Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[dev/Wasm] Removing unsupported try catch #2783

Draft
wants to merge 7 commits into
base: v3/dev/wasm-experimental
Choose a base branch
from
Draft

[dev/Wasm] Removing unsupported try catch #2783

wants to merge 7 commits into from

Conversation

M4tteoP
Copy link
Contributor

@M4tteoP M4tteoP commented Aug 13, 2022

Context

Several basic elements from the modsecurity.conf file (e.g. rules 200002, 200003, 200004) are leading to a RuntimeError anticipated by a stoi: no conversion error.
As far as I know, the proxy Wasm SDK does not still support the handling of exceptions, therefore, the stoi conversion based on catching an exception when the conversion fails leads to this behaviour.

Solution

The PR proposes to handle the conversion based on the more recent std::from_chars that handles without exceptions the outcome.

Work in progress, request for tips and discussion

Other try catch patterns are still in place inside the code and they may lead to similar errors. Specifically:

  1. Would it be possible to have some guidance or pointers on how to tweak .cc and .yy files? E.g. seclang-parser.cc#L2907-L2915
  2. I think that a very sensitive point is the allocation of the request body: transaction.cc#L1019-L1025. Do you have any tips on how would it possible to avoid the usage of exceptions?

Thanks!

@martinhsv @leyao-daily

@M4tteoP M4tteoP force-pushed the v3/dev/wasm-fix-stoi-conversion branch from 0ccef89 to b02f740 Compare August 17, 2022 08:49
@M4tteoP
Copy link
Contributor Author

M4tteoP commented Aug 17, 2022
edited

Update: about stod conversions, as you may see looking at the commits, I tried both:

  • std::from_chars: It should be faster, but requires a recent compiler to handle double variables.
  • std::stringstream: It should be slower, better compatibility.

As far as I understood, these conversions happen just at loading time, the overhead of ss compared to from_chars should not be so relevant in favor of fewer compiling problems. I also saw that stringstream is currently used in the ModSecurity codebase.

Open to any discussion also about it.

@mathetake
Copy link

fyi, the exception support might work with the latest envoy, see the discussion proxy-wasm/proxy-wasm-cpp-sdk#140

@leyao-daily
Copy link

fyi, the exception support might work with the latest envoy, see the discussion proxy-wasm/proxy-wasm-cpp-sdk#140

It helps a lot. Thanks.

@M4tteoP
Copy link
Contributor Author

M4tteoP commented Aug 24, 2022

Thank you, Takeshi! I have followed the conversation for a bit, as of now I have not been able to make it work, but it sounds really promising. I tweaked all the code where I saw a feasible alternative, but (for example about memory allocation) I feel that exception support is very much needed to prevent unexpected behaviors.

@martinhsv
Copy link
Contributor

Hello @M4tteoP ,

I'm open to revisiting some of these try/catch usages. Many of the existing usages aren't the highest-value usages of try/catch anyway.

On the other hand, if we're saying we would want to never implement additional try-catch blocks in ModSecurity in the future, that might be seen as a nontrivial limitation on development.

Another thing to consider is what the replacement code is. So far ModSecurity has not generally incorporated C++17 features. It's useful to maintain compatibility with older compiler versions (within reason), so we'd have to decide if this is the right time for that.

@M4tteoP
Copy link
Contributor Author

M4tteoP commented Sep 6, 2022

Hello @martinhsv,

Another thing to consider is what the replacement code is. So far ModSecurity has not generally incorporated C++17 features. It's useful to maintain compatibility with older compiler versions (within reason), so we'd have to decide if this is the right time for that.

Thank you, if we agree on a proper replacement code that permits maintaining compatibility with older compile versions, I'm open to working on a PR on the main branch. Specifically, do you wish to avoid the usage of std::from_chars? Could std::stringstream be a valid replacement also for integer conversions?

if we're saying we would want to never implement additional try-catch blocks in ModSecurity in the future, that might be seen as a nontrivial limitation on development.

Yes, I totally understand that, it would be awesome just to properly revisit not needed usages and, strictly speaking about Wasm:

  • Restrict only to the dev/Wasm branch more drastic PRs to permit Wasm to work even if some tradeoff in terms of functionalities may be introduced.
  • Work on supporting exceptions handling (following what Takeshi pointed out).

@M4tteoP M4tteoP mentioned this pull request Oct 11, 2022
Open
@dspeg
Copy link

dspeg commented Oct 20, 2022

When testing ModSecurity Wasm plugin, we encountered unexpected "500" or "503" error codes with some simple rules added. I hope some of the issues can be fixed by this PR. Thanks @M4tteoP for working on it.

@marcstern marcstern added the 3.x Related to ModSecurity version 3.x label Feb 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@M4tteoP @mathetake @leyao-daily @martinhsv @dspeg @marcstern