fix!: Allow GenericLFI_Body matches for known upload paths. (TBE-137) (#28)

Author: jamesiarmes

README.md

@@ -13,7 +13,7 @@ to match your desired configuration. For example, to create a new distribution
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "dev"
@@ -76,7 +76,7 @@ distribution at `www.my-project.org`, you could use the following:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "dev"
@@ -107,7 +107,12 @@ number is too low.
 > > WAFInvalidParameterException: Error reason: You exceeded the capacity limit
 > > for a rule group or web ACL.
 >
-> this is a good indication that you may need to set the capacity manually.
+> this is a good indication that you may need to set the capacity manually. At
+> the end of this message you should see something like:
+>
+> > field: RULE_GROUP, parameter: **92**
+>
+> In this case, the minimum capacity for the rule group should be `92`.
 
 In order to override the capacity for a rule group, you can specify the WCUs
 through an appropriate variable. For example, to set the capacity for the
@@ -155,7 +160,7 @@ Simply specify the headers you want to add in a map. For example:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "dev"
@@ -191,7 +196,7 @@ resource "aws_wafv2_ip_set" "security_scanners" {
 }
 
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "staging"
@@ -230,7 +235,7 @@ For example, to rate limit requests to 300 over a 5-minute period:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "staging"
@@ -276,7 +281,7 @@ ensure it comes after the common and SQLi rule sets.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "staging"
@@ -318,7 +323,7 @@ conditions that must be met for the request to be allowed through.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.2"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
 
   project     = "my-project"
   environment = "staging"

main.tf

@@ -270,6 +270,18 @@ resource "aws_wafv2_web_acl" "waf" {
             }
           }
         }
+
+        dynamic "rule_action_override" {
+          for_each = length(var.upload_paths) > 0 ? [true] : []
+
+          content {
+            name = "GenericLFI_BODY"
+
+            action_to_use {
+              count {}
+            }
+          }
+        }
       }
     }
 

uploads.tf

@@ -3,7 +3,7 @@ resource "aws_wafv2_rule_group" "uploads" {
 
   name_prefix = "${local.prefix}-waf-uploads-"
   scope       = "CLOUDFRONT"
-  capacity    = var.upload_rules_capacity == null ? 9 * length(var.upload_paths) : var.upload_rules_capacity
+  capacity    = var.upload_rules_capacity == null ? 12 * length(var.upload_paths) : var.upload_rules_capacity
 
   visibility_config {
     cloudwatch_metrics_enabled = true
@@ -171,6 +171,60 @@ resource "aws_wafv2_rule_group" "uploads" {
     }
   }
 
+  # Block local file inclusion (LFI) requests, unless it was triggered by a file
+  # upload.
+  rule {
+    name     = "${local.prefix}-waf-request-lfi"
+    priority = 4
+
+    action {
+      block {}
+    }
+
+    statement {
+      and_statement {
+        statement {
+          label_match_statement {
+            key   = "awswaf:managed:aws:core-rule-set:GenericLFI_Body"
+            scope = "LABEL"
+          }
+        }
+
+        # Create a NOT statement for each of the upload paths. We'll block the
+        # request if it doesn't match any of the paths.
+        dynamic "statement" {
+          for_each = var.upload_paths
+
+          content {
+            not_statement {
+              statement {
+                byte_match_statement {
+                  positional_constraint = statement.value.constraint
+                  search_string         = statement.value.path
+
+                  field_to_match {
+                    uri_path {}
+                  }
+
+                  text_transformation {
+                    priority = 0
+                    type     = "NONE"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${local.prefix}-waf-request-lfi"
+      sampled_requests_enabled   = true
+    }
+  }
+
   lifecycle {
     create_before_destroy = true
   }