nginx + v3: high CPU usage on rule 200001 #2019

Closed
@theMiddleBlue

Description

I'm not sure if this issue was already reported. Anyway:

What is reported in SpiderLabs/owasp-modsecurity-crs#1133 seems to be related to rule 200001 and to requestBodyProcessor=JSON being set on each request with Content-Type: application/json.

With a long JSON string in the request body, rule 200001 takes a very long time to process it, and the nginx worker's CPU usage is stuck at 100% until it finishes.

Logs and dumps
Using an 800 KB JSON file as the request body, sent with content-type application/json, the request took 83 seconds:

curl -s -H 'Content-Type: application/json' -d @test.json 'http://localhost' -w @curl-format.txt
host localhost upstream: 
    time_namelookup:  0.005550
       time_connect:  0.006125
    time_appconnect:  0.000000
   time_pretransfer:  0.011318
      time_redirect:  0.000000
 time_starttransfer:  0.014967
                    ----------
         time_total:  83.675212

Just replacing the content-type value with application/x-www-form-urlencoded, the request took just 2 seconds:

curl -s -H 'Content-Type: application/x-www-form-urlencoded' -d @test.json 'http://localhost' -w @curl-format.txt
host localhost upstream: 
    time_namelookup:  0.005729
       time_connect:  0.006164
    time_appconnect:  0.000000
   time_pretransfer:  0.006292
      time_redirect:  0.000000
 time_starttransfer:  0.012784
                    ----------
         time_total:  2.071719

To Reproduce

  • download test.json
  • create curl-format.txt as follows:
    time_namelookup:  %{time_namelookup}\n
       time_connect:  %{time_connect}\n
    time_appconnect:  %{time_appconnect}\n
   time_pretransfer:  %{time_pretransfer}\n
      time_redirect:  %{time_redirect}\n
 time_starttransfer:  %{time_starttransfer}\n
                    ----------\n
         time_total:  %{time_total}\n
  • send request to nginx with content-type application/json and the test.json content as the request body:
$ curl -v -H 'Content-Type: application/json' -d @test.json 'http://localhost' -w @curl-format.txt

Server:

  • ModSecurity - v3.0.3-45-g145f2f35 for Linux
  • Modsecurity-nginx 1.0.0
  • nginx 1.13.6
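The timing comparison above can be turned into a repeatable check. The script below is an added example, not code from the issue or from the ModSecurity project: it sends the same body file once as application/json and once as application/x-www-form-urlencoded, parses time_total out of curl's -w output (the same format the issue's curl-format.txt produces), and reports when the JSON body-processor path is disproportionately slower. The server URL, body file name, the 10x threshold and the RUN_LIVE switch are assumptions chosen for the example; the live measurement only runs when RUN_LIVE=1 is set, so the parsing and ratio functions can be exercised without a server.

```shell
#!/usr/bin/env bash
# Added example: compare request time for a JSON body sent with and without
# the JSON request body processor being selected by Content-Type.
set -e

# Only the field we need from curl's timing output.
CURL_FORMAT='time_total: %{time_total}\n'

# Extract the time_total value (seconds) from curl -w output written in the
# issue's curl-format.txt layout, e.g. "         time_total:  83.675212".
time_total_from_output() {
  printf '%s\n' "$1" | awk -F': *' '/time_total/ { gsub(/ /, "", $2); print $2 }'
}

# Integer-rounded ratio json_seconds / form_seconds (awk only, no bc needed).
# Prints "inf" if the form-urlencoded request took 0 seconds.
slowdown_ratio() {
  awk -v j="$1" -v f="$2" 'BEGIN {
    if (f == 0) { print "inf"; exit }
    printf "%d\n", (j / f) + 0.5
  }'
}

# Succeeds when the JSON request is at least $3 times slower than the
# form-urlencoded request for the same body.
json_processor_is_slow() {
  local ratio
  ratio=$(slowdown_ratio "$1" "$2")
  if [ "$ratio" = "inf" ]; then return 0; fi
  [ "$ratio" -ge "$3" ]
}

# Send one timed request and print its time_total. Assumes curl is installed
# and a ModSecurity-enabled nginx listens at the given URL (assumption).
timed_request() {
  local content_type="$1" body_file="$2" url="$3" out
  out=$(curl -s -o /dev/null -H "Content-Type: $content_type" \
        --data-binary "@$body_file" "$url" -w "$CURL_FORMAT")
  time_total_from_output "$out"
}

main() {
  local body="${1:-test.json}" url="${2:-http://localhost}" json form ratio
  json=$(timed_request 'application/json' "$body" "$url")
  form=$(timed_request 'application/x-www-form-urlencoded' "$body" "$url")
  ratio=$(slowdown_ratio "$json" "$form")
  printf 'application/json: %ss  x-www-form-urlencoded: %ss  ratio: %sx\n' \
    "$json" "$form" "$ratio"
  if json_processor_is_slow "$json" "$form" 10; then
    echo "JSON body processor path is disproportionately slow for this body size"
  fi
}

# Live measurement is opt-in so the helper functions can be used offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  main "$@"
fi
```

Run as `RUN_LIVE=1 ./jsontiming.sh test.json http://localhost` against a test instance. With the issue's own numbers (83.675212 s versus 2.071719 s) the ratio comes out at 40x. Since the cost here scales with the size of the JSON body handed to the processor, bounding that size (ModSecurity's SecRequestBodyLimit, or nginx's client_max_body_size in front of it) limits how long a single request can keep a worker at 100% while the underlying issue is being fixed.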
