fix: enforces request body scanning with trailers (#306)

Co-authored-by: Ignacy Osetek <ignacy.osetek@gmail.com>

Author: M4tteoP

.gitignore

@@ -5,3 +5,5 @@ target
 .DS_Store
 .vimrc
 go.work.sum
+e2e/http_trailer/server.crt
+e2e/http_trailer/server.key

e2e/docker-compose.yml e2e/coraza/docker-compose.ymle2e/docker-compose.yml renamed to e2e/coraza/docker-compose.yml

@@ -20,7 +20,7 @@ services:
       - --service-node # required to export metrics
       - envoy
     volumes:
-      - ../build:/build
+      - ../../build:/build
       - .:/conf
     ports:
     - 8080:8080

e2e/envoy-config.yaml e2e/coraza/envoy-config.yamle2e/envoy-config.yaml renamed to e2e/coraza/envoy-config.yaml

@@ -0,0 +1,19 @@
+services:
+  httpbin:
+    image: mccutchen/go-httpbin:v2.15.0
+    command: [ "/bin/go-httpbin", "-port", "8081" ]
+    ports:
+      - 8081:8081
+  envoy:
+    depends_on:
+      - httpbin
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.31-latest}
+    entrypoint: /usr/local/bin/envoy
+    command:
+      - -c
+      - /conf/envoy-config.yaml
+    volumes:
+      - ../../build:/build
+      - .:/conf
+    ports:
+    - 8080:8080

e2e/http_trailer/docker-compose.yml

@@ -0,0 +1,78 @@
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - transport_socket:
+            name: envoy.transport_sockets.tls
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+              common_tls_context:
+                alpn_protocols: [ "h2,http/1.1" ]
+                tls_certificates:
+                  - certificate_chain:
+                      filename: "/conf/server.crt"
+                    private_key:
+                      filename: "/conf/server.key"
+          filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: http2
+                http2_protocol_options: {}
+                route_config:
+                  virtual_hosts:
+                    - name: local_route
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: local_server
+                http_filters:
+                  - name: envoy.filters.http.wasm
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                      config:
+                        name: "coraza-filter"
+                        root_id: ""
+                        configuration:
+                          "@type": "type.googleapis.com/google.protobuf.StringValue"
+                          value: |
+                            {
+                              "directives_map": {
+                                  "defaultrs": [
+                                    "Include @demo-conf",
+                                    "SecDebugLogLevel 3",
+                                    "SecRule ARGS_POST \"@rx script\" \"id:100,phase:2,deny\""
+                                  ]
+                              },
+                              "default_directives": "defaultrs"
+                            }
+                        vm_config:
+                          runtime: "envoy.wasm.runtime.v8"
+                          vm_id: "my_vm_id"
+                          code:
+                            local:
+                              filename: "build/main.wasm"
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+    - name: local_server
+      connect_timeout: 6000s
+      type: STRICT_DNS
+      load_assignment:
+        cluster_name: local_server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: httpbin
+                      port_value: 8081

e2e/http_trailer/envoy-config.yaml

@@ -1,6 +1,6 @@
 module github.com/corazawaf/coraza-proxy-wasm
 
-go 1.23.7
+go 1.23.8
 
 require (
 	github.com/corazawaf/coraza-wasilibs v0.2.0

go.mod

@@ -1,4 +1,4 @@
-go 1.23.7
+go 1.23.8
 
 use (
 	.

go.work

@@ -0,0 +1,133 @@
+// Copyright The OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"cmp"
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/magefile/mage/sh"
+	"golang.org/x/net/http2"
+)
+
+// E2e runs e2e tests. Requires docker.
+func E2e() error {
+	envoyHost := cmp.Or(os.Getenv("ENVOY_HOST"), "localhost:8080")
+	httpbinHost := cmp.Or(os.Getenv("HTTPBIN_HOST"), "localhost:8081")
+
+	if err := runCorazaE2e(envoyHost, httpbinHost); err != nil {
+		return err
+	}
+
+	if err := runHttpTrailerE2e(envoyHost); err != nil {
+		return err
+	}
+	return nil
+}
+
+// runCorazaE2e runs Coraza e2e tests with a built plugin against the example deployment
+func runCorazaE2e(envoyHost, httpbinHost string) error {
+	dockerComposeFilePath := "e2e/coraza/docker-compose.yml"
+	var err error
+	if err = sh.RunV("docker", "compose", "--file", dockerComposeFilePath, "up", "-d", "envoy"); err != nil {
+		sh.RunV("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+		return err
+	}
+	defer func() {
+		_ = sh.RunV("docker", "compose", "--file", dockerComposeFilePath, "down", "-v")
+	}()
+
+	// --nulled-body is needed because coraza-proxy-wasm returns a 200 OK with a nulled body when if the interruption happens after phase 3
+	if err = sh.RunV("go", "run", "github.com/corazawaf/coraza/v3/http/e2e/cmd/httpe2e@main", "--proxy-hostport",
+		"http://"+envoyHost, "--httpbin-hostport", "http://"+httpbinHost, "--nulled-body"); err != nil {
+		sh.RunV("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+	}
+	return err
+}
+
+// runHttpTrailerE2e runs HTTP trailer E2E tests
+// It is meant to check that HTTP2 request payloads with trailers are scanned at phase 2 before being sent to upstream.
+// This might happen because the end_of_stream parameter from OnHttpRequestBody is never set to true in HTTP2 if trailers
+// are available. In order to mitigate this, OnHttp[Request|Response]Trailers callbacks have been implemented as an enforcement
+// point of the body phase rules.
+// The test expects Coraza to enforce the interruption (403) during phase="http_request_body" and not phase="http_response_headers",
+// which would mean that the payload was sent to upstream before being scanned and was blocked on the way back.
+func runHttpTrailerE2e(envoyHost string) error {
+	fmt.Printf("Running HTTP trailer test\n")
+	dockerComposeFilePath := "e2e/http_trailer/docker-compose.yml"
+	if err := sh.RunV("go", "run", "filippo.io/mkcert@v1.4.4", "-key-file", "e2e/http_trailer/server.key",
+		"-cert-file", "e2e/http_trailer/server.crt", "example.com"); err != nil {
+		return err
+	}
+	defer func() {
+		_ = os.Remove("e2e/http_trailer/server.key")
+		_ = os.Remove("e2e/http_trailer/server.crt")
+	}()
+	if err := sh.RunV("docker", "compose", "--file", dockerComposeFilePath, "up", "-d", "envoy"); err != nil {
+		sh.RunV("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+		return err
+	}
+	defer func() {
+		_ = sh.RunV("docker", "compose", "--file", dockerComposeFilePath, "down", "-v")
+	}()
+
+	client := &http.Client{
+		Transport: &http2.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+
+	// Wait for envoy to be ready
+	ready := false
+	for range 20 {
+		resp, err := client.Get("https://" + envoyHost)
+		if err == nil && resp.StatusCode == http.StatusOK {
+			resp.Body.Close()
+			ready = true
+			break
+		}
+		time.Sleep(500 * time.Millisecond)
+		fmt.Println("Waiting for Envoy to be ready...")
+	}
+	if !ready {
+		sh.RunV("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+		return fmt.Errorf("timeout waiting for Envoy")
+	}
+
+	// Run the actual test.
+	req, err := http.NewRequest("POST", "https://"+envoyHost, strings.NewReader("{\"foo\": \"<script foo>\"}"))
+	if err != nil {
+		return fmt.Errorf("creating request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Trailer = http.Header{"Custom-Trailer": {"This is a custom trailer"}}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		sh.RunV("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+		return fmt.Errorf("sending request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	output, err := sh.Output("docker", "compose", "-f", dockerComposeFilePath, "logs", "envoy")
+	if err != nil {
+		return fmt.Errorf("getting envoy logs: %w", err)
+	}
+
+	// The request is expected to be blocked at phase 2, before reaching the backend.
+	if resp.StatusCode != http.StatusForbidden {
+		return fmt.Errorf("unexpected status code: got %d, want %d", resp.StatusCode, http.StatusForbidden)
+	}
+	if !strings.Contains(output, "phase=\"http_request_body\"") {
+		return fmt.Errorf("expected phase=\"http_request_body\" in envoy logs transaction interrupted line, got:\n%s", output)
+	}
+	fmt.Printf("✅ HTTP trailer test passed\n")
+
+	return nil
+}

magefiles/e2etest.go

@@ -1,26 +1,27 @@
 module github.com/corazawaf/coraza-proxy-wasm/magefiles
 
-go 1.23.7
+go 1.23.8
 
 require (
-	fortio.org/fortio v1.66.0
+	fortio.org/fortio v1.69.4
 	github.com/magefile/mage v1.15.0
 	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834
+	golang.org/x/net v0.39.0
 )
 
 require (
-	fortio.org/cli v1.7.0 // indirect
-	fortio.org/dflag v1.7.2 // indirect
-	fortio.org/log v1.14.0 // indirect
-	fortio.org/scli v1.15.1 // indirect
-	fortio.org/sets v1.1.1 // indirect
-	fortio.org/struct2env v0.4.1 // indirect
+	fortio.org/cli v1.10.0 // indirect
+	fortio.org/dflag v1.8.1 // indirect
+	fortio.org/log v1.17.2 // indirect
+	fortio.org/safecast v1.0.0 // indirect
+	fortio.org/scli v1.16.1 // indirect
+	fortio.org/sets v1.3.0 // indirect
+	fortio.org/struct2env v0.4.2 // indirect
 	fortio.org/version v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658 // indirect
-	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	github.com/kortschak/goroutine v1.1.2 // indirect
+	golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 )

magefiles/go.mod

@@ -1,27 +1,31 @@
 fortio.org/assert v1.2.1 h1:48I39urpeDj65RP1KguF7akCjILNeu6vICiYMEysR7Q=
 fortio.org/assert v1.2.1/go.mod h1:039mG+/iYDPO8Ibx8TrNuJCm2T2SuhwRI3uL9nHTTls=
-fortio.org/cli v1.7.0 h1:w+uXZLGi4t3Vn/BvbeMuSw84Z1pvNPG9HqeGfpP68cc=
-fortio.org/cli v1.7.0/go.mod h1:s4vxWz7P7T4cYOWdMF0NA693Nu1gK9OW4KoDj54/Do4=
-fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0=
-fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U=
-fortio.org/fortio v1.66.0 h1:9F/200qIu136z847bxs/NeAoYdJaQlVofYlppi3qwcw=
-fortio.org/fortio v1.66.0/go.mod h1:eUl5MRscw6CiWAStai8aB3/8unxA9uNzJRXdhKEaq1s=
-fortio.org/log v1.14.0 h1:ZkIc3Qqwfs9Dd931k07YzoC+bqCpJKEjVlZwxgXW3Nw=
-fortio.org/log v1.14.0/go.mod h1:1tnXMqd5rZAgvSeHJkD2xXpyXRBzdeXtKLZuzNLIwtA=
-fortio.org/scli v1.15.1 h1:Upza50brpEZwUk8Nn2gdP4BjgqJZY3J+z7KLrrAzPjY=
-fortio.org/scli v1.15.1/go.mod h1:9LOD4iPe9u73KeJGYC/Af1oFniOafO7oZ9VvwENMf/c=
-fortio.org/sets v1.1.1 h1:Q7Z1Ft2lpUc1N7bfI8HofIK0QskrOflfYRyKT2LzBng=
-fortio.org/sets v1.1.1/go.mod h1:J2BwIxNOLWsSU7IMZUg541kh3Au4JEKHrghVwXs68tE=
-fortio.org/struct2env v0.4.1 h1:rJludAMO5eBvpWplWEQNqoVDFZr4RWMQX7RUapgZyc0=
-fortio.org/struct2env v0.4.1/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410=
+fortio.org/cli v1.10.0 h1:BsJXuBrJxBLqE+62gHSOQBRzY+EvE/sF1MnjIexUSI8=
+fortio.org/cli v1.10.0/go.mod h1:DNxA/oD3cQaOtTean8Sgr78lJrwGLIs06X8U/G3va+M=
+fortio.org/dflag v1.8.1 h1:2ax/9IvIwMb0zPE3yZEDp9D+UewfZzj5B8UKT79tblU=
+fortio.org/dflag v1.8.1/go.mod h1:M2K61nLYfB4pAsp7mZzBtjqLP6dX11R9Vm+1I4F+sVg=
+fortio.org/fortio v1.69.4 h1:G0DXdTn8/QtiCh+ykBXft8NcOCojfAhQKseHuxFVePE=
+fortio.org/fortio v1.69.4/go.mod h1:kgXo4E9kDVE7QJMlK+6d7Hwkdepvug46knsvVAxqYNs=
+fortio.org/log v1.17.2 h1:JPX/ApDXDoGzsNtXw0AJI4ai6tl9wHp4Ch6bVs1OK0Y=
+fortio.org/log v1.17.2/go.mod h1:1V7bPfFI7ZVTdtN9DnUCAN0ilEMs5VgKjHIDRO7Mjzk=
+fortio.org/safecast v1.0.0 h1:dr3131WPX8iS1pTf76+39WeXbTrerDYLvi9s7Oi3wiY=
+fortio.org/safecast v1.0.0/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg=
+fortio.org/scli v1.16.1 h1:TzaGHhFXKlTNx7mQ5BzVnXz2/qXZHG/mS30nWfJS0kE=
+fortio.org/scli v1.16.1/go.mod h1:jrdQnLbJuapUoaOcm2NwfTpCYrc5cNNc3datQkh3sQs=
+fortio.org/sets v1.3.0 h1:UiEtck/ndNM3Tg53mJu3I7Zz1ED8+YSQLtPKSjd8LTE=
+fortio.org/sets v1.3.0/go.mod h1:y8fFzm4bPTk3Qfr/tF3Xz7oWwgzpy++QdkwURKhNbP4=
+fortio.org/struct2env v0.4.2 h1:Xh7HlS9vf2ZdRvRfmoGIasNDO8t6z36M713utVODRCo=
+fortio.org/struct2env v0.4.2/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410=
 fortio.org/version v1.0.4 h1:FWUMpJ+hVTNc4RhvvOJzb0xesrlRmG/a+D6bjbQ4+5U=
 fortio.org/version v1.0.4/go.mod h1:2JQp9Ax+tm6QKiGuzR5nJY63kFeANcgrZ0osoQFDVm0=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/kortschak/goroutine v1.1.2 h1:lhllcCuERxMIK5cYr8yohZZScL1na+JM5JYPRclWjck=
+github.com/kortschak/goroutine v1.1.2/go.mod h1:zKpXs1FWN/6mXasDQzfl7g0LrGFIOiA6cLs9eXKyaMY=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -30,15 +34,13 @@ github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PK
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q=
 github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834/go.mod h1:m9ymHTgNSEjuxvw8E7WWe4Pl4hZQHXONY8wE6dMLaRk=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658 h1:i7K6wQLN/0oxF7FT3tKkfMCstxoT4VGG36YIB9ZKLzI=
-golang.org/x/crypto/x509roots/fallback v0.0.0-20240626151235-a6a393ffd658/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=
-golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 h1:yixxcjnhBmY0nkL253HFVIm0JsFHwrHdT3Yh6szTnfY=
-golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb h1:Iu0p/klM0SM7atONioa/bPhLS7cjhnip99x1OIGibwg=
+golang.org/x/crypto/x509roots/fallback v0.0.0-20250406160420-959f8f3db0fb/go.mod h1:lxN5T34bK4Z/i6cMaU7frUU57VkDXFD4Kamfl/cp9oU=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=