,6 +119,8 @@ PROXY_IP="$PROXY_IP"  \
 GEOLOC_ENABLED="$GEOLOC_ENABLED" \
 APPSEC_ENABLED="$APPSEC_ENABLED" \
 APPSEC_FALLBACK="$APPSEC_FALLBACK" \
+APPSEC_ACTION="$APPSEC_ACTION" \
+APPSEC_MAX_BODY_SIZE="$APPSEC_MAX_BODY_SIZE" \
 STREAM_MODE="$STREAM_MODE" \
 CLEAN_CACHE_DURATION="$CLEAN_CACHE_DURATION" \
 DEBUG_MODE="$DEBUG_MODE" \

tests/end-to-end/__tests__/11-appsec-max-body-ban.js

@@ -0,0 +1,85 @@
+const {
+    goToPublicPage,
+    removeAllDecisions,
+    runCacheAction,
+    computeCurrentPageRemediation,
+    fillInput,
+    clickById,
+    getTextById,
+    wait,
+} = require("../utils/helpers");
+const {
+    APPSEC_ENABLED,
+    APPSEC_MAX_BODY_SIZE,
+    APPSEC_ACTION,
+    STREAM_MODE,
+    CLEAN_CACHE_DURATION,
+} = require("../utils/constants");
+
+describe(`Should work with ban as max body`, () => {
+    beforeAll(async () => {
+        await removeAllDecisions();
+        await runCacheAction("clear");
+    });
+
+    it("Should have correct settings", async () => {
+        if (!APPSEC_ENABLED) {
+            const errorMessage = `AppSec must be enabled for this test`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (STREAM_MODE) {
+            const errorMessage = `Stream mode must be disabled for this test`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (CLEAN_CACHE_DURATION !== "3") {
+            const errorMessage = `clean_ip_cache_duration setting must be exactly 3 for this test (current is ${CLEAN_CACHE_DURATION})`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (APPSEC_ACTION !== "block") {
+            const errorMessage = `AppSec action must be "block" for this test (got ${APPSEC_ACTION})`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+    });
+
+    it("Should ban when access home page page with POST and too big body", async () => {
+        await goToPublicPage();
+        const remediation = await computeCurrentPageRemediation();
+        await expect(remediation).toBe("bypass");
+
+        let appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("INITIAL STATE");
+
+        await fillInput(
+            "request-body",
+            "a".repeat(APPSEC_MAX_BODY_SIZE * 1024 + 1),
+        );
+        await clickById("appsec-post-button");
+        await wait(1000);
+
+        appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("Response status: 403");
+    });
+
+    it("Should bypass when access home page page with POST and short body", async () => {
+        await goToPublicPage();
+        const remediation = await computeCurrentPageRemediation();
+        await expect(remediation).toBe("bypass");
+
+        let appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("INITIAL STATE");
+
+        await fillInput(
+            "request-body",
+            "a".repeat(APPSEC_MAX_BODY_SIZE * 1024),
+        );
+        await clickById("appsec-post-button");
+        await wait(1000);
+
+        appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("Response status: 200");
+    });
+});

