Enables multiphase evaluation by default (#194)

Co-authored-by: José Carlos Chávez <[email protected]>
corazawaf · May 30, 2023 · b5d1835 · b5d1835
1 parent 2980df9
commit b5d1835
Show file tree

Hide file tree

Showing 11 changed files with 390 additions and 37 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -14,18 +14,24 @@ on:
 env:
   GO_VERSION: 1.19
   TINYGO_VERSION: 0.27.0
-  # Test against latest two releases and latest dev
+  # Run e2e tests against latest two releases and latest dev
   ENVOY_IMAGES: >
     envoyproxy/envoy:v1.26-latest
     envoyproxy/envoy:v1.25-latest
     envoyproxy/envoy-dev:latest
 
 jobs:
   build:
+    name: "Build (multiphase evaluation: ${{ matrix.multiphase_eval }})"
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
+    strategy:
+      matrix:
+        multiphase_eval: ["true","false"]
+    env:
+      MULTIPHASE_EVAL: ${{ matrix.multiphase_eval }}
     steps:
       - name: Check out code
         uses: actions/checkout@v3
@@ -82,9 +88,11 @@ jobs:
           path: build/ftw-envoy.log
 
       - name: Set up Docker Buildx
+        if: ${{ matrix.multiphase_eval=='true' }}
         uses: docker/setup-buildx-action@v2
 
       - name: Docker meta
+        if: ${{ matrix.multiphase_eval=='true' }}
         id: meta
         uses: docker/metadata-action@v4
         with:
@@ -97,6 +105,7 @@ jobs:
             type=semver,pattern={{major}}
 
       - name: Docker meta busybox
+        if: ${{ matrix.multiphase_eval=='true' }}
         id: meta-busybox
         uses: docker/metadata-action@v4
         with:
@@ -111,13 +120,15 @@ jobs:
             suffix=-busybox
 
       - name: Login to GHCR
+        if: ${{ matrix.multiphase_eval=='true' }}
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push busybox based image
+        if: ${{ matrix.multiphase_eval=='true' }}
         uses: docker/build-push-action@v3
         with:
           context: .
@@ -130,6 +141,7 @@ jobs:
             BASE_IMAGE=busybox:1.36-uclibc
 
       - name: Build and push
+        if: ${{ matrix.multiphase_eval=='true' }}
         uses: docker/build-push-action@v3
         with:
           context: .
@@ -141,7 +153,7 @@ jobs:
 
       - name: Create draft release
         # Triggered only on tag creation
-        if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+        if: matrix.multiphase_eval=='true' && github.event_name == 'push' && contains(github.ref, 'refs/tags/')
         run: |
           ls build
           mv build/main.wasm build/coraza-proxy-wasm.wasm

diff --git a/.github/workflows/nightly-coraza-check.yaml b/.github/workflows/nightly-coraza-check.yaml
@@ -13,7 +13,13 @@ env:
 
 jobs:
   test:
+    name: "Test (multiphase evaluation: ${{ matrix.multiphase_eval }})"
     runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        multiphase_eval: ["true","false"]
+    env:
+      MULTIPHASE_EVAL: ${{ matrix.multiphase_eval }}
     steps:
       - name: Check out code
         uses: actions/checkout@v3

diff --git a/README.md b/README.md
@@ -39,6 +39,12 @@ go run mage.go build
 
 You will find the WASM plugin under `./build/main.wasm`.
 
+### Multiphase
+
+By default, coraza-proxy-wasm runs with multiphase evaluation enabled (See [coraza.rule.multiphase_evaluation](.magefiles/magefile.go) build tag). It enables the evaluation of rule variables in the phases that they are ready for, potentially anticipating the phase the rule is defined for. This feature suits coraza-proxy-wasm, and specifically Envoy request lifecycle, aiming to inspect data that has been received so far as soon as possible. It leads to enforce actions the earliest possible, avoiding WAF bypasses. This functionality, in conjunction with the [early blocking CRS feature](#recommendations-using-crs-with-proxy-wasm), permits to effectively raise the anomaly score and eventually drop the request at the earliest possible phase.
+
+If you want to disable it, set the `MULTIPHASE_EVAL` environment variable to `false` before building the filter.
+
 ### Running the filter in an Envoy process
 
 In order to run the coraza-proxy-wasm we need to spin up an envoy configuration including this as the filter config

diff --git a/ftw/docker-compose.yml b/ftw/docker-compose.yml
@@ -6,7 +6,8 @@ services:
     command:
       - /bin/sh
       - -c
-      - chown -R 101:101 /home/envoy/logs
+      # Early creates the log file so wasm-logs does not fail even if envoy is not yet healthy
+      - touch /home/envoy/logs/envoy.log && chown -R 101:101 /home/envoy/logs
     volumes:
       - logs:/home/envoy/logs:rw
   envoy:

