This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Issue with Graphql file uploads using nginx proxy #459

Closed
indieocean opened this issue Mar 13, 2019 · 8 comments

Comments

@indieocean

We are running into an issue where Naxsi is blocking file uploads on Graphql even when we have whitelisted it. As soon as we disable Naxsi the upload works.

This is an example curl:

curl 'https://localhost/api/graphql' \
-H 'authorization: Bearer token' \
-F operations='{ "query": "mutation uploadFile($file: Upload!) { uploadFile(file: $file) { filename, mimetype } }", "variables": { "file": null } }' \
-F map='{ "0": ["variables.file"] }' \
-F 0='@/Users/bling/uploads/users.xlsx'

At first it complained about the following rules:

uri=/api/graphql&learning=1&vers=0.55.3&total_processed=1&total_blocked=1&block=1&cscore0=$SQL&score0=32&cscore1=$XSS&score1=32&cscore2=$TRAVERSAL&score2=88&zone0=BODY&id0=1010&var_name0=query&zone1=BODY&id1=1011&var_name1=query&zone2=BODY&id2=1015&var_name2=query&zone3=BODY&id3=1205&var_name3=query

We added a new whitelist BasicRule

BasicRule wl:2,1010,1011,1015,1205 "mz:$URL:/api|BODY";

It stopped giving blocking errors but it times out now.

Any pointers?

@buixor
Contributor

buixor commented Mar 14, 2019

I don't really understand how naxsi would lead to a timeout. Are there any logs produced after you added the whitelists?

@indieocean
Author

indieocean commented Mar 14, 2019 via email


So we managed to fix it. It was an issue with the ngx_http_auth_request_module.

location /api/ {
    auth_request /auth;
    ...
}

location = /auth {
    proxy_pass ...
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

We ended up replacing it with:

location /api {
    # Auth by Lua block
    # There is a known issue with auth_request and Naxsi that does not play well with uploads.
    access_by_lua_block {
      local res = ngx.location.capture("/auth")

      if res.status == ngx.HTTP_OK then
          return
      end
      ngx.exit(res.status)
    }
    ...
}

It now works correctly after ditching auth_request. We have tracked this on our end as an issue. Don't know if you guys have tried it or tested this scenario.

@he2ss
Contributor

he2ss commented Mar 20, 2019

Hi,

I can see that your rule can't work with the triggered event you pasted. Indeed, you allow all the IDs on the BODY, but only on the URI /api, and the triggered one is /api/graphql.

You must try something like this:

BasicRule wl:2,1010,1011,1015,1205 "mz:$URL:/api/graphql|BODY";

Or with a regex on the URI:

BasicRule wl:2,1010,1011,1015,1205 "mz:$URL_X:^/api|BODY";

You can test this without your last fix and see if it solves your issue.
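
As an added illustration (not from the issue thread or the Naxsi project): a small Python model of why the first whitelist does not cover the logged event. It parses the naxsi fmt log line quoted above and a whitelist BasicRule, treats $URL as a whole-URI string match and $URL_X as a regular expression, and lists the triggered ids the rule leaves uncovered. The matching logic is a simplified model of Naxsi's behaviour, not Naxsi's own code, and the log line is the constructed sample from the issue.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the naxsi fmt log line quoted in the issue, not captured traffic.
NAXSI_EVENT = (
    "uri=/api/graphql&learning=1&vers=0.55.3&total_processed=1&total_blocked=1&block=1"
    "&cscore0=$SQL&score0=32&cscore1=$XSS&score1=32&cscore2=$TRAVERSAL&score2=88"
    "&zone0=BODY&id0=1010&var_name0=query&zone1=BODY&id1=1011&var_name1=query"
    "&zone2=BODY&id2=1015&var_name2=query&zone3=BODY&id3=1205&var_name3=query"
)

# BasicRule wl:<ids> "mz:$URL:/path|ZONE";  or  "mz:$URL_X:<regex>|$ZONE_VAR:name";
RULE_RE = re.compile(
    r'^BasicRule\s+wl:([\d,]+)\s+"mz:(\$URL(?:_X)?):([^|]+)\|(\$?\w+)(?::(\w+))?";\s*$'
)

def parse_event(line):
    """Split a naxsi fmt log line into (uri, [(rule_id, zone, var_name), ...])."""
    kv = {k: v[0] for k, v in parse_qs(line, keep_blank_values=True).items()}
    hits, i = [], 0
    while f"id{i}" in kv:
        hits.append((int(kv[f"id{i}"]), kv[f"zone{i}"], kv.get(f"var_name{i}", "")))
        i += 1
    return kv["uri"], hits

def parse_rule(rule):
    """Return (ids, url_kind, url_value, zone, var_name_or_None) from a whitelist BasicRule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported whitelist syntax: {rule}")
    ids = {int(x) for x in m.group(1).split(",")}
    zone, var = m.group(4), m.group(5)
    if zone.startswith("$") and zone.endswith("_VAR"):  # $BODY_VAR:name -> zone BODY, var name
        zone = zone[1:-4]
    return ids, m.group(2), m.group(3), zone, var

def uncovered_hits(rule, event):
    """Return the triggered rule ids the whitelist does NOT cover (simplified naxsi model)."""
    uri, hits = event
    ids, url_kind, url_value, zone, var = parse_rule(rule)
    if url_kind == "$URL":
        url_ok = uri == url_value  # whole-URI string match, not a prefix match
    else:
        url_ok = re.search(url_value, uri) is not None  # $URL_X is a regular expression
    return [
        rid for rid, hit_zone, hit_var in hits
        if not (url_ok and rid in ids and hit_zone == zone and (var is None or hit_var == var))
    ]

if __name__ == "__main__":
    rule = 'BasicRule wl:2,1010,1011,1015,1205 "mz:$URL:/api|BODY";'
    print("still blocked:", uncovered_hits(rule, parse_event(NAXSI_EVENT)))
```

With the /api rule every id stays blocked because /api is not /api/graphql; the /api/graphql and ^/api variants cover all four hits.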

@buixor
Contributor

buixor commented Mar 21, 2019

@indieocean : Thanks for the update, it's not the first time we have a conflict with ngx_http_auth_request_module here.

The issue is still unsolved on our side :/

@indieocean
Author

BasicRule wl:2,1010,1011,1015,1205 "mz:$URL:/api/graphql|BODY";

Yeah we tried those but nothing seemed to work.

@diadal

diadal commented Apr 8, 2019

Please, which config file do I need to add BasicRule wl:2,1010,1011,1015,1205 "mz:$URL:/api/graphql|BODY"; to? Thanks

@buixor
Contributor

buixor commented May 7, 2019

@diadal: You need to add this to your location.

@buixor buixor closed this as completed Jun 17, 2019