From 5c6e890f49d3ba47457af21c927b24d0803225e0 Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Wed, 30 Mar 2022 18:34:28 +0200 Subject: [PATCH 1/2] Fix Bouncer bypass when using HTTP1.0 --- lib/plugins/crowdsec/ban.lua | 37 +++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/lib/plugins/crowdsec/ban.lua b/lib/plugins/crowdsec/ban.lua index 108d855..cffcc9c 100644 --- a/lib/plugins/crowdsec/ban.lua +++ b/lib/plugins/crowdsec/ban.lua @@ -9,32 +9,34 @@ M.ret_code = ngx.HTTP_FORBIDDEN function M.new(template_path, redirect_location, ret_code) - if template_path == nil then - return "BAN_TEMPLATE_PATH variable is empty, will ban without template" - end - if utils.file_exist(template_path) == false then - return "ban template file doesn't exist, will ban without template" - else - M.template_str = utils.read_file(template_path) - if M.template_str == nil then - M.template_str = "" - return "ban template file doesn't exist, will ban without template" - end - end - M.redirect_location = redirect_location - for k, v in pairs(utils.HTTP_CODE) do - if k == ret_code then - M.ret_code = utils.HTTP_CODE[ret_code] - break + if ret_code ~= nil and ret_code ~= 0 then + for k, v in pairs(utils.HTTP_CODE) do + if k == ret_code then + M.ret_code = utils.HTTP_CODE[ret_code] + break + end end end + template_file_ok = false + if (template_path ~= nil and template_path ~= "" and utils.file_exist(template_path) == true) then + M.template_str = utils.read_file(template_path) + if M.template_str ~= nil then + template_file_ok = true + end + end + + if template_file_ok == false and (M.redirect_location == nil or M.redirect_location == "") then + ngx.log(ngx.ERR, "BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP " .. M.ret_code .. " for ban decisions") + end + return nil end + function M.apply() if M.redirect_location ~= "" then ngx.redirect(M.redirect_location) 
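Review bot: The new warning in `M.new` treats a nil `redirect_location` as empty, but the context line at the end of this hunk, `if M.redirect_location ~= "" then`, is true for nil and would hand nil to `ngx.redirect` on the ban path. Normalising once in `M.new`, for example `M.redirect_location = redirect_location or ""`, makes the two checks agree. Likewise `M.template_str` is overwritten before the nil check, so a failed `utils.read_file` leaves it nil where the removed code reset it to `""`. `template_file_ok` is assigned without `local` and so becomes a global; `local template_file_ok = false` keeps it inside the function. Whether callers can pass nil is not visible here, and `M.apply` continues past the end of the hunk.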
@@ -44,6 +46,7 @@ function M.apply() ngx.header.content_type = "text/html" ngx.status = M.ret_code ngx.say(M.template_str) + ngx.exit(M.ret_code) return end From 29b27f42186a808655a4fbd256767a66d2dcbbf1 Mon Sep 17 00:00:00 2001 From: alteredCoder Date: Wed, 30 Mar 2022 19:16:25 +0200 Subject: [PATCH 2/2] Add warning when ret_code is not supported --- lib/plugins/crowdsec/ban.lua | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/plugins/crowdsec/ban.lua b/lib/plugins/crowdsec/ban.lua index cffcc9c..d0afd69 100644 --- a/lib/plugins/crowdsec/ban.lua +++ b/lib/plugins/crowdsec/ban.lua @@ -11,15 +11,21 @@ M.ret_code = ngx.HTTP_FORBIDDEN function M.new(template_path, redirect_location, ret_code) M.redirect_location = redirect_location + ret_code_ok = false if ret_code ~= nil and ret_code ~= 0 then for k, v in pairs(utils.HTTP_CODE) do if k == ret_code then M.ret_code = utils.HTTP_CODE[ret_code] + ret_code_ok = true break end end end + if ret_code_ok == false then + ngx.log(ngx.ERR, "RET_CODE '" .. ret_code .. "' is not supported") + end + template_file_ok = false if (template_path ~= nil and template_path ~= "" and utils.file_exist(template_path) == true) then M.template_str = utils.read_file(template_path)
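Review bot: The added `ngx.exit(M.ret_code)` is the line that closes the bypass, yet nothing in the code says so, and the bare `return` left after it reads as if the exit were optional. I would write it as `return ngx.exit(M.ret_code)` with a comment such as `-- end the request here: returning after ngx.say alone let banned HTTP/1.0 requests continue`. That comment wording is inferred from the commit subject, so adjust it to the confirmed cause. The redirect branch of `M.apply` starts above this hunk, so it is worth confirming that it also ends the request on every path. A regression test that sends an HTTP/1.0 request for a banned address would keep the fix from silently regressing.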
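Review bot: The new warning runs whenever `ret_code_ok` is false, which includes `ret_code == nil`, a case the guard just above explicitly allows. Concatenating nil in `"RET_CODE '" .. ret_code .. "' is not supported"` raises a Lua error, so `M.new` would abort instead of keeping the default `ngx.HTTP_FORBIDDEN`. It also reports an unset value (nil or 0) as unsupported. Guard the log with the same condition and stringify the value: `if ret_code ~= nil and ret_code ~= 0 and not ret_code_ok then ngx.log(ngx.ERR, "RET_CODE '" .. tostring(ret_code) .. "' is not supported") end`. `ret_code_ok` is also assigned as a global and should be `local ret_code_ok = false`; the rest of `M.new` lies outside this hunk.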