Closed
Description
This is a resurfacing of Issue #1451, where a valid Google OAuth redirect gets blocked because it thinks you're trying to read from the ".profile" OS file.
A rule was implemented to try to detect Google OAuth and allow it:
But it seems to be too specific and fails my redirects. Example:
GET /accounts/google/login/callback/?state=123ommitted123&code=4%2F0AX4XfWj-123ommitted123-A&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=example.com&prompt=none
- There are more than just 3 args, so the first rule fails
- Even when I remove the restriction that there must be exactly 3 args, I think the regex is too restrictive as well, though I'm not sure specifically how
Audit Logs / Triggered Rule Numbers
Sensitive data masked with "••••":
2021/09/09 20:09:55 [error] 2525#2525: *30580 [client ••••••••] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable
`TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""]
[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.233.123.103"] [uri "/accounts/google/login/callback/"] [unique_id "1631218195"] [ref ""], client: ••••••••, server: ••••••••,
request: "GET /accounts/google/login/callback/?state=••••••••••••&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=renci.org&prompt=none HTTP/2.0", host: "••••••••••"
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:scope' (Value: `email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinf (16 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"]
[data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile openid"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"]
[tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "10.233.123.103"] [uri "/accounts/google/login/callback/"] [unique_id "1631218187"] [ref "o99,8v143,116t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2).
Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )
[file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "••••••••]"] [uri "/accounts/google/login/callback/"] [unique_id "1631218187"] [ref ""]
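Added example (not from this issue or from the CRS project): a Python model of what the 930120 entry above reports. It re-applies the transformation chain named in the log's [ref] field (t:utf8toUnicode, t:urlDecodeUni, t:normalizePathWin, t:lowercase) to ARGS:scope, runs a @pmFromFile-style phrase match against a constructed subset of lfi-os-files.data, scores the hit with the paranoia level 1 defaults that produce the "Total Score: 5" block, and then shows a narrow pre-rule exclusion (an assumed rule modelled on ctl:ruleRemoveTargetById, not one that ships with CRS) that drops only ARGS:scope from 930120 on this callback path while the rule still catches an LFI payload in any other argument. The function names, rule id 1000, the request line with placeholder state/code values, and the phrase list are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote_plus

# Constructed subset of the phrases in CRS's lfi-os-files.data; the real
# file is far longer, but ".profile" is the entry the issue's log reports.
LFI_OS_FILES = [".profile", ".bash_history", ".ssh/", "etc/passwd", "etc/shadow"]

# CRS defaults at paranoia level 1: a critical match adds 5 and the inbound
# threshold is 5, so a single 930120 hit is enough for 949110 to block.
CRITICAL_ANOMALY_SCORE = 5
INBOUND_ANOMALY_THRESHOLD = 5

# The callback from the issue, with state/code replaced by placeholders (constructed).
REQUEST_LINE = (
    "GET /accounts/google/login/callback/?state=STATEOMITTED&code=CODEOMITTED"
    "&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid"
    "&authuser=0&hd=example.com&prompt=none HTTP/2.0"
)


def parse_request_line(line):
    """Split a request line into (path, ARGS) the way the engine populates ARGS."""
    _method, target, _version = line.split(" ")
    parts = urlsplit(target)
    args = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path, args


def normalize_path_win(s):
    """Approximation of t:normalizePathWin: backslashes become slashes, repeated
    slashes collapse, './' self-references and 'dir/../' back-references are
    removed (a leading '../' is kept, as ModSecurity does)."""
    s = s.replace("\\", "/")
    s = re.sub(r"/{2,}", "/", s)
    s = re.sub(r"(?<![^/])\./", "", s)
    while True:
        new = re.sub(r"(^|/)(?!\.\./)[^/]+/\.\./", r"\1", s)
        if new == s:
            return s
        s = new


def transform_930120(value):
    """Apply the chain from the log's [ref] field: t:utf8toUnicode (a no-op on
    ASCII input), t:urlDecodeUni, t:normalizePathWin, t:lowercase."""
    value = unquote_plus(value)  # urlDecodeUni; %uXXXX forms are not modelled here
    value = normalize_path_win(value)
    return value.lower()


def pm_from_file(value, phrases):
    """Model of @pmFromFile: every phrase that occurs anywhere in the value."""
    return [p for p in phrases if p in value]


def rule_exclusions_for(path):
    """Assumed pre-rule exclusion (not CRS code). Its ModSecurity equivalent:
    # SecRule REQUEST_URI "@beginsWith /accounts/google/login/callback/" \\
    #     "id:1000,phase:1,pass,nolog,ctl:ruleRemoveTargetById=930120;ARGS:scope"
    Returns the (rule id, target) pairs removed for this request."""
    if path.startswith("/accounts/google/login/callback/"):
        return {(930120, "ARGS:scope")}
    return set()


def evaluate_930120(path, args, use_exclusion=False):
    """Run the 930120 check over every ARGS target and return the anomaly decision."""
    removed = rule_exclusions_for(path) if use_exclusion else set()
    matches = []
    for name, value in args.items():
        target = f"ARGS:{name}"
        if (930120, target) in removed:
            continue
        hits = pm_from_file(transform_930120(value), LFI_OS_FILES)
        if hits:
            matches.append((target, hits[0]))  # the audit log reports the first hit
    # Without multiMatch a rule's setvar actions run once per request, so the
    # score is +5 whether one or several arguments matched.
    score = CRITICAL_ANOMALY_SCORE if matches else 0
    return {"matches": matches, "anomaly_score": score,
            "blocked": score >= INBOUND_ANOMALY_THRESHOLD}


if __name__ == "__main__":
    path, args = parse_request_line(REQUEST_LINE)
    print("transformed ARGS:scope:", transform_930120(args["scope"]))
    print("default:  ", evaluate_930120(path, args))
    print("excluded: ", evaluate_930120(path, args, use_exclusion=True))
```

The transformed value reproduces the [data] string in the 930120 entry, including the collapsed "https:/", which is normalizePathWin turning "//" into "/" before the phrase match sees "userinfo.profile". The exclusion is keyed on both the path and the single argument, so a payload such as "../../etc/passwd" in any other parameter of the same callback still matches and still blocks.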
It's hitting this rule:
Your Environment
- CRS version: v3.3.2
- Paranoia level setting: The default, I think that's 5?
- ModSecurity version: v3.0.5
- Web Server and version: nginx, specifically https://kubernetes.github.io/ingress-nginx/
- Operating System and version: N/A
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.