From b593be8627a905a7e48468f05108df7461eebeb2 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Fri, 6 Jan 2023 19:02:20 +1100
Subject: [PATCH 1/2] Add some reasonable limits to cookie parsing, reduce impact of possible attack

---
 src/libs/cookie.lua | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/libs/cookie.lua b/src/libs/cookie.lua
index 9da861e..4e71509 100644
--- a/src/libs/cookie.lua
+++ b/src/libs/cookie.lua
@@ -11,11 +11,12 @@ local SEMICOLON = byte(";")
 local SPACE = byte(" ")
 local HTAB = byte("\t")
+local MAX_LEN = 10 * 1024 -- in case you are a dumbass and set a high tune.maxrewrite
+local MAX_COOKIES = 100
 local _M = {}
 _M._VERSION = '0.01'
-
 function _M.get_cookie_table(text_cookie)
   if type(text_cookie) ~= "string" then
     return {}
@@ -27,10 +28,16 @@ function _M.get_cookie_table(text_cookie)
   local n = 0
   local len = #text_cookie
+  if len > MAX_LEN then
+    return {}
+  end
   for i=1, len do
     if byte(text_cookie, i) == SEMICOLON then
       n = n + 1
+      if n > MAX_COOKIES then
+        return {}
+      end
     end
   end

From 1c6504e83e70e71750640edec27e95c3cda4fc59 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Fri, 6 Jan 2023 19:04:02 +1100
Subject: [PATCH 2/2] use lua-load-per-thread as per https://cbonte.github.io/haproxy-dconv/2.6/configuration.html\#3.1-lua-load because we don't have any cross request/thread global vars to worry about

---
 haproxy/haproxy.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index b353736..ceaea01 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -2,7 +2,7 @@ global
     daemon
     maxconn 256
     log stdout format raw local0 debug
-    lua-load /etc/haproxy/scripts/register.lua
+    lua-load-per-thread /etc/haproxy/scripts/register.lua
     stats socket /var/run/haproxy.sock mode 666 level admin
     stats socket 127.0.0.1:1999 level admin
     httpclient.ssl.verify none
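Review bot: The comment on the added `MAX_LEN` line says neither what the 10 KiB bound protects nor how it relates to HAProxy's own request-size limits, and `MAX_COOKIES` carries no comment at all. As far as I recall, the size an incoming header can reach is governed by tune.bufsize less tune.maxrewrite, so raising tune.maxrewrite on its own would not let a larger Cookie header through — worth confirming before the comment names that tunable. I would replace the comment with `-- Caps on Cookie header bytes and cookie count; anything larger is dropped (empty table) to bound per-request parse work. Keep MAX_LEN at or below the header size tune.bufsize allows.` and put `-- RFC 6265 §6.1 asks user agents to support 50 cookies per domain; 100 leaves headroom.` above `MAX_COOKIES`.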
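Review bot: Both new early returns in `get_cookie_table` hand back a bare `{}`, indistinguishable from a request that carries no cookies, so a caller cannot log or count rejected headers and a flood of oversized Cookie headers leaves no trace in the application. A second return value keeps existing callers working (extra results are ignored) while letting an interested caller record the rejection: `return {}, "cookie header exceeds MAX_LEN"` for the length check and `return {}, "cookie count exceeds MAX_COOKIES"` for the count check. The loop is bounded by `len`, which the first check already caps, so the count check presumably limits whatever allocation follows the loop; the rest of `get_cookie_table` lies outside the hunk. Note that `n` also counts empty segments from trailing or doubled semicolons, which is acceptable for a hard cap but should be stated in a comment.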
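Review bot: The switch to `lua-load-per-thread` changes the semantics of any table a loaded script keeps at module level — each thread now owns a separate Lua state, so a counter, cache or rate-limit table would be per-thread rather than global. The commit message says no such state exists, but `register.lua` and whatever it requires are not in this diff, so that cannot be checked here; the constraint belongs next to the directive so a later addition of shared state does not regress silently: `# per-thread Lua states (HAProxy >= 2.4): scripts must not rely on tables shared across threads`. Since `lua-load-per-thread` is unavailable on HAProxy releases before 2.4, the config will also fail to start on older builds, which is fine only if the deployment pins a newer version.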