fix: safe parsing for access request log and violation log

src/core/metrics/sources/nginx_access_log.go

@@ -18,6 +18,10 @@ import (
 	"github.com/nginx/agent/v2/src/core/metrics/sources/tailer"
 )
 
+const (
+	spaceDelim = " "
+)
+
 // This metrics source is used to tail the NGINX access logs to retrieve http metrics.
 
 type NginxAccessLog struct {
@@ -207,26 +211,30 @@ func (c *NginxAccessLog) logStats(ctx context.Context, logFile, logFormat string
 			}
 
 			if access.Request != "" {
-				splitRequest := strings.Split(access.Request, " ")
-				n := fmt.Sprintf("method.%s", strings.ToLower(splitRequest[0]))
+				method, _, protocol := getParsedRequest(access.Request)
+				n := fmt.Sprintf("method.%s", strings.ToLower(method))
 				if isOtherMethod(n) {
 					n = "method.others"
 				}
 				counters[n] = counters[n] + 1
 
 				if access.ServerProtocol == "" {
-					httpProtocolVersion := strings.Split(splitRequest[2], "/")[1]
-					httpProtocolVersion = strings.ReplaceAll(httpProtocolVersion, ".", "_")
-					n = fmt.Sprintf("v%s", httpProtocolVersion)
-					counters[n] = counters[n] + 1
+					if strings.Count(protocol, "/") == 1 {
+						httpProtocolVersion := strings.Split(protocol, "/")[1]
+						httpProtocolVersion = strings.ReplaceAll(httpProtocolVersion, ".", "_")
+						n = fmt.Sprintf("v%s", httpProtocolVersion)
+						counters[n] = counters[n] + 1
+					}
 				}
 			}
 
 			if access.ServerProtocol != "" {
-				httpProtocolVersion := strings.Split(access.ServerProtocol, "/")[1]
-				httpProtocolVersion = strings.ReplaceAll(httpProtocolVersion, ".", "_")
-				n := fmt.Sprintf("v%s", httpProtocolVersion)
-				counters[n] = counters[n] + 1
+				if strings.Count(access.ServerProtocol, "/") == 1 {
+					httpProtocolVersion := strings.Split(access.ServerProtocol, "/")[1]
+					httpProtocolVersion = strings.ReplaceAll(httpProtocolVersion, ".", "_")
+					n := fmt.Sprintf("v%s", httpProtocolVersion)
+					counters[n] = counters[n] + 1
+				}
 			}
 
 			// don't need the http status for NGINX Plus
@@ -294,6 +302,35 @@ func (c *NginxAccessLog) logStats(ctx context.Context, logFile, logFormat string
 	}
 }
 
+func getParsedRequest(request string) (method string, uri string, protocol string) {
+	if len(request) == 0 {
+		return
+	}
+
+	startURIIdx := strings.Index(request, spaceDelim)
+	if startURIIdx == -1 {
+		return
+	}
+
+	endURIIdx := strings.LastIndex(request, spaceDelim)
+	// Ideally, endURIIdx should never be -1 here, as startURIIdx should have handled it already
+	if endURIIdx == -1 {
+		return
+	}
+
+	// For Example: GET /user/register?ahref<random>p' or '</random> HTTP/1.1
+
+	// method -> GET
+	method = request[:startURIIdx]
+
+	// uri -> /user/register?ahref<random>p' or '</random>
+	uri = request[startURIIdx+1 : endURIIdx]
+
+	// protocol -> HTTP/1.1
+	protocol = request[endURIIdx+1:]
+	return
+}
+
 func getRequestLengthMetricValue(requestLengths []float64) float64 {
 	value := 0.0
 

src/core/metrics/sources/nginx_access_log_test.go

@@ -74,7 +74,7 @@ func TestAccessLogStats(t *testing.T) {
 			`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"`,
 			[]string{
 				"127.0.0.1 - - [19/May/2022:09:30:39 +0000] \"GET /nginx_status HTTP/1.1\" 200 98 \"-\" \"Go-http-client/1.1\" \"-\"\n",
-				"127.0.0.1 - - [19/May/2022:09:30:39 +0000] \"GET /nginx_status HTTP/1.1\" 200 98 \"-\" \"Go-http-client/1.1\" \"-\"\n",
+				`127.0.0.1 - - [19/May/2022:09:30:39 +0000] "GET /user/register?ahref<Script>p' or 's' = 's</Script> HTTP/1.1" 200 98 "-" "-" "-"`,
 			},
 			make(chan *proto.StatsEntity, 1),
 			&proto.StatsEntity{

src/extensions/nginx-app-protect/monitoring/processor/nap.go

@@ -81,7 +81,6 @@ var (
 		subViolations,
 		supportID,
 		threatCampaignNames,
-		httpURI,
 		violationRating,
 		httpHostname,
 		xForwardedForHeaderVal,
@@ -97,6 +96,7 @@ var (
 		clientApplication,
 		clientApplicationVersion,
 		transportProtocol,
+		httpURI,
 	}
 )
 

src/extensions/nginx-app-protect/monitoring/processor/testdata/expanded_nap_waf.log.txt

