Malformed WAF breaks gateway Proxy config
edubonifs opened this issue
Gloo Edge Product
Enterprise
Gloo Edge Version
1.15
Kubernetes Version
1.26
Describe the bug
One of our clients placed the following rule on one of their many VirtualServices.
waf:
  ruleSets:
  - ruleStr: |
      # disable ruleid 930100 - TP-414237 - Path Traversal Attack (/../)
      _
      SecRuleRemoveById 124234
      SecRuleRemoveById 228932
      SecRuleRemoveById 490101
There is an underscore in the WAF rule that shouldn't have been placed there, but this broke the config of 300 VirtualServices in their environment.
The logs from the gateway-proxy were the following:
[2024-03-01 13:26:04.567][1][warning][config] [external/envoy/source/common/config/grpc_subscription_impl.cc:128] gRPC config for type.googleapis.com/envoy.config.route.v3.RouteConfiguration rejected: Rules error. File: <<reference missing or not informed>>. Line: 3. Column: 2. Invalid input: _
Expected Behavior
Gloo Edge should prevent the full config of the gateway-proxy from being broken, or at least clients should be able to see which WAF rule is causing the issue.
During this outage, the client had 300 VirtualServices and we had to go one by one, testing each VirtualService.
This is something very harmful to do during an outage.
Steps to reproduce the bug
Place the following WAF rule:
customWafRules: |
  # disable ruleid 930100 - TP-414237 - Path Traversal Attack (/../)
  _
  SecRuleRemoveById 124234
  SecRuleRemoveById 228932
  SecRuleRemoveById 490101
Additional Environment Detail
No response
Additional Context
No response
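Because Envoy rejects the whole RouteConfiguration as soon as one ruleStr fails to parse, the practical mitigation on the operator side is to lint every WAF rule string before it is applied, and to report the offending VirtualService together with a line and column in the same shape as the proxy's rejection message. The following pre-flight linter is an added example, not code from Gloo Edge or from the issue author: the allow-list of SecLang directives, the VirtualService names and the `vs-checkout`/`vs-catalog` sample rule text are constructed for illustration (the rule text reuses the lines quoted in the issue, including the stray underscore).

```python
import re

# Constructed allow-list of common SecLang directives; not an exhaustive
# grammar.  Lines that start with anything else are reported, not passed.
KNOWN_DIRECTIVES = {
    "SecRule", "SecAction", "SecMarker", "SecDefaultAction",
    "SecRuleRemoveById", "SecRuleRemoveByTag", "SecRuleRemoveByMsg",
    "SecRuleUpdateTargetById", "SecRuleUpdateActionById",
    "SecRuleEngine", "SecRequestBodyAccess", "SecResponseBodyAccess",
    "SecAuditEngine", "SecAuditLog",
}

# A directive is a run of letters at the start of the line followed by
# whitespace or end of line; a leading "_" or other punctuation never matches.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)(?:\s|$)")
# SecRuleRemoveById takes numeric ids or id ranges such as 1000-1999.
ID_OR_RANGE_RE = re.compile(r"^\d+(-\d+)?$")


def lint_rule_str(rule_str):
    """Return [(line, column, message), ...] for lines that would not parse.

    Line and column are 1-based, matching the "Line: N. Column: M. Invalid
    input: X" text in the gateway-proxy log, so a finding can be matched
    against the proxy's rejection message.
    """
    problems = []
    lines = rule_str.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        line_no = i + 1
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            i += 1                      # blank lines and comments are fine
            continue
        column = len(raw) - len(raw.lstrip()) + 1
        m = DIRECTIVE_RE.match(raw)
        if m is None:
            # Line starts with punctuation, e.g. the stray "_" from the issue.
            problems.append((line_no, column, "Invalid input: %s" % stripped.split()[0]))
        elif m.group(1) not in KNOWN_DIRECTIVES:
            problems.append((line_no, column, "Unknown directive: %s" % m.group(1)))
        elif m.group(1) == "SecRuleRemoveById":
            args = stripped.split()[1:]
            bad = [a for a in args if not ID_OR_RANGE_RE.match(a)]
            if not args or bad:
                problems.append((line_no, column,
                                 "SecRuleRemoveById expects numeric ids, got: %s" % " ".join(args)))
        # A trailing backslash continues the directive on the next line; skip
        # continuations so a multi-line SecRule is checked once, not per fragment.
        while i < len(lines) and lines[i].rstrip().endswith("\\"):
            i += 1
        i += 1
    return problems


def find_broken_virtual_services(virtual_services):
    """Map {vs_name: [ruleStr, ...]} to {vs_name: [(ruleset_index, line, column, message)]}.

    Only VirtualServices with at least one finding appear in the result: the
    short list an operator wants during an outage instead of testing all 300.
    """
    report = {}
    for name, rule_sets in virtual_services.items():
        for idx, rule_str in enumerate(rule_sets):
            for line_no, column, msg in lint_rule_str(rule_str):
                report.setdefault(name, []).append((idx, line_no, column, msg))
    return report


# Constructed sample: hypothetical VirtualService names; the first carries the
# rule text quoted in the issue, underscore included.
SAMPLE_VIRTUAL_SERVICES = {
    "vs-checkout": [
        "# disable ruleid 930100 - TP-414237 - Path Traversal Attack (/../)\n"
        "_\n"
        "SecRuleRemoveById 124234\n"
        "SecRuleRemoveById 228932\n"
        "SecRuleRemoveById 490101\n"
    ],
    "vs-catalog": [
        "SecRuleRemoveById 930100\n"
        'SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \\\n'
        '    "id:100001,phase:1,deny,status:403,msg:\'empty UA\'"\n'
    ],
}

if __name__ == "__main__":
    for vs, findings in find_broken_virtual_services(SAMPLE_VIRTUAL_SERVICES).items():
        for idx, line_no, column, msg in findings:
            print("%s ruleSets[%d]: Line: %d. Column: %d. %s" % (vs, idx, line_no, column, msg))
```

Run against a dump of the cluster's VirtualServices (for example the `ruleStr` and `customWafRules` fields extracted with `kubectl get virtualservices -A -o yaml`), the linter names the single object to roll back rather than leaving the operator to bisect 300 of them. It is deliberately an allow-list rather than a full SecLang parser, so a directive that is legitimate but missing from `KNOWN_DIRECTIVES` shows up as "Unknown directive" and should be added to the set, not ignored.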
Fixed in 1.17.0.