
fix: Disables implicit Cookies url decoding #928

Merged (13 commits) on Dec 11, 2023

Conversation

M4tteoP (Member) commented Nov 23, 2023

Tentatively closes #920.

@M4tteoP M4tteoP requested a review from a team as a code owner November 23, 2023 09:45
@M4tteoP M4tteoP changed the title from "Disables implicit Cookies url decoding" to "fix: Disables implicit Cookies url decoding" Nov 23, 2023

codecov bot commented Nov 23, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (13771ff) 82.57% compared to head (b6408e1) 82.58%.
Report is 1 commits behind head on main.

❗ Current head b6408e1 differs from pull request most recent head 9202309. Consider uploading reports for the commit 9202309 to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #928   +/-   ##
=======================================
  Coverage   82.57%   82.58%           
=======================================
  Files         160      160           
  Lines        8988     8991    +3     
=======================================
+ Hits         7422     7425    +3     
  Misses       1317     1317           
  Partials      249      249           
Flag Coverage Δ
default 77.67% <100.00%> (+0.02%) ⬆️
examples 26.60% <30.76%> (+0.03%) ⬆️
ftw 47.03% <100.00%> (+0.01%) ⬆️
ftw-multiphase 49.23% <100.00%> (+0.01%) ⬆️
tinygo 75.20% <100.00%> (+0.05%) ⬆️


jptosso (Member) commented Nov 23, 2023

I still think we should split the function instead of using a Boolean constant.

jcchavezs (Member) commented:

> I still think we should split the function instead of using a Boolean constant.

Kind of agree, but that would require copying the code. Another option could be:

type kvEscape func(string) string

var (
	urlUnescape kvEscape = QueryUnescape
	// identity function: the function type needs an explicit string return
	NoEscape kvEscape = func(s string) string { return s }
)

...

q := ParseQuery(out, '&', urlUnescape)

anuraaga (Contributor) commented:

We could split the API with a private function:

func ParseQuery(string)
func ParseQueryWithoutUnescape(string)

func doParseQuery(string, bool)

@M4tteoP M4tteoP force-pushed the cookie_nourldecoded branch from ec8b21d to 3c19a8f Compare November 28, 2023 10:22
m[key] = append(m[key], value)
}
return m
}

// QueryUnescape is a non-strict version of net/url.QueryUnescape.
func QueryUnescape(input string) string {
M4tteoP (Member Author) commented on the QueryUnescape declaration above:

Old comment about making it private: #326 (comment)

A member replied:

I love when code becomes private.

M4tteoP (Member Author) commented Nov 28, 2023

Thank you all for the inputs!
I went for doParseQuery, avoiding public booleans, and did a minor refactor of QueryUnescape to improve readability a bit. I cannot notice meaningful differences in the benchmarks:

QueryUnescape
Before:

goos: darwin
goarch: arm64
pkg: github.com/corazawaf/coraza/v3/internal/url
BenchmarkQueryUnescape-10    	 4639016	       252.8 ns/op	      78 B/op	       7 allocs/op
PASS
ok  	github.com/corazawaf/coraza/v3/internal/url	1.526s

After:

goos: darwin
goarch: arm64
pkg: github.com/corazawaf/coraza/v3/internal/url
BenchmarkQueryUnescape-10    	 4720306	       249.2 ns/op	      78 B/op	       7 allocs/op
PASS
ok  	github.com/corazawaf/coraza/v3/internal/url	1.515s

ParseQuery (same QueryUnescape)
Before:

goos: darwin
goarch: arm64
pkg: github.com/corazawaf/coraza/v3/internal/url
BenchmarkParseQuery-10    	 2169714	       544.6 ns/op	     627 B/op	       5 allocs/op
PASS
ok  	github.com/corazawaf/coraza/v3/internal/url	1.835s

After:

goos: darwin
goarch: arm64
pkg: github.com/corazawaf/coraza/v3/internal/url
BenchmarkParseQuery-10    	 2197615	       544.0 ns/op	     627 B/op	       5 allocs/op
PASS
ok  	github.com/corazawaf/coraza/v3/internal/url	1.842s

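The split discussed in this thread, written out as an added example (not Coraza's own code): ParseQuery and ParseQueryWithoutUnescape share a private doParseQuery, and QueryUnescape is a non-strict decoder that keeps malformed escapes verbatim instead of rejecting the value. The separator parameter, the whitespace trimming and the decoding details are my assumptions, as is the sample Cookie header.

```go
package main

import (
	"strconv"
	"strings"
)

func ParseQuery(query string, sep byte) map[string][]string {
	return doParseQuery(query, sep, true)
}

// ParseQueryWithoutUnescape keeps keys and values exactly as sent (the cookie case).
func ParseQueryWithoutUnescape(query string, sep byte) map[string][]string {
	return doParseQuery(query, sep, false)
}

// doParseQuery is the shared private body; the boolean never leaves the package.
func doParseQuery(query string, sep byte, unescape bool) map[string][]string {
	m := make(map[string][]string)
	for _, kv := range strings.Split(query, string(sep)) {
		if kv = strings.TrimSpace(kv); kv == "" { // tolerate "a=1; b=2" and "a=1&&b=2"
			continue
		}
		key, value, _ := strings.Cut(kv, "=")
		if unescape {
			key, value = QueryUnescape(key), QueryUnescape(value)
		}
		m[key] = append(m[key], value)
	}
	return m
}

// QueryUnescape is non-strict: '+' becomes a space and a well-formed %XX is decoded,
// but a malformed escape ("%zz", trailing "%") is copied through unchanged.
func QueryUnescape(input string) string {
	input = strings.ReplaceAll(input, "+", " ")
	var b strings.Builder
	for i := 0; i < len(input); i++ {
		c := input[i]
		if c == '%' && i+2 < len(input) {
			if v, err := strconv.ParseUint(input[i+1:i+3], 16, 8); err == nil {
				b.WriteByte(byte(v))
				i += 2
				continue
			}
		}
		b.WriteByte(c)
	}
	return b.String()
}
```

With the constructed header "sid=abc%3Bdef; theme=dark", the cookie variant returns "abc%3Bdef" for sid while the decoding variant returns "abc;def", which is exactly the difference a rule author sees in REQUEST_COOKIES before and after this change.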
M4tteoP (Member Author) commented Dec 11, 2023

Merging. Mind that in the next release I would write a line about this engine behavior change.

@M4tteoP M4tteoP merged commit 968dc71 into corazawaf:main Dec 11, 2023
8 checks passed
@M4tteoP M4tteoP deleted the cookie_nourldecoded branch December 18, 2023 11:11

Successfully merging this pull request may close these issues.

REQUEST_COOKIES variables gets implicitly URL decoded
4 participants