Skip to content

Fix SecRequestBody(NoFiles)Limit overflow#3419

Closed
airween wants to merge 4 commits intoowasp-modsecurity:v3/masterfrom
airween:v3/secreqbodylimit
Closed

Fix SecRequestBody(NoFiles)Limit overflow#3419
airween wants to merge 4 commits intoowasp-modsecurity:v3/masterfrom
airween:v3/secreqbodylimit

Conversation

@airween
Copy link
Member

@airween airween commented Jul 14, 2025

what

This PR fixes the possible overflow of SecRequestBodyLimit and SecRequestBodyNoFilesLimit directives.

why

There are two reported issues:

There are a few problems in handling these config variables:

  • the type of variables were double before this patch - this makes no sense, there is no 1234.6 bytes...
  • the type of variables were signed - also makes sense, there is no negative value
  • the parser converted the read value with atoi(), which gives an integer with different bitsize

Therefore if a user gave an extra high value, then the atoi() converted it into a negative value.

references

Fixes #3356 and #3352

side note

Now there is no hardcoded limit for these values. Beside of that if the admin gives 0 (zero) value then the engine allows unlimited bytes.

I want to stop this, which means if the value of these variables aren't set or set to 0, that means the value is 0 and engine will allow only 0 byte. Hopefully this will force the admin to set an explicit value.

@airween airween self-assigned this Jul 14, 2025
@airween airween added 3.x Related to ModSecurity version 3.x WIP labels Jul 14, 2025
@airween
Copy link
Member Author

airween commented Jul 14, 2025

This PR is working in progress.

@jonathansmith9485, @SonNgo2211, @EsadCetiner - please take a review this.

@EsadCetiner
Copy link

EsadCetiner commented Jul 14, 2025

@airween I just tested your PR and I'm still getting blocked by 200002, however this time the value is reported as 0 in the debug log

[175253424070.699027] [/remote.php/dav/files/esadc/] [5] Request body excluding files is bigger than the maximum expected. Limit: 0

@airween
Copy link
Member Author

airween commented Jul 15, 2025

@airween I just tested your PR and I'm still getting blocked by 200002, however this time the value is reported as 0 in the debug log

[175253424070.699027] [/remote.php/dav/files/esadc/] [5] Request body excluding files is bigger than the maximum expected. Limit: 0

Thanks, I can check this soon.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jul 16, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@airween
Copy link
Member Author

airween commented Jul 20, 2025

I'm going to close this PR, because I completely rewritten the Config*Int types' handling in a new one, which comes soon.

@airween airween closed this Jul 20, 2025
@airween airween deleted the v3/secreqbodylimit branch July 20, 2025 20:25
This was referenced Jul 23, 2025
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@airween airween

Labels

3.x Related to ModSecurity version 3.x WIP

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

libModSecurity3: requests are blocked when SecRequestBodyNoFilesLimit is set to a very high value

2 participants

@airween @EsadCetiner