
Google OAuth redirects still being blocked due to ".profile"

Description

This is a resurfacing of Issue #1451 where a valid Google OAuth redirect gets blocked because it thinks you’re trying to read from the “.profile” OS file.

A rule was implemented to try to detect Google OAuth and allow it: https://github.com/coreruleset/coreruleset/blob/cebc7fdd6c54c2b988b72c4362fc15cb2686cde0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf#L24

But it seems to be too specific and fails my redirects. Example:

GET /accounts/google/login/callback/?state=123omitted123&code=4%2F0AX4XfWj-123omitted123-A&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=example.com&prompt=none
  • There are more than just 3 args, so the first rule fails
  • Even when I remove the restriction that there must be exactly 3 args, I think the regex is also too restrictive, though I’m not sure specifically how

Audit Logs / Triggered Rule Numbers

Sensitive data masked with “••••”:

2021/09/09 20:09:55 [error] 2525#2525: *30580 [client ••••••••] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.233.123.103"] [uri "/accounts/google/login/callback/"] [unique_id "1631218195"] [ref ""], client: ••••••••, server: ••••••••,
request: "GET /accounts/google/login/callback/?state=••••••••••••&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=renci.org&prompt=none HTTP/2.0", host: "••••••••••"

ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:scope' (Value: `email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinf (16 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "78"] [id "930120"] [rev ""] [msg "OS File Access Attempt"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile openid"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "10.233.123.103"] [uri "/accounts/google/login/callback/"] [unique_id "1631218187"] [ref "o99,8v143,116t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase"]

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "••••••••"] [uri "/accounts/google/login/callback/"] [unique_id "1631218187"] [ref ""]

It’s hitting this rule: https://github.com/coreruleset/coreruleset/blob/cebc7fdd6c54c2b988b72c4362fc15cb2686cde0/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf#L107

Your Environment

  • CRS version: v3.3.2
  • Paranoia level setting: The default, I think that’s 5?
  • ModSecurity version: v3.0.5
  • Web Server and version: nginx, specifically https://kubernetes.github.io/ingress-nginx/
  • Operating System and version: N/A

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
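
As an added illustration (not code from the Core Rule Set, ModSecurity or the issue author), the following Python reproduces what rule 930120 does to the callback request quoted above and compares the shipped argument-count exclusion with a path-scoped target exclusion. The phrase list is a constructed subset of lfi-os-files.data, the transformation functions are simplified re-implementations of the ones named in the audit log's [ref] (urlDecodeUni, normalizePathWin, lowercase), the shipped exclusion is modelled only by the "exactly 3 args" condition the issue describes, and all constant and function names are this example's own.

```python
"""Added model of how CRS rule 930120 (OS File Access Attempt) fires on the
Google OAuth2 callback from this issue, and how a path-scoped target exclusion
suppresses it.  Illustration only, not Core Rule Set code.
Assumptions: LFI_OS_FILES is a constructed subset of lfi-os-files.data; the
transformations are simplified re-implementations of those in the audit log's
[ref]; the shipped exclusion is modelled only by its "exactly 3 args" test."""
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed subset of lfi-os-files.data; the real file has many more entries.
LFI_OS_FILES = (".profile", ".bashrc", ".bash_history", "/etc/passwd",
                "/etc/shadow", "/proc/self/environ", "boot.ini")

CALLBACK_PATH = "/accounts/google/login/callback/"  # path from the issue
RULE_ID = 930120
CRITICAL_SCORE = 5  # a critical match adds 5; the PL1 inbound threshold is 5

# The callback request from the issue, secrets replaced with "omitted".
ISSUE_REQUEST = (
    "/accounts/google/login/callback/?state=123omitted123"
    "&code=4%2F0AX4XfWj-123omitted123-A"
    "&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid"
    "&authuser=0&hd=example.com&prompt=none"
)


def normalize_path_win(value: str) -> str:
    """Approximation of t:normalizePathWin: backslashes become slashes, repeated
    slashes collapse, '.' segments drop and '..' consumes the previous segment
    unless it is already at the start.  The slash collapse is why the audit
    log's matched data reads 'https:/www.googleapis.com'."""
    value = value.replace("\\", "/")
    leading = "/" if value.startswith("/") else ""
    out = []
    for seg in value.split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and out and out[-1] != "..":
            out.pop()
            continue
        out.append(seg)
    return leading + "/".join(out)


def transform(value: str) -> str:
    """Rule transformation chain in order; t:utf8toUnicode is a no-op for the
    ASCII input used here and is skipped."""
    return normalize_path_win(unquote_plus(value)).lower()


def pm_from_file(value: str, phrases=LFI_OS_FILES):
    """@pmFromFile: multi-pattern substring match; returns the first phrase hit."""
    for phrase in phrases:
        if phrase in value:
            return phrase
    return None


def no_exclusion(path, args):
    return set()


def narrow_exclusion(path, args):
    """The shipped exclusion as the issue describes it: ARGS:scope is dropped
    from 930120 only when the request has exactly three arguments (its regex
    conditions are omitted here as an assumption), so this callback is missed."""
    return {(RULE_ID, "scope")} if len(args) == 3 else set()


def path_scoped_exclusion(path, args):
    """Equivalent of a SecRule on REQUEST_URI @beginsWith CALLBACK_PATH with the
    action ctl:ruleRemoveTargetById=930120;ARGS:scope: only the scope argument,
    only on this path, only for this one rule."""
    return {(RULE_ID, "scope")} if path.startswith(CALLBACK_PATH) else set()


def evaluate_930120(request_target: str, exclusion=no_exclusion):
    """Run the 930120 check over every ARGS value not excluded for the request.
    Returns (hits, anomaly_score, blocked) as phase-2 anomaly scoring would."""
    parts = urlsplit(request_target)
    args = parse_qsl(parts.query, keep_blank_values=True)
    removed = exclusion(parts.path, args)
    hits = []
    for name, value in args:
        if (RULE_ID, name) in removed:
            continue
        phrase = pm_from_file(transform(value))
        if phrase is not None:
            hits.append((name, phrase))
    score = CRITICAL_SCORE * len(hits)
    return hits, score, score >= CRITICAL_SCORE


if __name__ == "__main__":
    for label, policy in (("no exclusion", no_exclusion),
                          ("shipped 3-arg exclusion", narrow_exclusion),
                          ("path-scoped exclusion", path_scoped_exclusion)):
        print(f"{label:25s} -> {evaluate_930120(ISSUE_REQUEST, policy)}")
    # A traversal attempt on the same path is still caught: only ARGS:scope
    # was excluded, every other argument is still inspected.
    probe = CALLBACK_PATH + "?scope=email&next=..%2F..%2Fetc%2Fpasswd"
    print(f"{'traversal on callback':25s} -> "
          f"{evaluate_930120(probe, path_scoped_exclusion)}")
```

Run as a script it prints the three outcomes for the issue's request: blocked with no exclusion, still blocked under the argument-count exclusion because the callback carries six arguments, and clean under the path-scoped one. In a real deployment the path-scoped policy is a SecRule on REQUEST_URI using @beginsWith /accounts/google/login/callback/ with the action ctl:ruleRemoveTargetById=930120;ARGS:scope, placed before the CRS include (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in CRS 3.3). Removing the target rather than the whole rule (ctl:ruleRemoveById=930120) matters: the callback URL is attacker-reachable, so a traversal payload in any other argument, or a .profile probe against any other path, still scores.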

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (8 by maintainers)

Top GitHub Comments

1 reaction
dune73 commented, Nov 15, 2021

@azurit, thank you for the proposal in #2232. I think we can close this in favor of said feature request that takes a holistic approach to this surprisingly diverse problem.

0 reactions
azurit commented, Jan 27, 2022

@mac-chaffee Can you look at this? It’s a replacement for current Google OAuth2 support (we are moving it from CRS core rules into plugins). Thank you!

https://github.com/coreruleset/google-oauth2-plugin