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/corazawaf/coraza-proxy-wasm
 go 1.19
 
 require (
-	github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503
+	github.com/corazawaf/coraza-wasilibs v0.0.0-20230510100417-e8a89d2b2f05
 	github.com/corazawaf/coraza/v3 v3.0.0-rc.3
 	github.com/stretchr/testify v1.8.0
 	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
@@ -18,12 +18,12 @@ require (
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/tetratelabs/wazero v1.0.1 // indirect
+	github.com/tetratelabs/wazero v1.1.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
-	github.com/wasilibs/go-aho-corasick v0.3.0 // indirect
-	github.com/wasilibs/go-libinjection v0.2.1 // indirect
-	github.com/wasilibs/go-re2 v1.0.0 // indirect
+	github.com/wasilibs/go-aho-corasick v0.4.0 // indirect
+	github.com/wasilibs/go-libinjection v0.3.0 // indirect
+	github.com/wasilibs/go-re2 v1.1.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503 h1:hGXspDwUBHQUne1NT2D6PmkR9wFCXsibjaJpz7xhf+g=
-github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503/go.mod h1:bTc+NV7T2wQevFQHDDWhD/+IAA5bvKbbK4CxzfvJx/o=
+github.com/corazawaf/coraza-wasilibs v0.0.0-20230510100417-e8a89d2b2f05 h1:X7hj8/9mLUt98pOB3wQJtBP7qdvhVWcojE2RdPHtf4Q=
+github.com/corazawaf/coraza-wasilibs v0.0.0-20230510100417-e8a89d2b2f05/go.mod h1:rhPJNQQO6tShOjrB3RQzFQBCWYrayxYSzDkqy92mhxo=
 github.com/corazawaf/coraza/v3 v3.0.0-rc.3 h1:nuJ9f63ZVwBz/u8PJJDqMTPr/RNNV2GQDqvPm9UKGsY=
 github.com/corazawaf/coraza/v3 v3.0.0-rc.3/go.mod h1:MjV/iyO+B+JcVEWUJi4O2r1sfHeFzlF28MnvAqWfea0=
 github.com/corazawaf/libinjection-go v0.1.2 h1:oeiV9pc5rvJ+2oqOqXEAMJousPpGiup6f7Y3nZj5GoM=
@@ -27,21 +27,21 @@ github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PK
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M=
 github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
-github.com/tetratelabs/wazero v1.0.1 h1:xyWBoGyMjYekG3mEQ/W7xm9E05S89kJ/at696d/9yuc=
-github.com/tetratelabs/wazero v1.0.1/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
+github.com/tetratelabs/wazero v1.1.0 h1:EByoAhC+QcYpwSZJSs/aV0uokxPwBgKxfiokSUwAknQ=
+github.com/tetratelabs/wazero v1.1.0/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ=
 github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
 github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-github.com/wasilibs/go-aho-corasick v0.3.0 h1:ScfPQhAwop/ELIkwY0dfMTFb/bwOdYI/MB3mkX2WOZI=
-github.com/wasilibs/go-aho-corasick v0.3.0/go.mod h1:LKW6EW9NWuWYE8PII+sFpRbbY3UcrMUgfUTkGaoWyMY=
-github.com/wasilibs/go-libinjection v0.2.1 h1:1aSwyE4oNpPGpFw3i3hoM15sF3qn1s4P0jC2jgFM2Qk=
-github.com/wasilibs/go-libinjection v0.2.1/go.mod h1:ZUoVe+HLQYq+QPBNTSgg3fxGvZsvXiDbi0UomBlsGzo=
-github.com/wasilibs/go-re2 v1.0.0 h1:pvrqtMzZgTMHVPfXJrk4YZwiqIXOKdfo5aed6CzUAW4=
-github.com/wasilibs/go-re2 v1.0.0/go.mod h1:8g69JapfgjSCx49dKOQij1dqA3sOvoH5NteaUy1X0SA=
+github.com/wasilibs/go-aho-corasick v0.4.0 h1:dPa/vF341zewXGiKh6Qih0H5MC1yVlDcAEp6fc14Nms=
+github.com/wasilibs/go-aho-corasick v0.4.0/go.mod h1:d5wspqdBMcfs1ZAFfkijwXKohocUb5vnP5bmxWLbJ74=
+github.com/wasilibs/go-libinjection v0.3.0 h1:X2zERL6bjRRPTnOWPI5CT6t1LMJNw7f+FZuTQTxJiTM=
+github.com/wasilibs/go-libinjection v0.3.0/go.mod h1:pjrvsp+uswZLkflpghGhrgKpGEZlemqkLwKOJyIsvj4=
+github.com/wasilibs/go-re2 v1.1.0 h1:RF/qHrnaFRIYaxnDFIZ4I8cZJTU+wE9DkOHtEHOUA18=
+github.com/wasilibs/go-re2 v1.1.0/go.mod h1:9j8kG6X6t8KQoB9odr0+WEieocbZwbKUgTo8GjNUdV4=
 github.com/wasilibs/nottinygc v0.2.0 h1:cXz2Ac9bVMLkpuOlUlPQMWowjw0K2cOErXZOFdAj7yE=
 github.com/wasilibs/nottinygc v0.2.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=