@@ -1 +1 @@
-N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592513,N/A,/,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n,HTTP/1.1
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592513,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>410000000200c00-3a03030c30000072-8000000000000000-0</block><alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm><learn>0-20-0-0</learn><staging>0-0-0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>parameter</context><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location><param_name_pattern>*</param_name_pattern><staging>0</staging></parameter_data><staging>0</staging><sig_data><sig_id>200001475</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>3</offset><length>7</length></kw_data></sig_data><sig_data><sig_id>200000098</sig_id><blocking_mask>3</blocking_mask><kw_data><buffer>YT08c2NyaXB0Pg==</buffer><offset>2</offset><length>7</length></kw_data></sig_data></violation><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>2048</http_sanity_checks_status><http_sub_violation_status>2048</http_sub_violation_status><http_sub_violation>SG9zdCBoZWFkZXIgd2l0aCBJUCB2YWx1ZTogMTAuMTQ2LjE3OS4xMTk=</http_sub_violation></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>global</enforcement_level><name>YQ==</name><auto_detected_type>alpha-numeric</auto_detected_type><value>PHNjcmlwdD4=</value><location>query</location></parameter_data><wildcard_entity>*</wildcard_entity><staging>0</staging><language_type>4</language_type><metachar_index>60</metachar_index><metachar_index>62</metachar_index></violation></request-violations></BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n,HTTP/1.1

src/extensions/nginx-app-protect/monitoring/processor/testdata/xml_header_data.log.txt

@@ -1 +1 @@
-N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592514,N/A,/,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>header</context> <header> <header_name>Rm9v</header_name> <header_value>ZWNobzwhLS0gI2VjaG8=</header_value> <header_pattern>*</header_pattern> <staging>0</staging> </header> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592514,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <violation_masks> <block>410000000200c00-3a03030c30000072-8000000000000000-0</block> <alarm>477f0ffcbbd0fea-befbf35cb000007e-8000000000000000-0</alarm> <learn>0-2-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>header</context> <header> <header_name>Rm9v</header_name> <header_value>ZWNobzwhLS0gI2VjaG8=</header_value> <header_pattern>*</header_pattern> <staging>0</staging> </header> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n

src/extensions/nginx-app-protect/monitoring/processor/testdata/xml_parameter_data.log.txt

@@ -1 +1 @@
-N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592515,N/A,/,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>parameter</context> <parameter_data> <value_error/> <enforcement_level>global</enforcement_level> <name/> <value>ZjVwYXJhbWF1dG90ZXN0Pg==</value> <param_name_pattern>*</param_name_pattern> <staging>0</staging> </parameter_data> <staging>0</staging> <sig_data> <sig_id>300000110</sig_id> <blocking_mask>7</blocking_mask> <kw_data> <buffer>PWY1cGFyYW1hdXRvdGVzdD4=</buffer> <offset>1</offset> <length>15</length> </kw_data> </sig_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592515,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>parameter</context> <parameter_data> <value_error/> <enforcement_level>global</enforcement_level> <name/> <value>ZjVwYXJhbWF1dG90ZXN0Pg==</value> <param_name_pattern>*</param_name_pattern> <staging>0</staging> </parameter_data> <staging>0</staging> <sig_data> <sig_id>300000110</sig_id> <blocking_mask>7</blocking_mask> <kw_data> <buffer>PWY1cGFyYW1hdXRvdGVzdD4=</buffer> <offset>1</offset> <length>15</length> </kw_data> </sig_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n

src/extensions/nginx-app-protect/monitoring/processor/testdata/xml_parameter_data_as_param_data.log.txt

@@ -1 +1 @@
-N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592516,N/A,/,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <request-violations> <violation> <viol_index>52</viol_index> <viol_name>VIOL_JSON_MALFORMED</viol_name> <context>parameter</context> <param_data> <param_name>anNvbg==</param_name> <staging>0</staging> <param_value>eyAiYSI6ICLW1iJ9</param_value> </param_data> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592516,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <request-violations> <violation> <viol_index>52</viol_index> <viol_name>VIOL_JSON_MALFORMED</viol_name> <context>parameter</context> <param_data> <param_name>anNvbg==</param_name> <staging>0</staging> <param_value>eyAiYSI6ICLW1iJ9</param_value> </param_data> <staging>0</staging> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n

src/extensions/nginx-app-protect/monitoring/processor/testdata/xml_parameter_data_empty_context.log.txt

@@ -1 +1 @@
-N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592517,N/A,/,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eA==</name> <value>MQ==</value> </parameter_data> </violation> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eQ==</name> <value>JQ==</value> </parameter_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n
+N/A,80,127.0.0.1,,GET,app_protect_default_policy,HTTP,blocked,0,Critical,::,{Cross Site Scripting Signatures;High Accuracy Signatures}::{Cross Site Scripting Signatures;High Accuracy Signatures},61478,HTTP protocol compliance failed:Host header contains IP address,4355056874564592517,N/A,5,1-localhost:1-/,N/A,REJECTED,SECURITY_WAF_VIOLATION,HTTP protocol compliance failed::Illegal meta character in value::Attack signature detected::Violation Rating Threat detected::Bot Client Detected,<?xml version='1.0' ?> <BAD_MSG> <request-violations> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eA==</name> <value>MQ==</value> </parameter_data> </violation> <violation> <viol_index>33</viol_index> <viol_name>VIOL_PARAMETER</viol_name> <parameter_data> <value_error/> <enforcement_level>unknown level</enforcement_level> <name>eQ==</name> <value>JQ==</value> </parameter_data> </violation> </request-violations> </BAD_MSG>,curl,HTTP Library,N/A,N/A,Untrusted Bot,N/A,N/A,HTTP/1.1,/,GET /?a=<script> HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n