Enabling nextcloud exclusion --> Expecting an action, got: ctl:requestBodyLimit=1073741824" · Issue #2069 · coreruleset/coreruleset · GitHub
Closed
mathsen opened this issue May 9, 2021 · 7 comments
mathsen commented May 9, 2021

Describe the bug

I have a nextcloud install (using modsecurity with the nginx connector), enabled the owasp nextcloud exclusions and everything runs fine, except uploading big files.
So I tried to enable the commented-out, predefined rule in "rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf":

SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
    "id:9003610,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824"

Expected behaviour

Big file uploads work

Actual behaviour

Testing with the rule uncommented results in an error. Running "nginx -t" gives:
File: /etc/nginx/modsec/coreruleset-dev/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf. Line: 35. Column: 33. Expecting an action, got: ctl:requestBodyLimit=1073741824"

--> I can't even enable the exclusion and don't see why.

Your Environment

  • CRS version: current dev branch
  • Paranoia level setting: 1
  • ModSecurity version: 3.0.4
  • Web Server and version: nginx 1.19.10
  • Operating System and version: Arch Linux, fully up to date
airween (Contributor) commented May 9, 2021

Hi @mathsen,

thanks for the report.

Sorry to say, but it looks like you ran into a libmodsecurity3 bug (or rather a deficiency), namely that libmodsecurity3 does not support the ctl:requestBodyLimit action.

First, you can check the (weak) documentation here. As you can see, this action is just in the planning state (marked as TBI, which I guess means "to be implemented").

But you can also check the source: the scanner (it's a lexical analyzer) can't recognize this token (ctl:requestBodyLimit), because it is not implemented yet. You can also check the list of implemented actions here. (Note: if a token exists in the scanner and the parser, it doesn't mean that it works as you expect.)

Thank you again for your report; it's very important feedback for us (it's a commented-out rule, therefore we did not notice it).

I am not closing this issue yet, but have added it to our monthly chat agenda. I'm afraid we can't help you with this issue, but maybe we have to do something about that commented-out rule in general.

Sorry again.

mathsen (Author) commented May 9, 2021

@airween Thanks for the fast reply!
Is there no "usual way" at the moment of enabling the upload of big files in nextcloud, or an exception with a predefined rule, or can you give me a hint on how to achieve this?
I don't see anything else in REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf and can't believe that nobody has stumbled over this question yet.

Thanks for the help and greetings

Matse

mathsen (Author) commented May 9, 2021

Hello,
just wanted to give a brief update: with this issue I was able to use the same workaround as mentioned there, so basically in my nginx configuration:

server {
    server_name  nextcloud.mydomain.com;

    modsecurity on;
    modsecurity_rules 'SecRequestBodyLimit 1073741824';
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    .
    .
    .
}

which works as intended.

Greetings
Matse

airween (Contributor) commented May 10, 2021

hi @mathsen,

your provided solution is the same as what I would have suggested too. Please note that with this setting the given value will be used for the whole request, e.g. if the client sends a request with tons of POST arguments or long arguments, the processing time may increase. In the case of v3 you can't separately control the whole request size and the size excluding any files, because SecRequestBodyNoFilesLimit is also not supported.
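
A small lint, added here as an illustration (it is not CRS or libmodsecurity code), that scans a rules file for the two features this thread says libmodsecurity v3 does not implement: the ctl:requestBodyLimit action (airween's first reply) and the SecRequestBodyNoFilesLimit directive (the note above). It joins backslash-continued lines and skips commented-out rules, which is why the shipped CRS file parses cleanly until the rule is uncommented; the sample config is constructed from the rule in the report.

```python
import re
# Constructed from this thread: the action and directive libmodsecurity v3 lacks (TBI).
UNSUPPORTED_ACTIONS = {"ctl:requestBodyLimit"}
UNSUPPORTED_DIRECTIVES = {"SecRequestBodyNoFilesLimit"}

def logical_lines(text):
    """Join backslash-continued lines; skip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and line.lstrip().startswith("#"):
            continue  # commented-out rule: the engine never parses it
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out

def lint(text):
    """Return (rule id or directive, offending token) for each unsupported feature."""
    findings = []
    for line in logical_lines(text):
        directive = line.split(None, 1)[0]
        if directive in UNSUPPORTED_DIRECTIVES:
            findings.append((directive, line))
        elif directive in ("SecRule", "SecAction"):
            strings = re.findall(r'"((?:[^"\\]|\\.)*)"', line)  # last one = action list
            # split on commas outside single quotes so msg:'a, b' stays one action
            acts = [a.strip() for a in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", strings[-1])] if strings else []
            rule_id = next((a[3:] for a in acts if a.startswith("id:")), "?")
            for a in acts:
                name = a.split("=", 1)[0] if a.startswith("ctl:") else a.split(":", 1)[0]
                if name in UNSUPPORTED_ACTIONS:
                    findings.append((rule_id, a))
    return findings

# Constructed sample: the thread's rule commented out (as CRS ships it), then uncommented
# (as the reporter did), a rule with only supported actions, and both body-limit directives.
SAMPLE_CONF = r'''
#SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
#    "id:9003610,phase:1,t:none,nolog,ctl:requestBodyLimit=1073741824"
SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
    "id:9003610,phase:1,t:none,nolog,ctl:requestBodyLimit=1073741824"
SecRule REQUEST_URI "@beginsWith /index.php/apps/files/" \
    "id:9003600,phase:1,pass,nolog,msg:'a, b',ctl:ruleRemoveById=920420"
SecRequestBodyLimit 1073741824
SecRequestBodyNoFilesLimit 1048576
'''
```

Running lint(SAMPLE_CONF) flags only the uncommented rule 9003610 and the SecRequestBodyNoFilesLimit line; the plain SecRequestBodyLimit directive used in the nginx workaround passes.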

mathsen (Author) commented May 10, 2021

@airween Thanks for your help and detailed answers, which helped a lot to understand the underlying problem!
I will regularly check the docs you provided and update the config to the better "ctl:requestBodyLimit"-solution, once it's available.
Thanks for the quick support here.

lifeforms (Member) commented:
Chat decision: Keeping this issue open for further development.

airween (Contributor) commented Jun 7, 2021

#2098 is closed - do we need to keep this issue open?
