Add server.request.body.filenames AppSec address for Vert.x 3.4, 4.0 and 5.0#11268
Draft
Add server.request.body.filenames AppSec address for Vert.x 3.4, 4.0 and 5.0#11268
Conversation
…and 5.0 Instruments RoutingContextImpl.fileUploads() in vertx-web-3.4, vertx-web-4.0 and vertx-web-5.0 to fire EVENTS.requestFilesFilenames() with the list of uploaded filenames, enabling WAF-level blocking on malicious file names.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What Does This Do
Instruments
RoutingContextImpl.fileUploads()in the Vert.x Web 3.4, 4.0 and 5.0 modules to fire theserver.request.body.filenamesAppSec IG event, enabling WAF-level detection and blocking on uploaded file names.New callsites
vertx-web-3.4: newRoutingContextFilenamesAdvice(returnsSet<FileUpload>), wired inRoutingContextImplInstrumentationvertx-web-4.0: newRoutingContextFilenamesAdvice(returnsCollection<FileUpload>to cover bothSetin 4.0.x andListin 4.5.x+), wired inRoutingContextImplInstrumentationvertx-web-5.0: newRoutingContextFilenamesAdvice(returnsList<FileUpload>) + newRoutingContextImplInstrumentationAll three advice classes use
FileUpload.classas theCallDepthThreadLocalMapkey (public interface, avoidsIllegalAccessErrorwhen ByteBuddy inlines the advice).Test server fixes
All four
VertxTestServervariants (3.4, 4.0/test, 4.0/latestDep, 5.0) had a brokenBODY_MULTIPARThandler that usedsetExpectMultipart(true)+ an asyncendHandler, bypassingBodyHandler. This preventedfileUploads()from ever being populated. Replaced with:BodyHandler.create()registered as a prior handler on the same routectx.fileUploads()beforeconvertFormAttributes(ctx)testBodyMultipart()continues to pass becauseBodyHandleralso populatesformAttributes().NettyMultipartHelperfixVert.x's internal
NettyFileUploadthrowsUnsupportedOperationExceptionfromgetHttpDataType(). Added a try-catch to skip such items silently — they are handled by Vert.x's own instrumentation.Motivation
solves APPSEC-61873 (partial — Vert.x coverage)
Additional Notes
Double-instrumentation in 5.0 tests: the
vertx-web-5.0test module includesvertx-web-4.0astestImplementation, so bothRoutingContextImplInstrumentationclasses are applied in the same test run. UsingCollection<FileUpload>in the 4.0 advice (instead ofSet<FileUpload>) was necessary to avoid a ByteBuddy type-mismatch error when Vert.x 4.5.x+ changed the return type offileUploads()fromSettoList. Once the type error was gone, both advices coexist correctly via the sharedCallDepthThreadLocalMapkey.JVM constraint: vertx-web-3.4 and vertx-web-4.0 default test set
maxJavaVersion = VERSION_15; tests must be run with-PtestJvm=11.Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issueJira ticket: APPSEC-61873
Note: Once your PR is ready to merge, add it to the merge queue by commenting
/merge./merge -ccancels the queue request./merge -f --reason "reason"skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.