feat: limit body buffering to avoid resource exhaustion (#8)

* Limit body buffering to avoid resource exhaustion

* Add documentation and examples for maxBodySize parameters

Author: Enrico204

.traefik.yml

@@ -7,6 +7,7 @@ summary: 'Traefik plugin to proxy requests to owasp/modsecurity-crs:apache'
 
 testData:
   ModsecurityUrl: http://waf:80
+  MaxBodySize: 10485760
 
 iconPath: ./img/icon.png
 bannerPath: ./img/banner.png

README.md

@@ -40,6 +40,15 @@ If it is > 400, then the error page is returned instead.
 
 The *dummy* service is created so the waf container forward the request to a service and respond with 200 OK all the time.
 
+## Configuration
+
+This plugin supports these configuration:
+
+* `modSecurityUrl`: (**mandatory**) it's the URL for the owasp/modsecurity container.
+* `maxBodySize`: (optional) it's the maximum limit for requests body size. Requests exceeding this value will be rejected using `HTTP 413 Request Entity Too Large`.
+  The default value for this parameter is 10MB. Zero means "use default value".
+
+**Note**: body of every request will be buffered in memory while the request is in-flight (i.e.: during the security check and during the request processing by traefik and the backend), so you may want to tune `maxBodySize` depending on how much RAM you have.
 
 ## Local development (docker-compose.local.yml)
 

docker-compose.local.yml

@@ -22,6 +22,7 @@ services:
       - traefik.enable=true
       - traefik.http.services.traefik.loadbalancer.server.port=8080
       - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760
 
   waf:
     image: owasp/modsecurity-crs:apache

docker-compose.yml

@@ -22,6 +22,7 @@ services:
       - traefik.enable=true
       - traefik.http.services.traefik.loadbalancer.server.port=8080
       - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760
 
   waf:
     image: owasp/modsecurity-crs:apache

modsecurity.go

@@ -21,6 +21,7 @@ var httpClient = &http.Client{
 // Config the plugin configuration.
 type Config struct {
 	ModSecurityUrl string `json:"modSecurityUrl,omitempty"`
+	MaxBodySize    int64  `json:"maxBodySize,omitempty"`
 }
 
 // CreateConfig creates the default plugin configuration.
@@ -32,6 +33,7 @@ func CreateConfig() *Config {
 type Modsecurity struct {
 	next           http.Handler
 	modSecurityUrl string
+	maxBodySize    int64
 	name           string
 	logger         *log.Logger
 }
@@ -42,6 +44,13 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		return nil, fmt.Errorf("modSecurityUrl cannot be empty")
 	}
 
+	// Safe default: if the max body size was not specified, use 10MB
+	// Note that this will break any file upload with files > 10MB. Hopefully
+	// the user will configure this parameter during the installation.
+	if config.MaxBodySize == 0 {
+		config.MaxBodySize = 10 * 1024 * 1024
+	}
+
 	return &Modsecurity{
 		modSecurityUrl: config.ModSecurityUrl,
 		next:           next,
@@ -60,10 +69,15 @@ func (a *Modsecurity) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	// we need to buffer the body if we want to read it here and send it
 	// in the request.
-	body, err := ioutil.ReadAll(req.Body)
+	body, err := ioutil.ReadAll(http.MaxBytesReader(rw, req.Body, a.maxBodySize))
 	if err != nil {
-		a.logger.Printf("fail to read incoming request: %s", err.Error())
-		http.Error(rw, "", http.StatusBadGateway)
+		if err.Error() == "http: request body too large" {
+			a.logger.Printf("body max limit reached: %s", err.Error())
+			http.Error(rw, "", http.StatusRequestEntityTooLarge)
+		} else {
+			a.logger.Printf("fail to read incoming request: %s", err.Error())
+			http.Error(rw, "", http.StatusBadGateway)
+		}
 		return
 	}
 

modsecurity_test.go

@@ -76,6 +76,32 @@ func TestModsecurity_ServeHTTP(t *testing.T) {
 			expectBody:      "Response from service",
 			expectStatus:    200,
 		},
+		{
+			name: "Accept payloads smaller than limits",
+			request: http.Request{
+				Body: generateLargeBody(1024),
+			},
+			wafResponse: response{
+				StatusCode: 200,
+				Body:       "Response from waf",
+			},
+			serviceResponse: serviceResponse,
+			expectBody:      "Response from service",
+			expectStatus:    http.StatusOK,
+		},
+		{
+			name: "Reject too big payloads",
+			request: http.Request{
+				Body: generateLargeBody(1025),
+			},
+			wafResponse: response{
+				StatusCode: 200,
+				Body:       "Response from waf",
+			},
+			serviceResponse: serviceResponse,
+			expectBody:      "\n",
+			expectStatus:    http.StatusRequestEntityTooLarge,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -101,7 +127,9 @@ func TestModsecurity_ServeHTTP(t *testing.T) {
 			middleware := &Modsecurity{
 				next:           httpServiceHandler,
 				modSecurityUrl: modsecurityMockServer.URL,
+				maxBodySize:    1024,
 				name:           "modsecurity-middleware",
+				logger:         log.New(io.Discard, "", log.LstdFlags),
 			}
 
 			rw := httptest.NewRecorder()
@@ -116,3 +144,8 @@ func TestModsecurity_ServeHTTP(t *testing.T) {
 		})
 	}
 }
+
+func generateLargeBody(size int) io.ReadCloser {
+	var str = make([]byte, size)
+	return io.NopCloser(bytes.NewReader(str))
+}