Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[appsec] seclang rules that makes crowdsec crash #3441

Open
sabban opened this issue Feb 4, 2025 · 3 comments
Open

[appsec] seclang rules that makes crowdsec crash #3441

sabban opened this issue Feb 4, 2025 · 3 comments
Labels
kind/bug Something isn't working needs/triage os/linux

Comments

@sabban
Copy link
Contributor

sabban commented Feb 4, 2025
edited
Loading

What happened?

Crowdsec crashes when tries to load a specific seclang rule:

SecRule &REQUEST_COOKIES_NAMES:wp_cookie  "@eq 1"     "id:1,phase:2,t:none,t:lowercase,t:urldecode,deny,log,msg:'wordpress: php eval()'"

error: attempted to use string with non-selectable collection: REQUEST_COOKIES_NAMES
version: v1.6.5~rc4-debian-pragmatic-amd64-bfed861b
BuildDate: 2025-01-31_14:53:28
GoVersion: 1.23.5
Platform: linux
goroutine 393 [running]:
runtime/debug.Stack()
runtime/debug/stack.go:26 +0x5e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).writeStackTrace(0x383f140, {0x1eb93c0, 0xc001dfde80})
github.com/crowdsecurity/[email protected]/trace/trace.go:152 +0x16e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).catchPanic(0x383f140, {0x2322b3a, 0x22})
github.com/crowdsecurity/[email protected]/trace/trace.go:168 +0x134
github.com/crowdsecurity/go-cs-lib/trace.CatchPanic(...)
github.com/crowdsecurity/[email protected]/trace/trace.go:37
panic({0x1eb93c0?, 0xc001dfde80?})
runtime/panic.go:785 +0x132
github.com/crowdsecurity/coraza/v3/internal/corazawaf.(*Transaction).GetField(0xc001dd2030?, {0x1, 0x3a, 0x0, {0xc00190a2a0, 0x9}, {0x393fdc0, 0x0, 0x0}})
github.com/crowdsecurity/coraza/[email protected]/internal/corazawaf/transaction.go:601 +0x4a5
github.com/crowdsecurity/coraza/v3/internal/corazawaf.(*Rule).doEvaluate(0xc0027189c0, {0x27438d0, 0xc001dd20a8}, 0x2, 0xc000a9cd88, 0xc001fbb6f8, 0x0, 0xc000a29050)
github.com/crowdsecurity/coraza/[email protected]/internal/corazawaf/rule.go:241 +0xe05
github.com/crowdsecurity/coraza/v3/internal/corazawaf.(*Rule).Evaluate(0xc0027189c0, 0x2, {0x2744578, 0xc000a9cd88}, 0xc000a29050)
github.com/crowdsecurity/coraza/[email protected]/internal/corazawaf/rule.go:182 +0x2aa
github.com/crowdsecurity/coraza/v3/internal/corazawaf.(*RuleGroup).Eval(0xc000923010, 0x2, 0xc000a9cd88)
github.com/crowdsecurity/coraza/[email protected]/internal/corazawaf/rulegroup.go:219 +0x30f
github.com/crowdsecurity/coraza/v3/internal/corazawaf.(*Transaction).ProcessRequestBody(0xc000a9cd88)
github.com/crowdsecurity/coraza/[email protected]/internal/corazawaf/transaction.go:1040 +0x545
github.com/crowdsecurity/crowdsec/pkg/appsec.(*ExtendedTransaction).ProcessRequestBody(...)
github.com/crowdsecurity/crowdsec/pkg/appsec/tx.go:68
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec.(*AppsecRunner).processRequest(0xc0005d85a0, {{0xc000923000?, 0xc000d439b0?}}, 0xc00135e900)
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec/appsec_runner.go:201 +0x4c9
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec.(*AppsecRunner).ProcessInBandRules(0xc0005d85a0, 0xc00135e900)
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec/appsec_runner.go:221 +0xbb
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec.(*AppsecRunner).handleRequest(0xc0005d85a0, 0xc00135e900)
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec/appsec_runner.go:340 +0x3b1
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec.(*AppsecRunner).Run(0xc0005d85a0, 0x3912120)
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec/appsec_runner.go:396 +0x85
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec.(*AppsecSource).StreamingAcquisition.func1.1()
github.com/crowdsecurity/crowdsec/pkg/acquisition/modules/appsec/appsec.go:281 +0x3e
gopkg.in/tomb%2ev2.(*Tomb).run(0x3912120, 0xb162c58b162c58b1?)
gopkg.in/[email protected]/tomb.go:163 +0x2b
created by gopkg.in/tomb%2ev2.(*Tomb).Go in goroutine 392
gopkg.in/[email protected]/tomb.go:159 +0xdb

What did you expect to happen?

The rule should have been loaded without a crash or at least, I should have got an error.

How can we reproduce it (as minimally and precisely as possible)?

Have a configuration that loads the culprit seclang rule

Anything else we need to know?

No response

Crowdsec version

version: v1.6.5~rc4-debian-pragmatic-amd64-bfed861b Codename: alphaga BuildDate: 2025-01-31_14:56:22 GoVersion: 1.23.5 Platform: linux libre2: C++ User-Agent: crowdsec/v1.6.5~rc4-debian-pragmatic-amd64-bfed861b-linux Constraint_parser: >= 1.0, <= 3.0 Constraint_scenario: >= 1.0, <= 3.0 Constraint_api: v1 Constraint_acquis: >= 1.0, < 2.0 Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

# On Linux:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -a
Linux hostname 5.15.0-1075-aws #82~20.04.1-Ubuntu SMP Thu Dec 19 05:24:09 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

</details>


### Enabled collections and parsers

<details>

```console
$ cscli hub list -o raw
# paste output here

Acquisition config

```console # On Linux: $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/* # paste output here

On Windows:

C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

paste output here

Config show

$ cscli config show
# paste output here

Prometheus metrics

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

It's a specific seclang rule for appsec: ``` SecRule &REQUEST_COOKIES_NAMES:wp_cookie "@eq 1" "id:1,phase:2,t:none,t:lowercase,t:urldecode,deny,log,msg:'Malware.Expert - wordpress cookie: php eval()'" ```
@sabban sabban added the kind/bug Something isn't working label Feb 4, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 4, 2025

@sabban: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@sabban
Copy link
Contributor Author

sabban commented Feb 4, 2025
edited
Loading

same issue with the following rules:

SecRule &REQUEST_COOKIES_NAMES:litespeed_role   "@gt 0" "id:2,phase:2,t:none,deny,log,msg:'worpress'"

@LaurenceJJones
Copy link
Contributor

Pending fix is waiting on upstream merge: corazawaf/coraza#1143

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working needs/triage os/linux
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sabban @LaurenceJJones