[BUG] Content-Length and Transfer-Encoding headers not being passed to appsec

[nward]

Describe the bug 🐛
There's a CRS rule (920180) which looks for missing Content-Length or Transfer-Encoding on a POST.

I assume the issue is that the go http client doesn't include a content-length / transfer-encoding as it's a GET, or something along those lines.

Expected behavior 👀
Content-Length and Transfer-Encoding should be passed to appsec.

Context 🔎
I think this is explained well enough.

Version (please complete the following information):

• OS: Docker (kubernetes)
• Traefik version: 3.6.6
• Plugin version: 1.4.6
• Redis: None

To Reproduce
Enable CRS rules, and cURL something like this:

curl 'https://fqdn/signalr/messages/negotiate?access_token=blah&negotiateVersion=1' \
-X 'POST' \
-H 'Content-Type: text/plain;charset=UTF-8' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-NZ,en-AU;q=0.9,en;q=0.8' \
-H 'Cache-Control: max-age=0' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Origin: https://fqdn' \
-H 'Content-Length: 10' \
-H 'User-Agent: foo' \
-H 'Referer: https://fqdn/' \
-H 'Accept-Encoding: gzip, deflate, br' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: removed' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Priority: u=3, i' \
-H 'X-SignalR-User-Agent: Microsoft SignalR/6.0 (6.0.21; Unknown OS; Browser; Unknown Runtime Version)'

[nward]

Looking at the appsec docs, I see this:

All requests forwarded by the remediation component must be sent via a GET request. However, if the HTTP request contains a body, a POST request must be sent to the Application Security Component.

I suspect this logic should actually be that a POST is always required if the verb is POST - even if a body isn't present - so that valid POST headers are passed through.

[mathieuHa]

Hi @nward, maybe this issue should be opened in Crowdsec repository so they can respond on the Appsec strategy, and maybe explain why they chose this ?

[mathieuHa]

I looked and indeed we are following documentation, could be nice to have Crowdsec Point of view on this

var req *http.Request
	if bouncer.appsecBodyLimit > 0 && httpReq.Body != nil && httpReq.ContentLength > 0 {
		var bodyBuffer bytes.Buffer
		limitedReader := io.LimitReader(httpReq.Body, bouncer.appsecBodyLimit)
		teeReader := io.TeeReader(limitedReader, &bodyBuffer)
		bodyBytes, err := io.ReadAll(teeReader)
		if err != nil {
			return fmt.Errorf("appsecQuery:GetBody %w", err)
		}
		// Conserve body intact after reading it for other middlewares and service
		httpReq.Body = io.NopCloser(io.MultiReader(&bodyBuffer, httpReq.Body))
		req, _ = http.NewRequest(http.MethodPost, routeURL.String(), bytes.NewBuffer(bodyBytes))
	} else {
		req, _ = http.NewRequest(http.MethodGet, routeURL.String(), nil)
	}

[maxlerebourg]

With the new version, can you tell us if it's fixed ?
Now, to choose if it's a GET or a POST, we look for if (req.Body != nil), maybe it fix your issue.

[nward]

With the new version, can you tell us if it's fixed ?
Now, to choose if it's a GET or a POST, we look for if (req.Body != nil), maybe it fix your issue.

I'm traveling at the moment but can check in a day or two. Sounds promising though, thanks!