Feature Request(v3): adjust requestBodyLimit and RequestBodyNoFilesLimit via runtime rule #3330

Open
EsadCetiner opened this issue Jan 19, 2025 · 2 comments
Labels
3.x Related to ModSecurity version 3.x libmodsec - missing features

@EsadCetiner
Feature:

libModSecurity3 currently does not support adjusting the requestBodyLimit and requestBodyNoFilesLimit values via a runtime rule; however, this feature is supported in ModSecurity2. I should be able to adjust these values via a rule like so:

SecRule REQUEST_FILENAME "@streq /example" \
    "id:9508030,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824,\
    ctl:requestBodyNoFilesLimit=1073741824"

Use case:

The CRS Nextcloud plugin is a plugin designed to resolve false positives when running Nextcloud and CRS together, but it currently can't increase the max allowed file size due to the aforementioned feature missing. This plugin can't directly adjust these values via a configure-time rule as it can potentially conflict with other plugins or override a user's configuration. For now, a workaround is documented in the plugin's readme file, but this complicates the installation process especially for novices. If the instructions in the readme file need to change for whatever reason, there's no easy way to notify the end user they need to update their configuration.

With this feature, CRS would be able to include this functionality out of the box instead of documenting it in the readme file, reducing the complexity of the installation process and maintenance of the plugin for end users.

@airween
Member

airween commented Jan 19, 2025

Hi @EsadCetiner,

thanks for this report.

As you write, libmodsecurity3 does not support one of the mentioned ctl actions, but that's only requestBodyLimit. As I see in the reference, mod_security2 does not support a requestBodyNoFilesLimit action either. I couldn't find any pattern in the source code, so I'm almost sure there is no such ctl action.

But the supported one is definitely worth considering. Thanks again.

@airween airween self-assigned this Jan 19, 2025
@airween airween added 3.x Related to ModSecurity version 3.x libmodsec - missing features labels Jan 19, 2025
@EsadCetiner
Author

@airween You're right, you can't adjust requestBodyNoFilesLimit via a ctl:action. I mixed them up since they're similar.

Either way, it would be nice if you could add that as a feature.
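
Added example, not part of the issue thread or of the ModSecurity project: a small linter that flags the two ctl actions discussed above in a rule file, useful when a v2 rule set or CRS plugin is moved to libmodsecurity3. The support notes in `CTL_NOTES` are taken from this thread as stated; the function names and the second sample rule are hypothetical.

```python
import re

# Support notes as stated in the thread above, not verified against engine source.
CTL_NOTES = {
    "requestbodylimit": "supported by ModSecurity2, not by libmodsecurity3",
    "requestbodynofileslimit": "not a ctl action in ModSecurity2 or libmodsecurity3",
}
CTL_RE = re.compile(r"\bctl:([A-Za-z]+)=([^,\"']+)")
ID_RE = re.compile(r"\bid:'?(\d+)")

def join_continuations(text):
    """Merge backslash-continued lines; the empty sentinel flushes an open one at EOF."""
    out, buf, start = [], "", None
    for n, raw in enumerate(text.splitlines() + [""], 1):
        line = raw.rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append((start, buf + line))
            buf, start = "", None
    return out

def lint_rules(text):
    """Return (line, rule_id, ctl_name, value, note) for each flagged ctl action."""
    findings = []
    for lineno, rule in join_continuations(text):
        if not rule.lstrip().startswith(("SecRule", "SecAction")):
            continue  # skips comments and unrelated directives
        m = ID_RE.search(rule)
        for name, value in CTL_RE.findall(rule):
            note = CTL_NOTES.get(name.lower())
            if note:
                findings.append((lineno, m.group(1) if m else None, name, value.strip(), note))
    return findings

# Constructed sample: first rule is the one quoted in the issue, second is made up.
SAMPLE = r'''SecRule REQUEST_FILENAME "@streq /example" \
    "id:9508030,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824,\
    ctl:requestBodyNoFilesLimit=1073741824"
SecRule REQUEST_FILENAME "@streq /status" "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveById=920350"
'''

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE):
        print(finding)
```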
