[BUG] ModSecurity ignores MAX_CLIENT_SIZE setting in BunkerWeb #1736

Open
2 tasks done
git4check opened this issue Nov 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@git4check

What happened?

In BunkerWeb version 1.5.10, the MAX_CLIENT_SIZE environment variable, which is intended to limit the maximum request body size, is correctly applied to Nginx but ignored by ModSecurity.

As a result, ModSecurity continues to enforce its default limits (SecRequestBodyLimit and SecRequestBodyNoFilesLimit), leading to 400 Bad Request or 413 Payload Too Large errors when requests exceed those default limits, even if MAX_CLIENT_SIZE is set to a higher value.

How to reproduce?

1. Configure BunkerWeb with the MAX_CLIENT_SIZE environment variable, e.g.:

```yaml
environment:
  MAX_CLIENT_SIZE: "10m"
```

2. Send a POST request with a body size of around 5 MB.
3. The request is blocked with a 400 or 413 error, despite MAX_CLIENT_SIZE being set to allow up to 10 MB.

Configuration file(s) (yaml or .env)

No response

Relevant log output

[error] ModSecurity: Access denied with code 400. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR'" [msg "Failed to parse request body."] [data "Request body excluding files is bigger than the maximum expected."]

BunkerWeb version

1.5.10

What integration are you using?

Docker

Linux distribution (if applicable)

DEBIAN

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
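As an added illustration, not code from BunkerWeb or ModSecurity, the following Python models the two body-size layers the report describes: it converts an nginx-style size such as `"10m"` into the byte count that `SecRequestBodyLimit` and `SecRequestBodyNoFilesLimit` expect, renders matching directives, and classifies a request against both layers so the ~5 MB reproduction can be checked offline. The function names, the ModSecurity default values quoted from the reference manual, and the assumption that the deployment leaves those defaults in place are assumptions of this example; how BunkerWeb itself generates its ModSecurity configuration is not modelled.

```python
"""Added example (not BunkerWeb or ModSecurity code): model the mismatch between
nginx's client_max_body_size and ModSecurity's request-body limits."""
import re

# nginx size suffixes accepted by client_max_body_size (k, m, g; case-insensitive).
_NGINX_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# ModSecurity built-in defaults in bytes per the reference manual:
# 128 MiB for the whole body, 1 MiB for the body excluding file uploads.
# Assumption: nothing in the deployment overrides them.
MODSEC_DEFAULT_BODY_LIMIT = 134217728
MODSEC_DEFAULT_NOFILES_LIMIT = 1048576


def nginx_size_to_bytes(value: str) -> int:
    """Parse an nginx size ("10m", "512K", "1g", "4096") into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"not an nginx size value: {value!r}")
    return int(m.group(1)) * _NGINX_SUFFIX[m.group(2).lower()]


def modsec_body_limits(max_client_size: str) -> dict:
    """ModSecurity directive values aligned with MAX_CLIENT_SIZE.

    Both directives take a byte count, not an nginx-style suffix. Using the
    same value for SecRequestBodyNoFilesLimit is the permissive choice; a
    tighter non-file limit is a legitimate hardening decision, but it should
    then be set deliberately rather than inherited from the default.
    """
    limit = nginx_size_to_bytes(max_client_size)
    return {"SecRequestBodyLimit": limit, "SecRequestBodyNoFilesLimit": limit}


def render_modsec_body_limits(max_client_size: str) -> str:
    """Render the aligned directives as lines for a ModSecurity config file."""
    return "\n".join(
        f"{name} {value}" for name, value in modsec_body_limits(max_client_size).items()
    )


def classify_request(body_bytes: int, file_bytes: int, max_client_size: str,
                     modsec_body_limit: int = MODSEC_DEFAULT_BODY_LIMIT,
                     modsec_nofiles_limit: int = MODSEC_DEFAULT_NOFILES_LIMIT) -> str:
    """Say which layer stops a request whose body is `body_bytes` long, of which
    `file_bytes` belong to multipart file parts.

    nginx compares Content-Length with client_max_body_size before the body
    reaches ModSecurity, so its 413 comes first. ModSecurity then applies
    SecRequestBodyLimit to the whole body (rejection assumes the default
    SecRequestBodyLimitAction Reject; ProcessPartial would truncate instead)
    and SecRequestBodyNoFilesLimit to the body minus file parts. Exceeding the
    latter sets REQBODY_ERROR, which the "Failed to parse request body" rule in
    the recommended configuration denies with 400, the log line in the report.
    """
    if body_bytes > nginx_size_to_bytes(max_client_size):
        return "413 from nginx: client_max_body_size exceeded"
    if body_bytes > modsec_body_limit:
        return "rejected by ModSecurity: SecRequestBodyLimit exceeded"
    if body_bytes - file_bytes > modsec_nofiles_limit:
        return "400 from ModSecurity: SecRequestBodyNoFilesLimit exceeded (REQBODY_ERROR)"
    return "accepted"


if __name__ == "__main__":
    five_mb = 5 * 1024 ** 2  # constructed: the report's ~5 MB POST with no file parts
    print(classify_request(five_mb, 0, "10m"))  # ModSecurity defaults still in force
    aligned = modsec_body_limits("10m")
    print(classify_request(five_mb, 0, "10m",
                           aligned["SecRequestBodyLimit"],
                           aligned["SecRequestBodyNoFilesLimit"]))
    print(render_modsec_body_limits("10m"))
```

Run as a script, the first classification shows the 5 MB body passing nginx's 10 MB limit but tripping the 1 MiB `SecRequestBodyNoFilesLimit` default, which is the situation the quoted log line describes; the second shows the same request accepted once the two ModSecurity directives carry the byte equivalent of `MAX_CLIENT_SIZE`. A practical check on a live instance is to compare `client_max_body_size` in the generated nginx configuration against the `SecRequestBody*Limit` values in the loaded ModSecurity rules and confirm the latter are at least as large.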
@TheophileDiot (Member)
Hi @git4check,

Thank you for opening this issue! It seems like ModSecurity encountered an error while trying to parse the request body. This typically happens when there is an issue with the body of the HTTP request. Here are some common scenarios that could cause this:

  • Malformed Request Body: The request body is improperly formatted, such as invalid JSON, XML, or multipart data.

  • Incorrect Content-Type Header: The Content-Type header does not match the actual format of the request body.

  • Unsupported Encoding: The request uses an unsupported or invalid content encoding, like gzip or deflate, which ModSecurity cannot process.

  • File Upload Issues: There are problems with multipart form data, such as incomplete or corrupted file uploads.

  • Request Body Parsing Errors: The body contains unexpected characters, or multipart requests have mismatched boundary delimiters.

  • Corrupted HTTP Request: The request was altered or corrupted during transit, rendering the body unreadable.

  • ModSecurity Configuration Problems: There may be configuration issues in ModSecurity, such as problems with the parser or handling of specific content types.

When ModSecurity cannot parse the body, it blocks the request to prevent further processing of potentially invalid or harmful data.
