Return an error when parsing an Include directive using a glob pattern that doesn't match any file
#1250
Comments
|
Hey @gantony, thanks for reporting this! |
|
Thanks for the feedback.
We could dig a hole for ourselves here too 😅. Maybe the path is valid but we typed A bit like a compile error for an unused variable in go 😄. |
|
What middleware and what version are you using? |
|
I am using the latest I guess an example would help describe the issue. This program: package main
import (
"fmt"
"testing/fstest"
"github.com/corazawaf/coraza/v3"
)
func main() {
m := fstest.MapFS{
"crs/sample.conf": &fstest.MapFile{Data: []byte("SecRuleEngine DetectionOnly\n")},
"valid.conf": &fstest.MapFile{Data: []byte("Include crs/sample.conf\n")},
"valid-glob.conf": &fstest.MapFile{Data: []byte("Include crs/*.conf\n")},
"invalid-error.conf": &fstest.MapFile{Data: []byte("Include crs/demo.conf\n")},
"invalid-silent.conf": &fstest.MapFile{Data: []byte("Include rules/*.conf\n")},
}
setupCoraza := func(config string) {
_, err := coraza.NewWAF(coraza.NewWAFConfig().
WithRootFS(m).
WithDirectives(config))
if err != nil {
fmt.Println(err)
}
}
// This works
setupCoraza(`Include valid.conf`)
// This works (glob)
setupCoraza(`Include valid-glob.conf`)
// This doesn't work, but we get the expected error
setupCoraza(`Include invalid-error.conf`)
// This doesn't work (no file imported), but it does so silently
// Would like to add an error when an Include with a glob has no effect (import no files)
setupCoraza(`Include invalid-silent.conf`)
}provides the following output: and I would propose to update Coraza to provide the following output: Of course, I'm open to suggestion for the exact wording around |
Sorry, looks like I should have opened a discussion instead of opening an issue 😓. The fix (if desirable) is very small so will open a PR for consideration. |
|
As I ran into a similar issue: Example: If the coraza service-user has no read-permissions for the directory containing the config-files ( Versions: |
|
PR is merged, so I believe this issue can be closed. |
Summary
Coraza gives us a nice (and helpful!) error message when a file we want to include is not found.
For example,
Include Ncoraza.conf, whereNcoraza.confdoes not exists, we get the following error:However, when using a glob like in
Include coreruleset-default/*.conf, whencoreruleset-defaultdoes not exist, we get no error whatsoever. The existing logic only returns an error is the glob expression is malformed, as commented in fs.Glob:My suggestion is to add an extra check, and create an "no matched files error" when an
Includedirective with a blob does not match any file.Basic example
Evaluating
Include coreruleset-default/*.conf, where there is no match, would return an error like:Currently, the operation succeeds (no file is loaded,
Importdirective has no effect and no error is provided).Motivation
Doing this for consistency between importing a file and importing multiple files with a glob pattern. If we add an import directive, the expectation is that it will either import something or report an error.
Discussion
I am happy to implement that change, but want to discuss it first to make sure it's acceptable.
Should it be the default behavior? I think so, but maybe some folks could be afraid of breaking existing configuration. If this is a strong concern, we could make this validation optional with an optional parameter. This wouldn't be my preference, but that would be better that not having anything...
The text was updated successfully, but these errors were encountered: