Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
May 07, 2012

iRule code injection / input validation

im wondering about code injection within irules. if the rule uses input which the user can determine there is some risk usually, but how well or bad do iRules / TCL handle this? could i for example es...
application delivery
dev
devops
iRules
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
May 07, 2012
I think the worst a malicious user could do is force a reset of their own connection through injection. I tried testing by injecting TCL meta-characters in the Host header with an iRule that checks the host header value against a data group or string. The worst I could do is cause a runtime TCL error. Do you have any specific examples you're concerned about? 


when HTTP_REQUEST {

log local0. "\[HTTP::host\]: \|[HTTP::host]\|"
if {[HTTP::host] starts_with "test"}{
pool http_1_pool
log local0. "matched"
} else {
HTTP::respond 200 content "No match"
log local0. "no match"
}

set cmd "\[class match \[HTTP::host\] starts_with string_dg\]"
eval $cmd
log local0. "match? $match"

set match [class match [HTTP::host] starts_with string_dg]
log local0. "match? $match"
}
when LB_SELECTED {
log local0. "selected [LB::server]"
}

curl -v 10.1.0.120 -H "Host: test\"; pool http_2_pool"

curl -v 10.1.0.120 -H "Host: test\"; [class get string_dg]; pool http_2_pool"

curl -v 10.1.0.120 -H "Host: -value abc"

curl -v 10.1.0.120 -H "Host: -value"

curl -v 10.1.0.120 -H "Host: -value \"abc\""

You can protect against accidental interpretation of a string starting with a hyphen using -- to terminate the switch or class options:

switch -glob -- $string { ...

class match -value -- $string equals my_dg

Aaron