Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
May 07, 2012

iRule code injection / input validation

im wondering about code injection within irules. if the rule uses input which the user can determine there is some risk usually, but how well or bad do iRules / TCL handle this? could i for example escape an match class command and run code somehow or always pass an if statement if i don't do input validation (check if "bad characters" are used)?

 

 

does anyone protect their code against this, if so how?

 

application delivery
dev
devops
iRules

1 Reply

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    May 07, 2012
    I think the worst a malicious user could do is force a reset of their own connection through injection. I tried testing by injecting TCL meta-characters in the Host header with an iRule that checks the host header value against a data group or string. The worst I could do is cause a runtime TCL error. Do you have any specific examples you're concerned about? 

    
when HTTP_REQUEST {

log local0. "\[HTTP::host\]: \|[HTTP::host]\|"
if {[HTTP::host] starts_with "test"}{
pool http_1_pool
log local0. "matched"
} else {
HTTP::respond 200 content "No match"
log local0. "no match"
}

set cmd "\[class match \[HTTP::host\] starts_with string_dg\]"
eval $cmd
log local0. "match? $match"

set match [class match [HTTP::host] starts_with string_dg]
log local0. "match? $match"
}
when LB_SELECTED {
log local0. "selected [LB::server]"
}

    curl -v 10.1.0.120 -H "Host: test\"; pool http_2_pool"

    curl -v 10.1.0.120 -H "Host: test\"; [class get string_dg]; pool http_2_pool"

    curl -v 10.1.0.120 -H "Host: -value abc"

    curl -v 10.1.0.120 -H "Host: -value"

    curl -v 10.1.0.120 -H "Host: -value \"abc\""

    You can protect against accidental interpretation of a string starting with a hyphen using -- to terminate the switch or class options:

    switch -glob -- $string { ...

    class match -value -- $string equals my_dg

    Aaron