Skip to content

Latest commit

 

History

History
726 lines (377 loc) · 33.7 KB

chat-archive-2023-06-28.md

File metadata and controls

726 lines (377 loc) · 33.7 KB

Wed, Jun 28th, 2023

Juan Pablo Tosso 12:00:25 UTC

Hello everyone, and welcome to our monthly meeting! Let’s wait a few minutes to see who else is joining 🙂

Matteo Pace 12:02:29 UTC

Hey hey 👋

Juan Pablo Tosso 12:03:16 UTC

@JC @fzipitria

Juan Pablo Tosso 12:04:29 UTC

Meeting link: corazawaf/coraza#814

JC 12:04:54 UTC

Aloha

Juan Pablo Tosso 12:05:43 UTC

This month has been full of releases, we released v3, v3.0.1, and v3.0.2. As most of you Know we are super proud of v3 as it is a major update with tons of performance and API improvements

Juan Pablo Tosso 12:06:48 UTC

v3.0.1 is a super important update as it implements a few bug fixes, performance improvements and most important it fixes this security advisory https://github.com/corazawaf/coraza/security/advisories/GHSA-c2pj-v37r-2p6h This bug allows an attacker to DDOS coraza by using a malicious content-type header

Juan Pablo Tosso 12:07:57 UTC

and v3.0.2 fixes a super important bug that was affecting our connectors by sometimes breaking the body buffers

Juan Pablo Tosso 12:08:17 UTC

This month 6 PRs were created and merged: corazawaf/coraza#807 corazawaf/coraza#808 corazawaf/coraza#811 corazawaf/coraza#812 corazawaf/coraza#824 corazawaf/coraza#825

Juan Pablo Tosso 12:09:09 UTC

After v3 release, we have seen a considerable increase in the number of issues and contributions, so I would like to thank the team for the diffusion and the rest of the community for trusting us with our security 🙂 it has been an awesome month

Juan Pablo Tosso 12:10:01 UTC

We are receiving a lot of activity for most of our connectors, there is a lot of interest in the SPOA and we have received a lot of feedbacks so we hope at some point it can become stable

Juan Pablo Tosso 12:10:23 UTC

Caddy connector has received lots of issues but it means there is interest in the community 🙂 development is quite active here

Juan Pablo Tosso 12:10:41 UTC

We are finally receiving a lot of interest and participation in libcoraza, which will become the heart of the Nginx connector

Juan Pablo Tosso 12:12:02 UTC

and of course, our proxy-wasm team has finally released v0.1.0 and v0.1.1 🙂 https://github.com/corazawaf/coraza-proxy-wasm/releases/tag/0.1.0

Juan Pablo Tosso 12:12:24 UTC

so enough of project status, any questions ?

Juan Pablo Tosso 12:13:38 UTC

Ok so the first topic is HTTP audit log writer

Juan Pablo Tosso 12:15:32 UTC

We have to do a few definitions

JC 12:17:09 UTC

right now coraza is not aware of its own version so we cannot add it to the user-agentnice to have, not toooo important tho.

Are we keeping compatibility for mlogc?is this what people does use? What are the alternatives?

Are we adding any extra headers to the log upload?Shall we support auth?

How much is the timeout value?whatever we come up will be wrong but maybe a best guess e.g. 1s?

Should we use content-type? the problem is we are not aware of the formatter’s content-typeGood one, we must make the formatter aware of it

I guess like every other format

nope, it creates a barrier for local development and PoC

Juan Pablo Tosso 12:17:56 UTC

I’m not aware if anyone uses mlogc, its part of the modsec toolkit, @airween what do you think?

airween 12:24:33 UTC

Uhm, sorry, I don't use mlogc. (Actually I use autit.log very rarely...)

Juan Pablo Tosso 12:24:50 UTC

but what do you think about the community?

airween 12:26:14 UTC

Sorry, I don't understand this now 🙂 - what do you mean about "the community"?

Juan Pablo Tosso 12:26:35 UTC

I mean, do you see people asking about mlogc? Is it a thing?

Juan Pablo Tosso 12:26:41 UTC

or nobody really uses it

airween 12:28:36 UTC

oh, I got it - once I saw an issue under ModSecurity GH page that they want to finish the developing of that tool, because none of them use that

Juan Pablo Tosso 12:29:13 UTC

great! thank you very much 🙂

airween 12:29:26 UTC

but now I can't find that issue 😞

airween 12:32:28 UTC

oh, sorry - here is the post what I remember:

owasp-modsecurity/ModSecurity#2275 (comment)

he just mentions there that mlogc is not available in libmodsecurity3.

