fix(security): cap hmac-auth body size and truncate prometheus model labels#13228
Open
AlinsRan wants to merge 2 commits into apache:master from
…labels

Two independent DoS/memory-exhaustion fixes:

fix(hmac-auth): restore max_req_body body-size limit

The hmac-auth plugin had no cap on how much request body was buffered when validate_request_body=true. An unauthenticated attacker could send an arbitrarily large body causing the worker to buffer it entirely in memory.

- Added max_req_body field to schema (integer, default 524288, minimum 1)
- Passed conf.max_req_body to core.request.get_body() in the body validation path

fix(prometheus): truncate model-name labels to prevent cardinality DoS

ctx.var.request_llm_model / ctx.var.llm_model were passed directly as Prometheus labels. An attacker could send millions of unique model values, exhausting the Prometheus shared dict.

- Added MAX_MODEL_LABEL_LEN = 128 constant and model_to_label() helper
- Both http_log and inc_llm_active_connections now use model_to_label()
Summary

Two independent DoS / memory-exhaustion fixes.

Fix 1: hmac-auth — restore `max_req_body` body-size limit

The hmac-auth plugin had no cap on how much request body was read when `validate_request_body = true`. An unauthenticated attacker could send an arbitrarily large body and cause the worker to buffer it entirely in memory.

- Added `max_req_body` field to schema (integer, default 524288 bytes, minimum 1).
- Passed `conf.max_req_body` to `core.request.get_body()` inside the body-validation path.

Fix 2: prometheus — truncate model-name labels to prevent cardinality DoS

`ctx.var.request_llm_model` / `ctx.var.llm_model` were set directly from the request body's `model` field and used as Prometheus labels without any length cap. An attacker could inject millions of unique model strings, exhausting the Prometheus shared dict.

- Added `MAX_MODEL_LABEL_LEN = 128` constant and `model_to_label()` helper function that truncates strings to 128 characters and replaces non-scalar types with `<non-scalar>`.
- `http_log` and `inc_llm_active_connections` now pass model values through `model_to_label()` before using them as metric labels.

Changes

- `apisix/plugins/hmac-auth.lua`: add `max_req_body` schema field; pass it to `get_body()`
- `apisix/plugins/prometheus/exporter.lua`: add `model_to_label()` helper; apply it at all label sites
- `t/plugin/hmac-auth2.t`: update schema snapshot to include `max_req_body`
- `t/plugin/hmac-auth3.t`: TEST 6 sets up route with `max_req_body=10`; TEST 7 verifies oversized body rejected; TEST 8 verifies body at exact limit accepted

Tests

`t/plugin/hmac-auth3.t`: setup route, reject 11-byte body with limit 10, accept 10-byte body at exact limit.
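The following is an added illustration of the label-sanitising idea behind Fix 2; it is not the PR's `exporter.lua` code and does not use the APISIX or ngx APIs. It shows why a client-controlled `model` value needs both a length cap and a scalar check before it becomes a Prometheus label: a Lua table stringifies to `table: 0x...`, which is a fresh address on every request, and an unbounded string is stored at full length in the shared dict. The handling of nil and booleans is an assumption made here (the PR only says non-scalar types become `<non-scalar>`), and the sample traffic is constructed. It runs under a plain `lua` interpreter.

```lua
-- Added illustration of the model_to_label() idea from the PR description;
-- this is NOT the PR's own exporter.lua code. Pure Lua, no ngx/APISIX
-- dependencies.

local MAX_MODEL_LABEL_LEN = 128   -- constant named in the PR

-- Assumption: strings and numbers count as scalars. Booleans, tables,
-- functions and nil (the PR does not say how it treats these) all collapse
-- to the single sentinel "<non-scalar>" so they cannot mint a fresh label
-- value per request.
local function model_to_label(model)
    local t = type(model)
    if t == "string" then
        if #model > MAX_MODEL_LABEL_LEN then
            return string.sub(model, 1, MAX_MODEL_LABEL_LEN)
        end
        return model
    elseif t == "number" then
        return tostring(model)
    end
    return "<non-scalar>"
end

-- Stand-in for the bookkeeping an exporter's shared dict ends up doing:
-- how many distinct label values exist and how long the longest one is.
-- With sanitize=false the raw value is used the way the pre-fix code did
-- (tostring of whatever arrived); with sanitize=true it goes through
-- model_to_label() first.
local function label_stats(models, sanitize)
    local seen, count, longest = {}, 0, 0
    for _, m in ipairs(models) do
        local label = sanitize and model_to_label(m) or tostring(m)
        if not seen[label] then
            seen[label] = true
            count = count + 1
        end
        if #label > longest then
            longest = #label
        end
    end
    return count, longest
end

-- Constructed sample traffic: one legitimate model name, one oversized
-- 4 KiB "model" string, and three requests whose decoded "model" field is a
-- JSON object (arriving in Lua as a table, each a distinct address).
local sample = {
    "gpt-4o",
    string.rep("x", 4096),
    { name = "evil" }, { name = "evil" }, { name = "evil" },
}

local raw_count, raw_longest = label_stats(sample, false)
local safe_count, safe_longest = label_stats(sample, true)
print(("raw:       %d distinct labels, longest %d bytes"):format(raw_count, raw_longest))
print(("sanitised: %d distinct labels, longest %d bytes"):format(safe_count, safe_longest))
```

Running it shows the three table values collapsing into one `<non-scalar>` label and the 4 KiB string shrinking to 128 bytes, while the legitimate name is untouched. One caveat worth checking against the real helper: Lua strings are byte strings, so `string.sub` truncates by byte and can cut through a multi-byte UTF-8 sequence; Prometheus label values are expected to be valid UTF-8, so an exporter that validates encoding may reject such a truncated label. The PR description does not say whether `model_to_label()` accounts for that.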