
boneyard
May 07, 2012

iRule code injection / input validation

I'm wondering about code injection within iRules. If the rule uses input which the user can determine, there is usually some risk, but how well or badly do iRules / TCL handle this? Could I, for example, escape a match class command and run code somehow, or always pass an if statement, if I don't do input validation (check if "bad characters" are used)?

Does anyone protect their code against this? If so, how?

 

  • I think the worst a malicious user could do is force a reset of their own connection through injection. I tried testing by injecting TCL meta-characters in the Host header with an iRule that checks the host header value against a data group or string. The worst I could do is cause a runtime TCL error. Do you have any specific examples you're concerned about?

    
    when HTTP_REQUEST {
        # Log the raw Host header between pipes so stray characters are visible
        log local0. "\[HTTP::host\]: \|[HTTP::host]\|"
        if {[HTTP::host] starts_with "test"} {
            pool http_1_pool
            log local0. "matched"
        } else {
            HTTP::respond 200 content "No match"
            log local0. "no match"
        }

        # Same lookup built as a string and run through eval;
        # [HTTP::host] is substituted only when eval runs
        set cmd "class match \[HTTP::host\] starts_with string_dg"
        set match [eval $cmd]
        log local0. "match? $match"

        # Direct call for comparison
        set match [class match [HTTP::host] starts_with string_dg]
        log local0. "match? $match"
    }
    when LB_SELECTED {
        log local0. "selected [LB::server]"
    }
    

    curl -v 10.1.0.120 -H "Host: test\"; pool http_2_pool"

    curl -v 10.1.0.120 -H "Host: test\"; [class get string_dg]; pool http_2_pool"

    curl -v 10.1.0.120 -H "Host: -value abc"

    curl -v 10.1.0.120 -H "Host: -value"

    curl -v 10.1.0.120 -H "Host: -value \"abc\""

    You can protect against accidental interpretation of a string starting with a hyphen using -- to terminate the switch or class options:

    switch -glob -- $string { ...

    class match -value -- $string equals my_dg

    Aaron
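
The following iRule is an added example, not code from either poster. It combines the `--` terminator from the reply above with an allow-list check on the Host header before the value reaches `class match` or `switch`. The `string_dg` data group and `http_1_pool` pool are the names used in the thread; the allowed character set and the 400 response are assumptions to adapt to local policy.

```tcl
when HTTP_REQUEST {
    # Read the header once and normalise case. The value is only ever used
    # as a single word ($host); it is never concatenated into a string that
    # is later passed to eval, expr or subst.
    set host [string tolower [HTTP::host]]

    # Assumed allow-list: hostname characters plus an optional :port.
    # A leading hyphen, quotes, brackets, semicolons and spaces all fail here.
    if { ![regexp {^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:[0-9]{1,5})?$} $host] } {
        # Log the client address only, not the rejected header value
        log local0. "rejected malformed Host header from [IP::client_addr]"
        HTTP::respond 400 content "Bad Request"
        return
    }

    # "--" ends option parsing, so the value cannot be read as an option
    # even if the allow-list above is later relaxed.
    if { [class match -- $host starts_with string_dg] } {
        pool http_1_pool
        return
    }

    switch -glob -- $host {
        "test*" { pool http_1_pool }
        default { HTTP::respond 200 content "No match" }
    }
}
```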