Hope this helps ❤️

Juan Pablo Tosso 12:33:02 UTC

thank you very much! This is a great reference. It makes sense to ignore mlogc support

Juan Pablo Tosso 12:18:26 UTC

Auth is supported by using basic auth, just set the URL as http://username:passsword@url.com

JC 12:18:45 UTC

This isn’t ZeroTrust friendly

Juan Pablo Tosso 12:18:56 UTC

nothing is zerotrust friendly

Juan Pablo Tosso 12:20:19 UTC

In that case we would have to extend AuditLogConfig with a username and a password

JC 12:21:07 UTC

Probably support for headers is desirable.

Juan Pablo Tosso 12:22:17 UTC

we could add something like SecAuditLogHttpsHeader X-Api-Key %{API_KEY} To get API keys from ENV?

JC 12:26:08 UTC

Since we are talking about adding a new directive it is better to defer this until someone request it.

Juan Pablo Tosso 12:21:14 UTC

what happens if the binary formatter uses null bytes ?

JC 12:21:41 UTC

What is the problem? We let the receiver to deal with it.

JC 12:21:56 UTC

I mean in https we can't do much more than sending the payload.

JC 12:22:13 UTC

If we want something more sofisticated maybe people use other stuff

Juan Pablo Tosso 12:23:27 UTC

what I mean if we would have to handle CRLFs inside the binary payloads

Juan Pablo Tosso 12:23:45 UTC

but I agree

Juan Pablo Tosso 12:24:28 UTC

ok so for log formatters lets update the map to store both, the content-type and the formatter. Then we propagate it using the options

airween 12:24:33 UTC

Uhm, sorry, I don't use mlogc. (Actually I use autit.log very rarely...)

airween 12:24:33 UTC

Uhm, sorry, I don't use mlogc. (Actually I use autit.log very rarely...)

Juan Pablo Tosso 12:24:50 UTC

but what do you think about the community?

airween 12:26:14 UTC

Sorry, I don't understand this now 🙂 - what do you mean about "the community"?

Juan Pablo Tosso 12:26:35 UTC

I mean, do you see people asking about mlogc? Is it a thing?

Juan Pablo Tosso 12:26:41 UTC

or nobody really uses it

airween 12:28:36 UTC

oh, I got it - once I saw an issue under ModSecurity GH page that they want to finish the developing of that tool, because none of them use that

Juan Pablo Tosso 12:29:13 UTC

great! thank you very much 🙂

airween 12:29:26 UTC

but now I can't find that issue 😞

airween 12:32:28 UTC

oh, sorry - here is the post what I remember:

owasp-modsecurity/ModSecurity#2275 (comment)

he just mentions there that mlogc is not available in libmodsecurity3.

Hope this helps ❤️

Juan Pablo Tosso 12:33:02 UTC

thank you very much! This is a great reference. It makes sense to ignore mlogc support

Juan Pablo Tosso 12:24:50 UTC

but what do you think about the community?

airween 12:24:33 UTC

Uhm, sorry, I don't use mlogc. (Actually I use autit.log very rarely...)

Juan Pablo Tosso 12:24:50 UTC

but what do you think about the community?

airween 12:26:14 UTC

Sorry, I don't understand this now 🙂 - what do you mean about "the community"?

Juan Pablo Tosso 12:26:35 UTC

I mean, do you see people asking about mlogc? Is it a thing?

Juan Pablo Tosso 12:26:41 UTC

or nobody really uses it

airween 12:28:36 UTC

oh, I got it - once I saw an issue under ModSecurity GH page that they want to finish the developing of that tool, because none of them use that

Juan Pablo Tosso 12:29:13 UTC

great! thank you very much 🙂

airween 12:29:26 UTC

but now I can't find that issue 😞

airween 12:32:28 UTC

oh, sorry - here is the post what I remember:

owasp-modsecurity/ModSecurity#2275 (comment)

he just mentions there that mlogc is not available in libmodsecurity3.

Hope this helps ❤️

Juan Pablo Tosso 12:33:02 UTC

thank you very much! This is a great reference. It makes sense to ignore mlogc support

Juan Pablo Tosso 12:29:22 UTC

The rest of the points looks good to me:

Juan Pablo Tosso 12:29:42 UTC

let’s consider headers for the future, I think it requires more feedbacks

Juan Pablo Tosso 12:30:43 UTC

if everyone is ok we could proceed to the next topic

Juan Pablo Tosso 12:31:04 UTC

I believe it’s not a thing anymore as we already released v3.0.1 and v3.0.2

JC 12:31:56 UTC

Following semver

Juan Pablo Tosso 12:32:27 UTC

exactly we should always use semantic versioning as it is the go standard for go mod

Juan Pablo Tosso 12:31:22 UTC

Sponsorship perks !

JC 12:31:56 UTC

Following semver

JC 12:31:56 UTC

Following semver

Juan Pablo Tosso 12:32:27 UTC

exactly we should always use semantic versioning as it is the go standard for go mod

Juan Pablo Tosso 12:33:02 UTC

thank you very much! This is a great reference. It makes sense to ignore mlogc support

airween 12:24:33 UTC

Uhm, sorry, I don't use mlogc. (Actually I use autit.log very rarely...)

