ModSecurity-nginx

Add an Option to Skip Body Inspections ( Closes #343 )

Open thekief opened this issue 6 months ago • 6 comments

As discussed in the issue, I would like to add 2 new directives that allow skipping the body inspection. There are a few use cases where, e.g., encrypted data is set, and no useful inspection can be made.

While denying the body access may skip the inspection, it still results in the caching of data. Subsequently, there is an unneeded amount of resource consumption, memory, as well as time, involved.

While it would be cleaner to expose an API that allows users of libmodsecurity to check if a path, e.g., has a request body check, this involves a lot more work. The approach taken in this PR shifts the functionality so that it only necessitates changes in the nginx module.

Regarding Tests: As for tests, I'm a bit unsure what the best way would be to test it. One way would be to try to upload a file, e.g. 100MB, to a location and check when the first data reaches it. If the body inspection is disabled, the first bytes will arrive much sooner, as the nginx module caches the body until it's fully received otherwise and only then forwards the data.

thekief avatar Jun 03 '25 10:06 thekief

Hi @thekief,

thanks for this PR, I think this is quite useful.

> Regarding Tests: As for tests, I'm a bit unsure what the best way would be to test it.

If I may suggest a method:

  • create a vhost config where you turn Off the request body inspection
  • create a rule (into phase:2) that checks for a variable from the request body (eg ARGS_POST)
  • send a request which should trigger that rule

For the response body skip:

  • create another vhost config where you turn Off the response body inspection
  • create a rule (into phase:4) that checks for a variable from the response body (eg RESPONSE_BODY)
  • set a content for that vhost which triggers that rule

You can add cross checking too (eg. the first mentioned rule above executes in phase:4 and you try to mix the settings with these new options...)

airween avatar Jun 03 '25 11:06 airween
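
A configuration sketch of the test layout suggested in the comment above, added here as an illustration and not taken from the PR or the project's test suite. The two skip directive names are the spellings proposed later in this thread and their `on` argument is an assumption; ports, rule ids and marker strings are constructed.

```nginx
# Added example. Directive names and the "on" argument are assumptions.
events {}
http {
    # Rules shared by every vhost below (ids and marker strings are constructed).
    modsecurity on;
    modsecurity_rules '
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/plain
        SecRule ARGS_POST "@streq block-me" "id:1001,phase:2,deny,status:403"
        SecRule RESPONSE_BODY "@contains leak-marker" "id:1002,phase:4,log,pass"
    ';

    # Uninspected backend that always answers with the response marker.
    server {
        listen 127.0.0.1:8081;
        modsecurity off;
        default_type text/plain;
        location / { return 200 "leak-marker\n"; }
    }

    # Baseline: both bodies inspected.
    # Expect 403 for a POST with x=block-me, and rule 1002 in the log otherwise.
    server {
        listen 127.0.0.1:8080;
        location / { proxy_pass http://127.0.0.1:8081; }
    }

    # Request body inspection skipped: the same POST should no longer hit 1001.
    server {
        listen 127.0.0.1:8082;
        modsecurity_skip_request_body_filter on;    # assumed name and argument
        location / { proxy_pass http://127.0.0.1:8081; }
    }

    # Response body inspection skipped: rule 1002 should no longer be logged,
    # while rule 1001 (request side) should still answer 403.
    server {
        listen 127.0.0.1:8083;
        modsecurity_skip_response_body_filter on;   # assumed name and argument
        location / { proxy_pass http://127.0.0.1:8081; }
    }
}
# Probe each port with the same request and compare status codes and logs:
#   curl -s -o /dev/null -w '%{http_code}\n' -d 'x=block-me' http://127.0.0.1:8080/
```

The expected outcomes in the comments follow from the behaviour the PR describes and are not verified results. The 8083 vhost doubles as the cross check mentioned in the comment, since the request rule must still fire there.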

Sorry for getting back so late. I created configurations, but as I'm terrible with nginx tests using Perl, may I just send you the configurations? :sweat_smile:

thekief avatar Jun 11 '25 12:06 thekief

The abbreviation for response is usually rep or resp, or consider not using the abbreviation and directly name the directive: modsecurity_skip_request_body_filter and modsecurity_skip_response_body_filter

HanadaLee avatar Jun 16 '25 07:06 HanadaLee

@HanadaLee thank you for looking over the changes. I use resp to abbreviate response now

thekief avatar Jun 16 '25 12:06 thekief