Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[owasp-modsecurity compatibility] hexDecode method #1253

Open
tty2 opened this issue Dec 18, 2024 · 3 comments
Open

[owasp-modsecurity compatibility] hexDecode method #1253

tty2 opened this issue Dec 18, 2024 · 3 comments

Comments

@tty2
Copy link

tty2 commented Dec 18, 2024

Summary

coraza doesn't implement method hexDecode
owasp-modsecurity has this method

Basic example

https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#hexdecode

Motivation

OWASP modsecurity compatibility

@fzipi
Copy link
Member

fzipi commented Dec 18, 2024

Thanks for reporting! Are you up for a PR?

@tty2
Copy link
Author

tty2 commented Dec 18, 2024

Hi
I'm gonna take it to implement soon.

@tty2
Copy link
Author

tty2 commented Dec 20, 2024

Could you help me to understand the approach used in the tests for hexDecode?
https://github.com/corazawaf/coraza/blob/main/internal/transformations/testdata/hexDecode.json

@jcchavezs I see you are an author of these tests, you are probably more in the context. And thanks you've done it in advance!

My current assumption that coraza tends to "best-effort" approach (opposite to "fail fast" approach). In that case it explains everything.
As example this test case:

 {
    "type": "tfn",
    "name": "hexDecode",
    "input": "01234567890a0",
    "output": "\\x01#Eg\\x89\\x0a",
    "ret": 1
 }

From RFC 4648:
"The encoding process represents 8-bit groups (octets) of input bits as output strings of 2 encoded characters." => the valid lenght of the input should be even. In this case it is odd, 13 characters.
As I understand the offered logic is pretty simple: from the expected output I can guess we just trim the input and process the rest. Right?

The other case is more tricky:

  {
    "name": "hexDecode",
    "type": "tfn",
    "ret": 1,
    "input": "01234567890a0z01234567890a",
    "output": "\\x01#Eg\\x89\\x0a#\\x01#Eg\\x89\\x0a"
  }

We have even number of characters at the begging but with the invalid symbol inside ("z" in this case). With removing invalid symbol only we'll get to the situation from the previous case (odd number of symbols). Which logic we should follow here?
I guess find the next valid pair and follow, right?
The most interesting part is how do we get "#" from "0z". Is that some specific behavior? I couldn't find any mentioning about it in RFC. Could you clarify this part, please?

Thanks in advance

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants