gxthrj opened a new issue #5780:
URL: https://github.com/apache/apisix/issues/5780


   ### Issue description
   
   Considering the recent [security vulnerability in Apache 
log4j2](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), we can 
provide a universal plug-in for APISIX to filter out some illegal requests 
through regular expressions, although this is not the ultimate solution to the 
vulnerability.
   
   The fastest solution is to use the serverless plug-in to quickly define a 
filtering logic.
   But we know that the serverless plug-in is not recommended for production 
use, and can only be turned on temporarily.
   
   Therefore, I propose to create a plug-in for regular matching to filter 
illegal requests. Everyone is welcome to participate in the design and 
development.
   
   Note: This plug-in is not intended as a solution to security problems, but 
as a general-purpose plug-in that filters out specified requests by configuring 
regular matching conditions.
   
   The following is a reference design; discussion is welcome.
   
   Plug-in name: reg_blocker
   Plug-in configuration examples, which can be continuously expanded:
   
   ```json
   {
       "block_rules": [
           {
               "key": "$http_uri",
               "rules": ["(?:\\$|\\%24)(?:\\{|\\%7b)[^\\w]*?j[^\\w]*?n[^\\w]*?d[^\\w]*?i[^\\w]*?(?:\\:|\\%3a)"]
           },
           {
               "key": "$args_name",
               "rules": ["root.exe", "root.m+"]
           }
       ],
       "reject_code": 403,
       "message": "Illegal request"
   }
   ```
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): master
   - OS (cmd: `uname -a`): linux
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): 1.19.*
   - etcd version, if have (cmd: run `curl 
http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if have:
   - the plugin runner version, if the issue is about a plugin runner (cmd: 
depended on the kind of runner):
   - luarocks version, if the issue is about installation (cmd: `luarocks 
--version`):
   
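As an added illustration of the proposed reg_blocker semantics (not APISIX code and not part of the issue), the following Python reference model evaluates a `block_rules` configuration against a request's variable table. It assumes, since the issue does not say, that a request is rejected when any rule of any entry matches, that regexes are compiled once at init time, and that matching is case-insensitive so URL-encoded variants such as `%7B` and `%7b` are treated alike; the sample requests are constructed.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed configuration mirroring the schema proposed in the issue.
BLOCK_CONFIG = {
    "block_rules": [
        {"key": "$http_uri",
         "rules": [r"(?:\$|\%24)(?:\{|\%7b)[^\w]*?j[^\w]*?n[^\w]*?d[^\w]*?i[^\w]*?(?:\:|\%3a)"]},
        {"key": "$args_name", "rules": ["root.exe", "root.m+"]},
    ],
    "reject_code": 403,
    "message": "Illegal request",
}


def compile_rules(config: dict) -> List[Tuple[str, List[Pattern]]]:
    """Compile every regex once (plugin init), so a bad pattern fails fast
    rather than on every request. IGNORECASE is an assumption of this model."""
    return [
        (entry["key"], [re.compile(p, re.IGNORECASE) for p in entry["rules"]])
        for entry in config["block_rules"]
    ]


def check_request(compiled, variables: Dict[str, str], config: dict
                  ) -> Optional[Tuple[int, str, str, str]]:
    """Return (reject_code, message, matched_key, pattern) when a rule matches,
    else None. `variables` models the nginx variable table seen by the plugin,
    e.g. {"$http_uri": "...", "$args_name": "..."}."""
    for key, patterns in compiled:
        value = variables.get(key)
        if value is None:
            continue  # variable not present on this request: nothing to match
        for pattern in patterns:
            if pattern.search(value):
                return config["reject_code"], config["message"], key, pattern.pattern
    return None


COMPILED = compile_rules(BLOCK_CONFIG)

if __name__ == "__main__":
    # Constructed sample requests: one benign, one URL-encoded probe, one arg match.
    samples = [
        {"$http_uri": "/healthz", "$args_name": "alice"},
        {"$http_uri": "/search?q=%24%7Bjndi%3Aldap://example.invalid/x"},
        {"$args_name": "root.mmm"},
    ]
    for req in samples:
        print(req, "->", check_request(COMPILED, req, BLOCK_CONFIG) or "allowed")
```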

