Misleading XML parsing error on valid XML bodies

[heaven]

Description

Coraza v3.3.3

When processing valid XML (e.g., WordPress XML-RPC requests), Coraza logs a "Failed to process request body" error, suggesting a parsing failure. However, the XML parses correctly and the interruption is due to CRS rule 200002. This creates the impression of internal parser errors rather than an expected rule block.

Relevant code

coraza/internal/corazawaf/transaction.go

Line 1069 in 38f4571

tx.debugLogger.Error().Err(err).Msg("Failed to process request body")

Steps to reproduce

1. Enable CRS on Coraza v3.3.3.
2. Send a valid XML-RPC request to /xmlrpc.php.
3. Observe an XML error in the log.

Here is an example (formatted for readability):

<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>admin</string></value></param>
  </params>
</methodCall>

Expected result

The error should fire when there is an actual problem with the XML, an internal error, e.g., if we fed some binaly, compressed, or partial data to the parser.

Actual result

We receive an interruption along with a missleading error in the log, which possibly masks underlying problems and adds unnecessary noise.

[heaven]

There might be a parsing error, too. But the error itself doesn't tell us any details, and after examining multiple examples of the failed to parse bodies, they all appeared to be valid XML:

• tags nest properly
• attribute quoting is correct
• declaration is valid
• no illegal characters

[victoredvardsson]

We have this issue as well, would be interesting to get some clarity in this. For example what the expected behavior is?

We have multiple domains where we need to disable the REQBODY_ERROR rule because it fails to parse XML content. Mainly when our clients try to access their Wordpress sites via Wordpress mobile application.

[jptosso]

XML is partially supported, IMO the only way to address this is by creating a libxml2 plugin using CGO, its not a big deal to get this done, but this cannot get merged into the main repository, as we don't accept CGO.

Update: Apparently libxml is abandoned now
https://gitlab.gnome.org/GNOME/libxml2/-/issues/346 https://discourse.gnome.org/t/stepping-down-as-libxml2-maintainer/31398
Which means there is no existing xml library that could be used for this purpose...

[heaven]

@jptosso I think there's nothing we can do at the moment? Is the XML parsing a "best-effort" currently, or does it not work at all?

I have disabled the XML parser by commenting out this rule to silence the error.

# SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
#     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"