tests/end-to-end/__tests__/12-appsec-upload.js

@@ -0,0 +1,91 @@
+const {
+    goToPublicPage,
+    removeAllDecisions,
+    runCacheAction,
+    computeCurrentPageRemediation,
+    getHtmlById,
+    clickById,
+    getTextById,
+    wait,
+} = require("../utils/helpers");
+const {
+    APPSEC_ENABLED,
+    APPSEC_MAX_BODY_SIZE,
+    APPSEC_ACTION,
+    STREAM_MODE,
+    CLEAN_CACHE_DURATION,
+    APPSEC_UPLOAD_TEST_URL,
+} = require("../utils/constants");
+
+describe(`Should work with ban as max body`, () => {
+    beforeAll(async () => {
+        await removeAllDecisions();
+        await runCacheAction("clear");
+    });
+
+    it("Should have correct settings", async () => {
+        if (!APPSEC_ENABLED) {
+            const errorMessage = `AppSec must be enabled for this test`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (STREAM_MODE) {
+            const errorMessage = `Stream mode must be disabled for this test`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (CLEAN_CACHE_DURATION !== "3") {
+            const errorMessage = `clean_ip_cache_duration setting must be exactly 3 for this test (current is ${CLEAN_CACHE_DURATION})`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (APPSEC_ACTION !== "block") {
+            const errorMessage = `AppSec action must be "block" for this test (got ${APPSEC_ACTION})`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        if (APPSEC_MAX_BODY_SIZE > 1024) {
+            const errorMessage = `AppSec max size must greater than "1024" for this test (got ${APPSEC_MAX_BODY_SIZE})`;
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+    });
+
+    it("Should ban when upload a too big image", async () => {
+        await goToPublicPage(APPSEC_UPLOAD_TEST_URL);
+        const remediation = await computeCurrentPageRemediation("Image Upload");
+        await expect(remediation).toBe("bypass");
+
+        let appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("INITIAL STATE");
+
+        await page
+            .locator('input[name="image"]')
+            .setInputFiles("./assets/too-big.jpg");
+        await clickById("imageUpload");
+        await wait(2000);
+
+        appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("403");
+    });
+
+    it("Should bypass when upload a small enough image", async () => {
+        await goToPublicPage(APPSEC_UPLOAD_TEST_URL);
+        const remediation = await computeCurrentPageRemediation("Image Upload");
+        await expect(remediation).toBe("bypass");
+
+        let appsecResult = await getTextById("appsec-result");
+        await expect(appsecResult).toBe("INITIAL STATE");
+
+        await page
+            .locator('input[name="image"]')
+            .setInputFiles("./assets/small-enough.jpg");
+        await clickById("imageUpload");
+        await wait(2000);
+
+        appsecResult = await getHtmlById("appsec-result");
+        await expect(appsecResult).toBe(
+            '<img src="uploads/small-enough.jpg" alt="Uploaded Image">',
+        );
+    });
+});

tests/end-to-end/assets/small-enough.jpg

@@ -30,6 +30,8 @@ return [
     'excluded_uris' => ['/favicon.ico'],
     'fallback_remediation' => Constants::REMEDIATION_CAPTCHA,
     'use_appsec' => false,
+    'appsec_max_body_size_kb' => 1024,
+    'appsec_body_size_exceeded_action' => 'headers_only',
     'appsec_fallback_remediation' => Constants::REMEDIATION_CAPTCHA,
     'trust_ip_forward_array' => ['REPLACE_PROXY_IP'],
     // Cache

tests/end-to-end/assets/too-big.jpg

@@ -2,6 +2,8 @@ const PUBLIC_URL =
     "/my-code/standalone-bouncer/tests/scripts/public/protected-page.php";
 const APPSEC_TEST_URL =
     "/my-code/standalone-bouncer/tests/scripts/public/testappsec.php";
+const APPSEC_UPLOAD_TEST_URL =
+    "/my-code/standalone-bouncer/tests/scripts/public/testappsec-upload.php";
 const APPSEC_MALICIOUS_BODY = "class.module.classLoader.resources.";
 const FORCED_TEST_FORWARDED_IP =
     process.env.FORCED_TEST_FORWARDED_IP !== ""
@@ -19,6 +21,8 @@ const WATCHER_PASSWORD = "watcherPassword";
 const {
     BOUNCER_KEY,
     APPSEC_FALLBACK,
+    APPSEC_ACTION,
+    APPSEC_MAX_BODY_SIZE,
     DEBUG,
     CURRENT_IP,
     LAPI_URL_FROM_PLAYWRIGHT,
@@ -35,9 +39,12 @@ const DEBUG_LOG_PATH = `${AGENT_TLS_PATH}/../my-code/standalone-bouncer/scripts/
 
 module.exports = {
     APPSEC_TEST_URL,
+    APPSEC_UPLOAD_TEST_URL,
     APPSEC_ENABLED,
     APPSEC_MALICIOUS_BODY,
     APPSEC_FALLBACK,
+    APPSEC_ACTION,
+    APPSEC_MAX_BODY_SIZE,
     PHP_URL,
     BOUNCER_KEY,
     CLEAN_CACHE_DURATION,