I want help

janke · December 10, 2012, 7:57pm

Hello all,

What is the best way to block un-expected submissions?

For example, I have this puzzle:
((aaa=(\d{1,8}.)+(\d{1,8}))&(bbb=\w{10,30})&(ccc=\d{1,10}))

aaa is uuid, bbb is alphanumric, ccc is just numeric.

I want to have nginx validating this regex, and one more, if someone
craft
(ddd=xyz) in the submission url, it has to FAIL.

Pls, comments are welcome.

tjoseph.

janke · December 10, 2012, 8:28pm

Did I tell that I am looking into a reverse proxy situation ? No.

My mistake. I want to have a reverse proxy, that would filter the
incoming
and pass-on/reject upon the rules.

[SSL enabled web-client]=>[NGINX]=>{filtering]=>[My own custom built
HTTP application]
[SSL enabled web-client]<=[NGINX]<=[My own custom built HTTP
application]

Thanks,

tjoseph.

From: Thomas J. [email protected]
To: “[email protected]” [email protected]
Sent: Tuesday, 11 December 2012 12:26 AM
Subject: I want help…

Hello all,

What is the best way to block un-expected submissions?

For example, I have this puzzle:
((aaa=(\d{1,8}.)+(\d{1,8}))&(bbb=\w{10,30})&(ccc=\d{1,10}))

aaa is uuid, bbb is alphanumric, ccc is just numeric.

I want to have nginx validating this regex, and one more, if someone
craft
(ddd=xyz) in the submission url, it has to FAIL.

Pls, comments are welcome.

tjoseph.

janke · December 14, 2012, 9:19pm

Hello all,

Want to share what I came up with.

See, I have 3 key strings , say abc, pqr and xyz.

And a valid submission will be
https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

abc is numeric, with . in between, and ending in digit(s), think of a
uuid like 2.16.840.1.113883

pqr is only alpha, but has 2 choices, asdf or lkjh

xyz is purely numeric

I do not use this for anything other than reverse proxy, if the pattern
matches.

Here is what I come up with:

location / {
…
…
if ($args ~ ^((abc=(\d+.)+(\d+))&(pqr=(asdf|lkjh))&(xyz=\d+))$){
proxy_pass http://127.0.0.1:890/?$1;
}

Still I can not limit the repetition, like (abc=(\d{3,10})). Seems
nginx, does not support {}. Is that true ?
Provided that I can predict if there can not be more than
64charactersfor abc how do I do it ?

And what about “if is evil”

Does that make sense in 1.2.6 too ??

Tell me I am wrong !!

Thanks all.

tjoseph.

From: Thomas J. [email protected]
To: “[email protected]” [email protected]
Sent: Tuesday, 11 December 2012 12:57 AM
Subject: Re: I want help…

Did I tell that I am looking into a reverse proxy situation ? No.

My mistake. I want to have a reverse proxy, that would filter the
incoming
and pass-on/reject upon the rules.

[SSL enabled web-client]=>[NGINX]=>{filtering]=>[My own custom built
HTTP application]
[SSL enabled web-client]<=[NGINX]<=[My own custom built HTTP
application]

Thanks,

tjoseph.

From: Thomas J. [email protected]
To: “[email protected]” [email protected]
Sent: Tuesday, 11 December 2012 12:26 AM
Subject: I want help…

Hello all,

What is the best way to block un-expected submissions?

For example, I have this puzzle:
((aaa=(\d{1,8}.)+(\d{1,8}))&(bbb=\w{10,30})&(ccc=\d{1,10}))

aaa is uuid, bbb is alphanumric, ccc is just numeric.

I want to have nginx validating this regex, and one more, if someone
craft
(ddd=xyz) in the submission url, it has to FAIL.

Pls, comments are welcome.

tjoseph.

nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx

janke · December 14, 2012, 9:52pm

On Sat, Dec 15, 2012 at 04:18:55AM +0800, Thomas J. wrote:

Hi there,

it seems to me that the level of application-specific control you are
looking for probably does not belong in a default nginx.conf.

The back-end application is probably the right place to do these checks.

You could try using one of the nginx embedded language modules, which
may provide more features.

Or you could try using the various $arg_* variables in a map –
Module ngx_http_map_module.

And a valid submission will be
https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

Would https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf be
invalid? Unless you control the client, you probably don’t control
the order.

abc is numeric, with . in between, and ending in digit(s), think of a uuid like
2.16.840.1.113883

pqr is only alpha, but has 2 choices, asdf or lkjh

xyz is purely numeric

Untested, but something like

map $arg_xyz $xyz_bad {
default 1
~ ^[0-9]+$ 0
}

with similar things for “abc” and “pqr”, would set variables that you
could then test for.

if ($xyz_bad) {
return 400 “xyz is wrong”
}

location / {
…
…
if ($args ~ ^((abc=(\d+.)+(\d+))&(pqr=(asdf|lkjh))&(xyz=\d+))$){
proxy_pass http://127.0.0.1:890/?$1;
}

Still I can not limit the repetition, like (abc=(\d{3,10})). Seems nginx, does
not support {}. Is that true ?

I don’t know; but it possibly depends on the regex library found at
compile time.

And what about “if is evil”

Don’t use “if” inside “location” unless you can explain why your usage
is correct. That’s the rule I tend to use.

Good luck with it,

f

Francis D. [email protected]

janke · December 14, 2012, 10:58pm

Hi,

Thanks a lot for the insight.

I have checked the order of abc, pqr and xyz and nginx does not
proxy_pass.

It does not proxy_pass if it is ab or abcd, instead of abc.

It does not even matching special characters.

That is good, and it is blocking a submission with additionalparameters,
like

https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598&def=123

The client is typically the browser that would make ajax call from
anywhere in the Internet, but I do
see someone possibly crafting a payload that could confuse the app
running on 127.0.0.1.

Will definitely go through map and will get back.

Appreciate and thanks again, Francis.

tjoseph.

From: Francis D. [email protected]
To: [email protected]
Sent: Saturday, 15 December 2012 2:21 AM
Subject: Re: I want help…

On Sat, Dec 15, 2012 at 04:18:55AM +0800, Thomas J. wrote:

Hi there,

it seems to me that the level of application-specific control you are
looking for probably does not belong in a default nginx.conf.

The back-end application is probably the right place to do these checks.

You could try using one of the nginx embedded language modules, which
may provide more features.

Or you could try using the various $arg_* variables in a map –
Module ngx_http_map_module.

And a valid submission will be
https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

Would https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf be
invalid? Unless you control the client, you probably don’t control
the order.

abc is numeric, with . in between, and ending in digit(s), think of a uuid like
2.16.840.1.113883

pqr is only alpha, but has 2 choices, asdf or lkjh

xyz is purely numeric

Untested, but something like

map $arg_xyz $xyz_bad {
default 1
~ ^[0-9]+$ 0
}

with similar things for “abc” and “pqr”, would set variables that you
could then test for.

if ($xyz_bad) {
return 400 “xyz is wrong”
}

location / {
…
…
if ($args ~ ^((abc=(\d+.)+(\d+))&(pqr=(asdf|lkjh))&(xyz=\d+))$){
proxy_pass http://127.0.0.1:890/?$1;
}

Still I can not limit the repetition, like (abc=(\d{3,10})). Seems nginx, does
not support {}. Is that true ?

I don’t know; but it possibly depends on the regex library found at
compile time.

And what about “if is evil”

Don’t use “if” inside “location” unless you can explain why your usage
is correct. That’s the rule I tend to use.

Good luck with it,

f

Francis D. [email protected]