Juan Pablo Tosso 12:24:50 UTC

but what do you think about the community?

airween 12:26:14 UTC

Sorry, I don't understand this now 🙂 - what do you mean about "the community"?

Juan Pablo Tosso 12:26:35 UTC

I mean, do you see people asking about mlogc? Is it a thing?

Juan Pablo Tosso 12:26:41 UTC

or nobody really uses it

airween 12:28:36 UTC

oh, I got it - once I saw an issue under ModSecurity GH page that they want to finish the developing of that tool, because none of them use that

Juan Pablo Tosso 12:29:13 UTC

great! thank you very much 🙂

airween 12:29:26 UTC

but now I can't find that issue 😞

airween 12:32:28 UTC

oh, sorry - here is the post what I remember:

owasp-modsecurity/ModSecurity#2275 (comment)

he just mentions there that mlogc is not available in libmodsecurity3.

Hope this helps ❤️

Juan Pablo Tosso 12:33:02 UTC

thank you very much! This is a great reference. It makes sense to ignore mlogc support

Juan Pablo Tosso 12:33:20 UTC

I want to use as examples:

Juan Pablo Tosso 12:34:07 UTC

Also I would like to mention that although we don’t have any financial requirement as a project, we would be able to do some interesting things, like issues with bounties, a dev on duty program, and a coraza live event somewhere in the world

JC 12:35:42 UTC

The ConRaza cc @fzipitria

Juan Pablo Tosso 12:36:09 UTC

corazacon

Juan Pablo Tosso 12:36:27 UTC

corazapalooza

Juan Pablo Tosso 12:36:03 UTC

There is also another kind of support that we appreciate a lot, for example, Tetrate provides helps in the development, and Traceable formally supports my work in coraza. Among other companies like Intel. Should we also have a perk for them?

JC 12:36:59 UTC

Interesting idea

Juan Pablo Tosso 12:38:05 UTC

Zap has the following criteria for platinum sponsorship: Perks:

Juan Pablo Tosso 12:39:39 UTC

I don’t think there is anyone working 80% on coraza so maybe we should adjust it to a lower sponsorship level

Juan Pablo Tosso 12:44:10 UTC

Let’s copy Zap’s criterias wit ha few changes:

JC 12:46:32 UTC

I would create an issue on this and see if there are companies interested

Juan Pablo Tosso 12:46:49 UTC

Ok lgtm

Juan Pablo Tosso 12:47:00 UTC

so we will continue this topic inside the issue

Juan Pablo Tosso 12:47:31 UTC

Finally, JC’s philosophical topic, to Dependabot or not to dependabot

Juan Pablo Tosso 12:47:55 UTC

I personally love dependabot, it doesnt hurt

JC 12:48:12 UTC

So I should have create an issue for this, it's being in my head for a while

JC 12:48:31 UTC

Whenever we release a new stable version in coraza, updating all the connectors is a pain.

JC 12:48:47 UTC

So I think that should be automated.

Juan Pablo Tosso 12:49:38 UTC

mmh I think dependabot should take care of that, but I don’t know how

JC 12:50:08 UTC

I saw this working in other orgs.

JC 12:50:31 UTC

So we just need to implement a flow for dependabot to fot he updated whenever coraza is out. Now that coraza is stable we can do that easily.

JC 12:50:54 UTC

Like we don't have to deal with breaking changes.

Juan Pablo Tosso 12:55:13 UTC

let’s create an issue to do the configs

Juan Pablo Tosso 12:55:24 UTC

but I agree with you, we use dependabot everywhere and it just makes sense

Juan Pablo Tosso 12:56:05 UTC

any other thing you would like to discuss team? As @JC calls us, corazones :rolling_on_the_floor_laughing: which means hearts in spanish

JC 12:56:55 UTC

I wonder if we should look at supply chain checks on CI like using snyk or things like that.

Juan Pablo Tosso 12:57:36 UTC

it is interesting but we should also keep in mind that most of our dependencies are for development and building, not for runtime

JC 12:58:19 UTC

But my real big concern is who is taking ownership of the actions we just talked about in this meeting. When people wakes up it would be cool for us to check the meeting and see if any of us can own some work @Matteo Pace @Roshan Piyush @fzipitria @Anuraag Agrawal

JC 12:59:55 UTC

I can own dependabot check

JC 13:00:12 UTC

Since @Juan Pablo Tosso is owning the https reporter

Matteo Pace 13:01:36 UTC

I think would be great to create all the issues that you just talk about and wait for some assignments/self assignments

Juan Pablo Tosso 13:03:12 UTC

I agree with Matteo, lets create proper issues

Matteo Pace 13:03:14 UTC

About dependabot, I don’t know if it is feasible, but some issues required to manually run go mod tidy

Juan Pablo Tosso 13:03:39 UTC

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot there are a lot of options for dependabot

Matteo Pace 13:05:24 UTC

I will be careful if it happens again, and see if it is doable to make it run automatically

Juan Pablo Tosso 13:03:16 UTC

and each one of us take ownership

Liang Zhibang 13:07:00 UTC

please review my PR 🫡 corazawaf/libcoraza#30

Juan Pablo Tosso 13:08:41 UTC

nice catch, I will take a look and approve it, thank you

Liang Zhibang 13:09:48 UTC

🫡

Juan Pablo Tosso 13:08:47 UTC

Ok so we close our monthly meetings

Juan Pablo Tosso 13:08:56 UTC

Please team help me creating issues

Juan Pablo Tosso 13:08:58 UTC

Thank you everyone!

Liang Zhibang 13:14:04 UTC

I’ve ported coraza to openresty successfully. But my libcoraza-nginx not compatible with libcoraza. I think of create a repo named libcoraza-nginx

Juan Pablo Tosso 13:14:57 UTC

lets try to keep it as generic as possible but we can do that in the meantime

Liang Zhibang 13:16:25 UTC

you are right.

Liang Zhibang 13:14:19 UTC

https://github.com/potats0/lua-resty-coraza

Liang Zhibang 13:15:07 UTC

load full coreruleset spend 50M in arm ubuntu

Liang Zhibang 13:16:49 UTC

worker process 4,

Juan Pablo Tosso 13:17:51 UTC

terrific work, thank you very much Liang, we will keep a close eye

Liang Zhibang 13:23:31 UTC

qps with coraza

Liang Zhibang 13:23:51 UTC

qps without coraza

Juan Pablo Tosso 13:28:35 UTC

and have you tested blocking?

Liang Zhibang 13:29:47 UTC

sure

Juan Pablo Tosso 13:29:51 UTC

@fzipitria / @JC what should be a decent test plan to test there are no memory leaks?

Liang Zhibang 13:30:04 UTC

I tested

Juan Pablo Tosso 13:30:28 UTC

it is hard to test memory leaks using cgo because of the garbage collector

Liang Zhibang 13:31:03 UTC

if memory was leaked the nginx will oom when 10000 requests

Juan Pablo Tosso 13:31:14 UTC

I see

Juan Pablo Tosso 13:31:53 UTC

I’m impressed, I will take a deeper look and get back to you. We really appreciate your contribution

Juan Pablo Tosso 13:32:29 UTC

We have to solve the log callbacks issue too

Juan Pablo Tosso 13:32:39 UTC

where are you pointing the error logs?

Liang Zhibang 13:33:50 UTC

i didn't point the error log .I am wondering about log callback

Juan Pablo Tosso 13:34:15 UTC

there is a function but it is not working. I will take some time to fix it and get back to you

Liang Zhibang 13:35:31 UTC

sure, i'm waiting for you, and thank you for contributing

Juan Pablo Tosso 13:36:02 UTC

but we should send coraza a pointer to a function that handles the log

void ngx_http_modsecurity_log(void log, const void data) { const char *msg; if (log == NULL) { return; } msg = (const char *) data;

ngx_log_error(NGX_LOG_INFO, (ngx_log_t *)log, 0, "%s", msg);

} msc_set_log_cb(conf->modsec, ngx_http_modsecurity_log);

Juan Pablo Tosso 13:36:07 UTC

this is how modsec - nginx handles it

Liang Zhibang 13:39:56 UTC

cgo is hard to invoke pointer of function

Juan Pablo Tosso 13:40:08 UTC

yes but there is a hack

Juan Pablo Tosso 13:40:19 UTC

you create a C function inside go, then you do it from there

Juan Pablo Tosso 13:40:34 UTC

so instead of calling the C function, you call the CGO C function that calls the C function

Liang Zhibang 13:44:05 UTC

you mean that log callback for printing error log of coraza?

Juan Pablo Tosso 13:44:13 UTC

yes

Juan Pablo Tosso 13:44:29 UTC

@airween would be happy if it is fixed lol

Liang Zhibang 13:45:42 UTC

libcoraza exposed a few api for calling.maybe use go reflect to solve the problem

Juan Pablo Tosso 13:46:20 UTC

https://github.com/corazawaf/libcoraza/blob/master/libcoraza/log.go

Juan Pablo Tosso 13:46:36 UTC

https://github.com/corazawaf/libcoraza/blob/3fb9f6c3928e8fc141eb5fd9cea3d74a268204e1/libcoraza/coraza.go#L280

Juan Pablo Tosso 13:46:57 UTC

coraza_set_log_cb should call C.send_log_to_cb

Liang Zhibang 13:48:12 UTC

get it