✨ [BREAKING-CHANGE] Add CrowdsecAppsecBodyLimit (#208)

* ✨ Add CrowdsecAppsecBodyLimit * 🍱 fix lint * 🍱 fix lint * 🍱 fix error on main
2025-11-08 15:15:05 +01:00 · 2025-01-24 21:04:45 +01:00
parent 980a7dd05e
commit 92f05b0ba5
3 changed files with 23 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -310,6 +310,9 @@ make run
 *This means if an IP is banned, all services which are protected by an instance of the plugin will deny requests from that IP*
 Only one instance of the plugin is *possible*.

+**/!\ Appsec maximum body limit is defaulted to 10MB**
+*By careful when you upgrade to >1.4.x*
+
 ### Variables
 - Enabled
  - bool
@@ -341,6 +344,10 @@ Only one instance of the plugin is *possible*.
  - bool
  - default: true
  - Block request when Crowdsec Appsec Server is unreachable.
+- CrowdsecAppsecBodyLimit
+  - int64
+  - default: 10485760 (= 10MB)
+  - Transmit only the first number of bytes to Crowdsec Appsec Server.
 - CrowdsecLapiScheme
  - string
  - default: `http`, expected values are: `http`, `https`
@@ -504,6 +511,7 @@ http:
          crowdsecAppsecPath: "/"
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
+          crowdsecAppsecBodyLimit: 10485760
          crowdsecLapiKey: privateKey-foo
          crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
          crowdsecLapiScheme: http
--- a/bouncer.go
+++ b/bouncer.go
@@ -65,6 +65,7 @@ type Bouncer struct {
 	appsecPath              string
 	appsecFailureBlock      bool
 	appsecUnreachableBlock  bool
+	appsecBodyLimit         int64
 	crowdsecScheme          string
 	crowdsecHost            string
 	crowdsecPath            string
@@ -154,6 +155,7 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
 		appsecPath:              config.CrowdsecAppsecPath,
 		appsecFailureBlock:      config.CrowdsecAppsecFailureBlock,
 		appsecUnreachableBlock:  config.CrowdsecAppsecUnreachableBlock,
+		appsecBodyLimit:         config.CrowdsecAppsecBodyLimit,
 		crowdsecScheme:          config.CrowdsecLapiScheme,
 		crowdsecHost:            config.CrowdsecLapiHost,
 		crowdsecPath:            config.CrowdsecLapiPath,
@@ -593,12 +595,16 @@ func appsecQuery(bouncer *Bouncer, ip string, httpReq *http.Request) error {
 		Path:   bouncer.appsecPath,
 	}
 	var req *http.Request
-	if httpReq.Body != nil && httpReq.ContentLength > 0 {
-		bodyBytes, err := io.ReadAll(httpReq.Body)
+	if bouncer.appsecBodyLimit > 0 && httpReq.Body != nil && httpReq.ContentLength > 0 {
+		var bodyBuffer bytes.Buffer
+		limitedReader := io.LimitReader(httpReq.Body, bouncer.appsecBodyLimit)
+		teeReader := io.TeeReader(limitedReader, &bodyBuffer)
+		bodyBytes, err := io.ReadAll(teeReader)
 		if err != nil {
 			return fmt.Errorf("appsecQuery:GetBody %w", err)
 		}
-		httpReq.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+		// Conserve body intact after reading it for other middlewares and service
+		httpReq.Body = io.NopCloser(io.MultiReader(&bodyBuffer, httpReq.Body))
 		req, _ = http.NewRequest(http.MethodPost, routeURL.String(), bytes.NewBuffer(bodyBytes))
 	} else {
 		req, _ = http.NewRequest(http.MethodGet, routeURL.String(), nil)
--- a/pkg/configuration/configuration.go
+++ b/pkg/configuration/configuration.go
@@ -43,6 +43,7 @@ type Config struct {
 	CrowdsecAppsecPath                       string   `json:"crowdsecAppsecPath,omitempty"`
 	CrowdsecAppsecFailureBlock               bool     `json:"crowdsecAppsecFailureBlock,omitempty"`
 	CrowdsecAppsecUnreachableBlock           bool     `json:"crowdsecAppsecUnreachableBlock,omitempty"`
+	CrowdsecAppsecBodyLimit                  int64    `json:"crowdsecAppsecBodyLimit,omitempty"`
 	CrowdsecLapiScheme                       string   `json:"crowdsecLapiScheme,omitempty"`
 	CrowdsecLapiHost                         string   `json:"crowdsecLapiHost,omitempty"`
 	CrowdsecLapiPath                         string   `json:"crowdsecLapiPath,omitempty"`
@@ -103,6 +104,7 @@ func New() *Config {
 		CrowdsecAppsecPath:             "/",
 		CrowdsecAppsecFailureBlock:     true,
 		CrowdsecAppsecUnreachableBlock: true,
+		CrowdsecAppsecBodyLimit:        10485760,
 		CrowdsecLapiScheme:             HTTP,
 		CrowdsecLapiHost:               "crowdsec:8080",
 		CrowdsecLapiPath:               "/",
@@ -261,7 +263,7 @@ func ValidateParams(config *Config) error {
 	return nil
 }

-func validateURL(variable, scheme, host, path string, path string) error {
+func validateURL(variable, scheme, host, path string) error {
 	// This only check that the format of the URL scheme://host/path is correct and do not make requests
 	testURL := url.URL{Scheme: scheme, Host: host, Path: path}
 	if _, err := http.NewRequest(http.MethodGet, testURL.String(), nil); err != nil {
@@ -332,6 +334,9 @@ func validateParamsRequired(config *Config) error {
 	if config.UpdateMaxFailure < -1 {
 		return errors.New("UpdateMaxFailure: cannot be less than -1")
 	}
+	if config.CrowdsecAppsecBodyLimit < 0 {
+		return errors.New("CrowdsecAppsecBodyLimit: cannot be less than 0")
+	}

 	if !contains([]string{NoneMode, LiveMode, StreamMode, AloneMode, AppsecMode}, config.CrowdsecMode) {
 		return errors.New("CrowdsecMode: must be one of 'none', 'live', 'stream', 'alone' or 'appsec'")