🐛 urls with .profile in them are triggering a modsec rule resulting in a 403 page forbidden error #982

Closed
LavMatt opened this issue Oct 24, 2024 · 4 comments
LavMatt commented Oct 24, 2024

Describe the bug.

It appears URLs for details of tables in Find MoJ Data that start with "profile" are triggering a modsec ingress rule that blocks the page from being displayed, with a 403 error.

This is across all environments.

The modsec logs indicate the rule id doing the block is 949110 (Inbound Anomaly Score Exceeded).

2024/10/24 10:48:44 [error] 395872#395872: *46651044 [client 35.176.93.186] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "github_team=data-catalogue"] [tag "application-multi"]

However, this is going to be more complicated to properly understand and mitigate, because the rule is an aggregation of scores from other rules and we can't disable or override the 949110 rule. We'll need to dig into it and find the rule(s) which is (are) triggered.

@LavMatt LavMatt added the bug Something isn't working label Oct 24, 2024
@LavMatt LavMatt moved this to Todo in Data Catalogue Oct 24, 2024
@mitchdawson1982 mitchdawson1982 self-assigned this Oct 24, 2024
mitchdawson1982 commented Oct 24, 2024

Failing Examples

2024/10/24 10:48:44 [error] 395872#395872: *46651044 [client 35.176.93.186] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.5"] [maturity "0"] [accuracy "0"] [tag "github_team=data-catalogue"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.20.210.146"] [uri "/details/table/urn:li:dataset:(urn:li:dataPlatform:dbt,cadet.awsdatacatalog.nomis_ao_dev_dbt.profiles,PROD)"] [unique_id "172976692490.111309"] [ref ""], client: 35.176.93.186, server: dev.find-moj-data.service.justice.gov.uk, request: "GET /details/table/urn:li:dataset:(urn:li:dataPlatform:dbt,cadet.awsdatacatalog.nomis_ao_dev_dbt.profiles,PROD) HTTP/2.0", host: "dev.find-moj-data.service.justice.gov.uk", referrer: "https://dev.find-moj-data.service.justice.gov.uk/pagination/1?query=profile"

@mitchdawson1982

{
    "transaction": {
        "client_ip": "35.176.93.186",
        "time_stamp": "Fri Oct 25 15:14:26 2024",
        "server_id": "e9991f0bc8e68c08bcb04fe43698297c017fca69",
        "client_port": 63185,
        "host_ip": "172.20.171.236",
        "host_port": 443,
        "unique_id": "172986926676.560105",
        "request": {
            "method": "GET",
            "http_version": 2.0,
            "uri": "/details/table/urn:li:dataset:(urn:li:dataPlatform:dbt,cadet.awsdatacatalog.nomis_sensitive.profile_types,PROD)"
        },
        "response": {
            "body": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
            "http_code": 403,
            "headers": {
                "Server": "",
                "Server": "",
                "Date": "Fri, 25 Oct 2024 15:14:26 GMT",
                "Content-Length": "548",
                "Content-Type": "text/html",
                "Connection": "close",
                "Strict-Transport-Security": "max-age=15724800; includeSubDomains"
            }
        },
        "producer": {
            "modsecurity": "ModSecurity v3.0.8 (Linux)",
            "connector": "ModSecurity-nginx v1.0.3",
            "secrules_engine": "Enabled",
            "components": [
                "OWASP_CRS/3.3.5\""
            ]
        },
        "messages": [
            {
                "message": "Restricted File Access Attempt",
                "details": {
                    "match": "Matched \"Operator `PmFromFile' with parameter `restricted-files.data' against variable `REQUEST_FILENAME' (Value: `/details/table/urn:li:dataset:(urn:li:dataPlatform:dbt,cadet.awsdatacatalog.nomis_sensitive.profile_ (11 characters omitted)' )",
                    "reference": "o91,8v4,111t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase",
                    "ruleId": "930130",
                    "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf",
                    "lineNumber": "106",
                    "data": "Matched Data: .profile found within REQUEST_FILENAME: /details/table/urn:li:dataset:(urn:li:dataplatform:dbt,cadet.awsdatacatalog.nomis_sensitive.profile_types,prod)",
                    "severity": "2",
                    "ver": "OWASP_CRS/3.3.5",
                    "rev": "",
                    "tags": [
                        "github_team=data-catalogue",
                        "application-multi",
                        "language-multi",
                        "platform-multi",
                        "attack-lfi",
                        "paranoia-level/1",
                        "OWASP_CRS",
                        "capec/1000/255/153/126",
                        "PCI/6.5.4"
                    ],
                    "maturity": "0",
                    "accuracy": "0"
                }
            },
            {
                "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
                "details": {
                    "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
                    "reference": "",
                    "ruleId": "949110",
                    "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
                    "lineNumber": "81",
                    "data": "",
                    "severity": "2",
                    "ver": "OWASP_CRS/3.3.5",
                    "rev": "",
                    "tags": [
                        "github_team=data-catalogue",
                        "application-multi",
                        "language-multi",
                        "platform-multi",
                        "attack-generic"
                    ],
                    "maturity": "0",
                    "accuracy": "0"
                }
            }
        ]
    }
}

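The JSON audit entry above answers the question raised in the opening comment: 949110 itself scored nothing, the 5 points came entirely from 930130 (CRS's restricted-file check, whose `restricted-files.data` list contains the shell dotfile name `.profile`, which the dataset names `…dbt.profiles` and `…nomis_sensitive.profile_types` happen to contain after a dot). The script below is an added example, not code from this issue or from the find-moj-data project. It parses the ModSecurity v3 JSON audit-log shape shown in the thread, sets aside the aggregate evaluation/correlation rules, and credits the inbound anomaly score to the detection rules that earned it using the CRS 3.x default severity-to-points table. The sample entry is constructed (a trimmed copy of the one posted above), the `exclusion_rule` helper renders the generic CRS `ctl:ruleRemoveTargetById` idiom and is not a claim about what the linked PR actually changed, and the rule id 10001 is an arbitrary placeholder.

```python
"""Attribute a CRS 949110 block to the detection rules that actually scored.

Added example, not code from this issue or the find-moj-data project. It parses
the ModSecurity v3 JSON audit-log shape shown in the thread, drops the aggregate
evaluation rules, and credits the inbound anomaly score to the rules that earned
it. The sample entry below is constructed, modelled on the one posted above.
"""
import json

# CRS 3.x default points per severity (tx.critical_anomaly_score and friends).
# ModSecurity logs severity numerically: 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE.
SEVERITY_POINTS = {"2": 5, "3": 4, "4": 3, "5": 2}

# Rules that only evaluate or correlate the running total; they add no points,
# so they are never the right target for a false-positive exclusion.
AGGREGATE_RULES = {"949110", "980130"}

# Constructed sample: a trimmed copy of the entry in this thread (assumption:
# the fields used here are the ones ModSecurity v3 always writes).
SAMPLE_ENTRY = {
    "transaction": {
        "client_ip": "35.176.93.186",
        "request": {
            "method": "GET",
            "uri": "/details/table/urn:li:dataset:(urn:li:dataPlatform:dbt,"
                   "cadet.awsdatacatalog.nomis_sensitive.profile_types,PROD)",
        },
        "response": {"http_code": 403},
        "messages": [
            {
                "message": "Restricted File Access Attempt",
                "details": {
                    "ruleId": "930130",
                    "severity": "2",
                    "data": "Matched Data: .profile found within REQUEST_FILENAME: "
                            "/details/table/urn:li:dataset:(urn:li:dataplatform:dbt,"
                            "cadet.awsdatacatalog.nomis_sensitive.profile_types,prod)",
                },
            },
            {
                "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
                "details": {"ruleId": "949110", "severity": "2", "data": ""},
            },
        ],
    }
}
SAMPLE_AUDIT_JSON = json.dumps(SAMPLE_ENTRY)


def contributing_rules(entry):
    """Return the detection rules that put points on the board, with their score."""
    scored = []
    for msg in entry["transaction"].get("messages", []):
        details = msg["details"]
        if details["ruleId"] in AGGREGATE_RULES:
            continue
        scored.append({
            "rule_id": details["ruleId"],
            "message": msg["message"],
            "points": SEVERITY_POINTS.get(details.get("severity"), 0),
            "data": details.get("data", ""),
        })
    return scored


def logged_total(entry):
    """Total the blocking rule reported, parsed from '... (Total Score: N)'."""
    for msg in entry["transaction"].get("messages", []):
        if msg["details"]["ruleId"] == "949110":
            return int(msg["message"].rsplit(":", 1)[1].strip(" )"))
    return None


def explain_block(audit_json):
    """Summarise one audit-log entry: what was requested and which rules scored."""
    entry = json.loads(audit_json)
    tx = entry["transaction"]
    rules = contributing_rules(entry)
    return {
        "uri": tx["request"]["uri"],
        "status": tx["response"]["http_code"],
        "logged_total": logged_total(entry),
        "computed_total": sum(r["points"] for r in rules),
        "rules": rules,
    }


def exclusion_rule(rule_id, uri_prefix, target="REQUEST_FILENAME", rule_no=10001):
    """Render the generic CRS 3 rule-exclusion idiom for one false positive.

    Assumption: a phase-1 'ctl:ruleRemoveTargetById' rule loaded before the CRS
    rules (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). Not a claim
    about what the PR linked in this issue changed; rule_no is a placeholder.
    """
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
        f'    "id:{rule_no},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={rule_id};{target}"'
    )


if __name__ == "__main__":
    summary = explain_block(SAMPLE_AUDIT_JSON)
    print(f"{summary['status']} on {summary['uri']}")
    print(f"logged total {summary['logged_total']}, recomputed {summary['computed_total']}")
    for r in summary["rules"]:
        print(f"  {r['rule_id']} (+{r['points']}): {r['message']} -- {r['data']}")
    print(exclusion_rule(summary["rules"][0]["rule_id"], "/details/table/"))
```

Two things worth checking in the output: the recomputed total equalling the logged total (5) confirms that no other rule contributed, so an exclusion scoped to 930130 is sufficient, and the exclusion is narrowed to the `REQUEST_FILENAME` target under the `/details/table/` prefix rather than removing 930130 outright, so the restricted-file check keeps running on every other path and on request arguments.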
mitchdawson1982 commented Oct 28, 2024

Current PR resolves the issue; still researching if more refinements can be made. PR

@murdo-moj murdo-moj closed this as completed by moving to Done in Data Catalogue Oct 29, 2024