
Support SecRequestBodyNoFilesLimit directive #896

Open
M4tteoP opened this issue Oct 30, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@M4tteoP
Member

M4tteoP commented Oct 30, 2023

Our coraza.conf-recommended file includes the following line:

SecRequestBodyNoFilesLimit 131072

As far as I can see, we are actually just reading the parameter, but we do not enforce any logic based on this (RequestBodyNoFilesLimit is not used anywhere else).

#895 proposes to:

  • comment it out from the recommended configuration
  • add a comment line stating that it is currently not implemented.

Do we see value in this directive? Should we prioritize its implementation? For reference, the ModSecurity v3 support PR is owasp-modsecurity/ModSecurity#2686. Are we considering another way to interpret/implement this directive?

@Barnoux

Barnoux commented Apr 30, 2024

From my point of view, SecRequestBodyNoFilesLimit is useful if you want to use Coraza to do analysis on file uploads.

Today, if you want to analyse a file upload (for a 500 MB file, as an example) you have to set the directive SecRequestBodyLimit 524288000.

From the ModSecurity Handbook, keeping SecRequestBodyNoFilesLimit as low as practical is a good thing.

So every request that is not a file (multipart/form-data) is restrained to the directive SecRequestBodyNoFilesLimit.

Does setting a reasonable limit with SecRequestBodyLimit help prevent denial-of-service (DoS) attacks?
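The distinction the comment above draws (one large budget for the whole body, a much smaller budget for everything that is not file content) is easiest to see in code. The following is an added, stand-alone Go example written for this page; it is not Coraza's implementation and uses none of its APIs. It accounts a request body the way the two directives require, then enforces both limits. It assumes the simplification that only the payload bytes of multipart parts carrying a filename count as "files" (ModSecurity also excludes file bytes but still counts multipart framing and headers against the no-files limit), and the limit constants, sample field names and file name are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
)

// Constructed limits mirroring the two directives: the no-files value is the
// one from coraza.conf-recommended, the total is the 500 MB upload budget
// quoted in the thread (SecRequestBodyLimit 524288000).
const (
	RequestBodyLimit        int64 = 524288000 // SecRequestBodyLimit
	RequestBodyNoFilesLimit int64 = 131072    // SecRequestBodyNoFilesLimit
)

// BodyStats is the accounting a WAF needs before it can enforce both limits.
type BodyStats struct {
	Total    int64 // every body byte, file uploads included
	NonFiles int64 // bytes that are not file-upload payload
}

// AccountBody reads a request body with the given Content-Type. For
// multipart/form-data only the payload of parts WITHOUT a filename is counted
// as non-file data; any other content type counts entirely as non-file data.
// Simplification (assumption): multipart framing and part headers are ignored.
func AccountBody(contentType string, body []byte) (BodyStats, error) {
	st := BodyStats{Total: int64(len(body))}
	mt, params, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "multipart/form-data" {
		st.NonFiles = st.Total // no files can be carried here
		return st, nil
	}
	boundary := params["boundary"]
	if boundary == "" {
		return st, fmt.Errorf("multipart/form-data without boundary parameter")
	}
	mr := multipart.NewReader(bytes.NewReader(body), boundary)
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			break
		}
		if err != nil {
			return st, fmt.Errorf("malformed multipart body: %w", err)
		}
		n, err := io.Copy(io.Discard, part) // count the part payload without keeping it
		if err != nil {
			return st, err
		}
		if part.FileName() == "" {
			st.NonFiles += n // a plain form field, charged to the no-files budget
		}
	}
	return st, nil
}

// CheckLimits enforces both budgets; a non-nil error means the request
// should be rejected (ModSecurity would act on the 413 phase-1 rule here).
func CheckLimits(st BodyStats, limit, noFilesLimit int64) error {
	if st.Total > limit {
		return fmt.Errorf("body of %d bytes exceeds SecRequestBodyLimit %d", st.Total, limit)
	}
	if st.NonFiles > noFilesLimit {
		return fmt.Errorf("non-file data of %d bytes exceeds SecRequestBodyNoFilesLimit %d", st.NonFiles, noFilesLimit)
	}
	return nil
}

// BuildSample constructs a multipart body (constructed test data): a 5-byte
// text field plus a 4 KiB file, so the file dominates the total size.
func BuildSample() (contentType string, body []byte) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	fw, _ := w.CreateFormField("comment")
	fw.Write([]byte("hello"))
	ff, _ := w.CreateFormFile("upload", "blob.bin")
	ff.Write(bytes.Repeat([]byte{0xAB}, 4096))
	w.Close()
	return w.FormDataContentType(), buf.Bytes()
}

func main() {
	ct, body := BuildSample()
	st, err := AccountBody(ct, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("total=%d non-file=%d\n", st.Total, st.NonFiles)
	// Passes: total is far under 500 MB and the 5 non-file bytes are under 128 KiB.
	fmt.Println("recommended limits:", CheckLimits(st, RequestBodyLimit, RequestBodyNoFilesLimit))
	// Fails on the no-files budget alone, even though the total is tiny.
	fmt.Println("no-files limit of 4:", CheckLimits(st, RequestBodyLimit, 4))
}
```

The point the example makes is that a 4 KiB upload and a 4 KiB form post are not the same risk: the upload is charged 5 bytes against the small budget, while a non-multipart body of the same size is charged in full, which is what lets the no-files limit stay "as low as practical" without blocking legitimate uploads.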

@jcchavezs
Member

jcchavezs commented Apr 30, 2024 via email
