Merge pull request #32 from crowdsecurity/fix_security_issue

Fix Bouncer bypass when using HTTP1.0
2022-03-31 10:57:34 +02:00 · 2022-03-31 10:57:34 +02:00 · b4d03d1988
commit b4d03d1988
parent 0d59627714 29b27f4218
1 changed files with 26 additions and 17 deletions
--- a/lib/plugins/crowdsec/ban.lua
+++ b/lib/plugins/crowdsec/ban.lua
@ -9,32 +9,40 @@ M.ret_code = ngx.HTTP_FORBIDDEN


 function M.new(template_path, redirect_location, ret_code)
-    if template_path == nil then
-        return "BAN_TEMPLATE_PATH variable is empty, will ban without template"
-    end
-    if utils.file_exist(template_path) == false then
-        return "ban template file doesn't exist, will ban without template"
-    else
-        M.template_str = utils.read_file(template_path)
-        if M.template_str == nil then
-            M.template_str = ""
-            return "ban template file doesn't exist, will ban without template"
-        end
-    end
-
    M.redirect_location = redirect_location

-    for k, v in pairs(utils.HTTP_CODE) do
-        if k == ret_code then
-            M.ret_code = utils.HTTP_CODE[ret_code]
-            break
+    ret_code_ok = false
+    if ret_code ~= nil and ret_code ~= 0 then
+        for k, v in pairs(utils.HTTP_CODE) do
+            if k == ret_code then
+                M.ret_code = utils.HTTP_CODE[ret_code]
+                ret_code_ok = true
+                break
+            end
        end
    end

+    if ret_code_ok == false then
+        ngx.log(ngx.ERR, "RET_CODE '" .. ret_code .. "' is not supported")
+    end
+
+    template_file_ok = false
+    if (template_path ~= nil and template_path ~= "" and utils.file_exist(template_path) == true) then
+        M.template_str = utils.read_file(template_path)
+        if M.template_str ~= nil then
+            template_file_ok = true
+        end
+    end
+
+    if template_file_ok == false and (M.redirect_location == nil or M.redirect_location == "") then
+        ngx.log(ngx.ERR, "BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP " .. M.ret_code  .. " for ban decisions")
+    end
+
    return nil
 end


+
 function M.apply()
    if M.redirect_location ~= "" then
        ngx.redirect(M.redirect_location)
@ -44,6 +52,7 @@ function M.apply()
        ngx.header.content_type = "text/html"
        ngx.status = M.ret_code
        ngx.say(M.template_str)
+        ngx.exit(M.ret_code)
        return
    end