fix: do not forward webscoket requests to ModSecurity

owasp-modsecurity/ModSecurity#1368

Currently ModSecurity is not capable to inspect WebSockets. It is only capable to understand the http requests.

Author: acouvreur

modsecurity.go

@@ -47,6 +47,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 
 func (a *Modsecurity) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
+	// Webscoket not supported
+	if isWebsocket(req) {
+		a.next.ServeHTTP(rw, req)
+		return
+	}
+
 	// we need to buffer the body if we want to read it here and send it
 	// in the request.
 	body, err := ioutil.ReadAll(req.Body)
@@ -84,3 +90,12 @@ func (a *Modsecurity) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	a.next.ServeHTTP(rw, req)
 }
+
+func isWebsocket(req *http.Request) bool {
+	for _, header := range req.Header["Upgrade"] {
+		if header == "websocket" {
+			return true
+		}
+	}
+	return false
+}