Add an Option to Skip Body Inspections (Closes #343) #356

Open
wants to merge 1 commit into
base: master
@thekief thekief commented Jun 3, 2025

As discussed in the issue, I would like to add 2 new directives that allow skipping the body inspection. There are a few use cases where, e.g., encrypted data is set and no useful inspection can be made.

While denying the body access may skip the inspection, it still results in the caching of data. Subsequently, there is an unneeded amount of resource consumption, memory, as well as time, involved.

While it would be cleaner to expose an API that allows users of libmodsecurity to check if a path, e.g., has a request body check, this involves a lot more work. The approach taken in this PR shifts the functionality so that it only necessitates changes in the nginx module.

Regarding Tests: As for tests, I'm a bit unsure what the best way would be to test it. One way would be to try to upload a file, e.g. 100MB, to a location and check when the first data reaches it. If the body inspection is disabled, the first bytes will arrive much sooner, as the nginx module caches the body until it's fully received otherwise and only then forwards the data.


sonarqubecloud bot commented Jun 3, 2025

@airween
Member

airween commented Jun 3, 2025

Hi @thekief,

thanks for this PR, I think this is quite useful.

> Regarding Tests: As for tests, I'm a bit unsure what the best way would be to test it.

If I may suggest a method:

  • create a vhost config where you turn Off the request body inspection
  • create a rule (into phase:2) that checks for a variable from the request body (eg ARGS_POST)
  • send a request which should trigger that rule

For the response body skip:

  • create another vhost config where you turn Off the response body inspection
  • create a rule (into phase:4) that checks for a variable from the response body (eg RESPONSE_BODY)
  • set a content for that vhost which triggers that rule

You can add cross checking too (eg. the first mentioned rule above executes in phase:4 and you try to mix the settings with these new options...)
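
The request-body check described in the comment above, sketched as an nginx configuration. This is an added example, not part of the PR or the project's test suite: the ports, rule id, marker string and backend are constructed, the new directive is left as a comment because its name does not appear on this page, and the expected status on the second vhost assumes that a skipped body never reaches the phase:2 rule.

```nginx
# Constructed test layout: ports, rule id 1001 and the marker string are made up.
events {}

http {
    # Stand-in backend so requests pass through every ModSecurity phase.
    server {
        listen 127.0.0.1:8081;
        location / { return 200 "backend\n"; }
    }

    # Control vhost: request body inspection active, the phase:2 rule must fire.
    server {
        listen 127.0.0.1:8080;
        modsecurity on;
        modsecurity_rules '
            SecRuleEngine On
            SecRequestBodyAccess On
            SecRule ARGS_POST "@contains body-marker" "id:1001,phase:2,deny,status:403"
        ';
        location / { proxy_pass http://127.0.0.1:8081; }
    }

    # Vhost under test: identical rules, request body inspection skipped.
    server {
        listen 127.0.0.1:8082;
        modsecurity on;
        # The PR's new request-body skip directive goes here. Its name is not
        # given on this page, so it is left out rather than guessed.
        modsecurity_rules '
            SecRuleEngine On
            SecRequestBodyAccess On
            SecRule ARGS_POST "@contains body-marker" "id:1001,phase:2,deny,status:403"
        ';
        location / { proxy_pass http://127.0.0.1:8081; }
    }
}

# Send the same form-encoded POST (body "q=body-marker") to both listeners:
#   :8080 -> 403, ARGS_POST was populated and rule 1001 matched
#   :8082 -> 200 expected (assumption), the body was never handed to phase:2
```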

@thekief
Author

thekief commented Jun 11, 2025

Sorry for getting back so late. I created configurations, but as I'm terrible with nginx tests using Perl, may I just send you the configurations? 😅
