Flatters WAF config API for better flexibility in setting memory limits and enabling BodyAccess

[M4tteoP]

Following #499, I'm working on avoiding body-related actions when the bodies themself are not accessible (see corazawaf/coraza-proxy-wasm#76). I'm facing a problem with WithRequestBodyAccess because it always enforces the body access, not taking into account any related user directive.
This PR proposes to remove the enforcement. WithRequestBodyAccess and WithResponseBodyAccess would become a way to set memory limits, demanding to the traditional directives (SecRequestBodyAccess and SecResponseBodyAccess) the decision of enabling or not the body access.

I see value in slitting the enforcement from the configuration also considering actions like ctl:requestBodyAccess: for specific transactions the body could become accessible and would be okay to already have customized configurations in place if it happens.

Thanks for the feedback and alternative ideas/proposals!

P.S: WithRequestBodyAccess and WithResponseBodyAccess names would become not completely consistent, should I change them into something like WithRequestBodyConfig even if it will break implementations?

[anuraaga]

Sorry for the late review. We want all the settings to be programmatically configurable without any text directives so don't think we can lose that ability for body access.

I think we could add an Enabled method to the body configs, or just flatten them instead of having separate sub-structs. Leaning towards latter, what do you think?

[codecov-commenter]

Codecov Report

Base: 78.21% // Head: 78.27% // Increases project coverage by +0.06% 🎉

Coverage data is based on head (9bd1aa8) compared to base (fb52935).
Patch coverage: 51.28% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           v3/dev     #503      +/-   ##
==========================================
+ Coverage   78.21%   78.27%   +0.06%     
==========================================
  Files         145      145              
  Lines        6876     6872       -4     
==========================================
+ Hits         5378     5379       +1     
+ Misses       1264     1256       -8     
- Partials      234      237       +3     

Flag	Coverage Δ
default	73.53% <51.28%> (+0.05%)	⬆️
examples	27.27% <20.51%> (+0.07%)	⬆️
ftw	55.53% <33.33%> (+0.09%)	⬆️
tinygo	71.59% <51.28%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
internal/corazawaf/waf.go	91.60% <ø> (ø)
types/waf.go	70.73% <ø> (ø)
waf.go	40.00% <18.18%> (-5.77%)	⬇️
config.go	40.00% <41.17%> (+6.00%)	⬆️
actions/ctl.go	71.50% <100.00%> (ø)
internal/corazawaf/body_buffer.go	71.69% <100.00%> (ø)
internal/corazawaf/transaction.go	79.94% <100.00%> (ø)
internal/seclang/directives.go	67.97% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[M4tteoP]

responseBodyConfig had inMemoryLimit and WithInMemoryLimit, but then it was not populated nor called, nor the WAF struct has a corresponding default value and field for it. It is okay to assume that it was not used, and not needed?

[M4tteoP]

Thanks @anuraaga! I removed both RequestBodyConfig and ResponseBodyConfig structures and refactored the API making each element individually configurable. PTAL 🙏

[anuraaga]

Thanks! Mostly LGTM

[M4tteoP]

Sorry for the delay! Addressed the review and updated the title to a more coherent one with the PR evolution

[M4tteoP]

Could you please take another look at this one? @jptosso @fzipi
Thanks! 🙏

[jptosso]

LGTM, has a lot of methods, but it's easier to understand.

[fzipi]

In essence, why don't we use uint instead of int? I don't expect sizes to be negative in the future, but maybe someone wants reaaaly big files 😄

[M4tteoP]

1. Internally these limits are defined as int64. I can't see a reason for negative sizes, but to avoid conversions we may stick with int64 also for the exported function. I went for this solution in the last pushed commit.
   Otherwise, we can swap everything to unsigned, even if I feel that int64 is already enough in terms of super big files.
2. Done! Added "Bytes" for all the exported function names.

[jcchavezs]

Another consideration here is that we access to those content types that are being inspected and only buffer when inspection.

…

On Mon, 21 Nov 2022, 18:22 Matteo Pace, ***@***.***> wrote: 1. Internally these limits are defined as int64. I can't see a reason for negative sizes, but to avoid conversions we may stick with int64 also for the exported function. I went for this solution in the last pushed commit. Otherwise, we can swap everything to unsigned, even if I feel that int64 is already enough in terms of super big files. 2. Done! Added "Bytes" for all the exported function names. — Reply to this email directly, view it on GitHub <#503 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAR3M64YSCGIY6ZCMUDWJOVUNANCNFSM6AAAAAAR3P365A> . You are receiving this because your review was requested.Message ID: ***@***.***>

[fzipi]

So, in summary:

• people here don't care about big sizes, because "most of the times you don't need them".
• we don't mind about negative numbers
• we just care most of all about simplicity and usage. People use int, and despite being good or bad, is what people use so we stick to that to avoid conversion.

Can we document these decisions somewhere else where they can be reached by more people? Also, for future Coraza developers :)

[anuraaga]

Yup except for this

people here don't care about big sizes

We basically assume 64-bit usage where int are big sizes.

Would be good to document but don't think it's needed for this PR

[M4tteoP]

Moved from int64 to int and tried to properly comment about it. @fzipi PTAL 🙏

[fzipi]

In general looks good. But... are we considering the practical implications of an integer overflow here?
Can we generate an overflow in: l := len(data) + br.length? If data is near max int, and br.length adds enough to make l a very small int?

[M4tteoP]

@fzipi that's a legit concern. I feel that the fundamental question is: are 32-bit machines a thing (to be supported)? If so, and We basically assume 64-bit usage where int are big sizes can not be a strong assumption, I think we should explicitly use int64 internally and just keep the int exposed to the API. The agreed limits will still be in place, but internally no problems like this one should happen anymore. @jptosso

[fzipi]

What I want to point is that assumptions are the "enemy" of security, in general. We make things explicit so we are sure. Making this explicit is about:

• documenting it properly and clearly.
• the limit is clearly checked. For a signed int, this implies checking that the file is between 0 and max int. We should explicitly take action if the size is negative (but not -1, because we are overriding that with Unset)

Hopefully, it is clear now.

[fzipi]

Can we fix conflicts here @M4tteoP? Thx!

[M4tteoP]

Actually, I think that the value is parsed and stored, but never used. It should be implemented or documented (also in the coraza.conf-recommended)

[jcchavezs]

Do we really need the work Bytes?

[M4tteoP]

I don't have strong feelings about it. It makes the function more explicit but makes the name even more verbose. It has been added addressing a previous review #503 (comment).

[jcchavezs]

I think given the directive is SecRequestBodyLimit it is better to align with it, also Bytes seem redundant, specifying the units is something that I like when in doubt but in this case and in general in golang ecosystem, bytes is the unit for bodies.