add options via WaapConfig for inband and outofband engines

pkg/acquisition/modules/waap/waap_runner.go

@@ -40,37 +40,39 @@ func (r *WaapRunner) Init(datadir string) error {
 	for _, collection := range r.WaapRuntime.OutOfBandRules {
 		outOfBandRules += collection.String()
 	}
-	//adapt the logger level to the WAAP
 	runnerLogger := r.logger.Dup()
-	runnerLogger.Infof("setting logger of %s to %s", r.WaapRuntime.Name, r.WaapRuntime.Config.LogLevel)
-	r.WaapInbandEngine, err = coraza.NewWAF(
-		coraza.NewWAFConfig().WithDirectives(inBandRules).WithRootFS(fs).WithDebugLogger(NewCrzLogger(runnerLogger)),
-	)
 
+	//setting up inband engine
+	inbandCfg := coraza.NewWAFConfig().WithDirectives(inBandRules).WithRootFS(fs).WithDebugLogger(NewCrzLogger(runnerLogger))
+	if !r.WaapRuntime.Config.InbandOptions.DisableBodyInspection {
+		inbandCfg = inbandCfg.WithRequestBodyAccess()
+	} else {
+		log.Warningf("Disabling body inspection, Inband rules will not be able to match on body's content.")
+	}
+	if r.WaapRuntime.Config.InbandOptions.RequestBodyInMemoryLimit != nil {
+		inbandCfg = inbandCfg.WithRequestBodyInMemoryLimit(*r.WaapRuntime.Config.InbandOptions.RequestBodyInMemoryLimit)
+	}
+	r.WaapInbandEngine, err = coraza.NewWAF(inbandCfg)
 	if err != nil {
 		return fmt.Errorf("unable to initialize inband engine : %w", err)
 	}
 
-	tx := r.WaapInbandEngine.NewTransaction()
-	if !tx.IsRequestBodyAccessible() {
-		runnerLogger.Warningf("request body is not accessible, inband rules won't be able to match on it")
+	//setting up outband engine
+	outbandCfg := coraza.NewWAFConfig().WithDirectives(outOfBandRules).WithRootFS(fs).WithDebugLogger(NewCrzLogger(runnerLogger))
+	if !r.WaapRuntime.Config.OutOfBandOptions.DisableBodyInspection {
+		outbandCfg = outbandCfg.WithRequestBodyAccess()
+	} else {
+		log.Warningf("Disabling body inspection, Out of band rules will not be able to match on body's content.")
 	}
-	tx.Close()
-
-	r.WaapOutbandEngine, err = coraza.NewWAF(
-		coraza.NewWAFConfig().WithDirectives(outOfBandRules).WithRootFS(fs).WithDebugLogger(NewCrzLogger(runnerLogger)),
-	)
+	if r.WaapRuntime.Config.OutOfBandOptions.RequestBodyInMemoryLimit != nil {
+		outbandCfg = outbandCfg.WithRequestBodyInMemoryLimit(*r.WaapRuntime.Config.OutOfBandOptions.RequestBodyInMemoryLimit)
+	}
+	r.WaapOutbandEngine, err = coraza.NewWAF(outbandCfg)
 
 	if err != nil {
 		return fmt.Errorf("unable to initialize outband engine : %w", err)
 	}
 
-	tx = r.WaapOutbandEngine.NewTransaction()
-	if !tx.IsRequestBodyAccessible() {
-		runnerLogger.Warningf("request body is not accessible, outband rules won't be able to match on it")
-	}
-	tx.Close()
-
 	return nil
 }
 

pkg/waf/waap.go

@@ -48,12 +48,18 @@ type WaapTempResponse struct {
 	SendEvent          bool //do we send an internal event on rule match
 }
 
+type WaapSubEngineOpts struct {
+	DisableBodyInspection    bool `yaml:"disable_body_inspection"`
+	RequestBodyInMemoryLimit *int `yaml:"request_body_in_memory_limit"`
+}
+
 // runtime version of WaapConfig
 type WaapRuntimeConfig struct {
 	Name           string
 	OutOfBandRules []WaapCollection
-	//OutOfBandEngine XXX
-	InBandRules               []WaapCollection
+
+	InBandRules []WaapCollection
+
 	DefaultRemediation        string
 	CompiledOnLoad            []Hook
 	CompiledPreEval           []Hook
@@ -67,22 +73,26 @@ type WaapRuntimeConfig struct {
 	InBandTx    ExtendedTransaction //is it a good idea ?
 	Response    WaapTempResponse
 	//should we store matched rules here ?
+
 }
 
 type WaapConfig struct {
-	Name               string     `yaml:"name"`
-	OutOfBandRules     []string   `yaml:"outofband_rules"`
-	InBandRules        []string   `yaml:"inband_rules"`
-	DefaultRemediation string     `yaml:"default_remediation"`
-	DefaultPassAction  string     `yaml:"default_pass_action"`
-	BlockedHTTPCode    int        `yaml:"blocked_http_code"`
-	PassedHTTPCode     int        `yaml:"passed_http_code"`
-	OnLoad             []Hook     `yaml:"on_load"`
-	PreEval            []Hook     `yaml:"pre_eval"`
-	OnMatch            []Hook     `yaml:"on_match"`
-	VariablesTracking  []string   `yaml:"variables_tracking"`
-	LogLevel           *log.Level `yaml:"log_level"`
-	Logger             *log.Entry `yaml:"-"`
+	Name               string            `yaml:"name"`
+	OutOfBandRules     []string          `yaml:"outofband_rules"`
+	InBandRules        []string          `yaml:"inband_rules"`
+	DefaultRemediation string            `yaml:"default_remediation"`
+	DefaultPassAction  string            `yaml:"default_pass_action"`
+	BlockedHTTPCode    int               `yaml:"blocked_http_code"`
+	PassedHTTPCode     int               `yaml:"passed_http_code"`
+	OnLoad             []Hook            `yaml:"on_load"`
+	PreEval            []Hook            `yaml:"pre_eval"`
+	OnMatch            []Hook            `yaml:"on_match"`
+	VariablesTracking  []string          `yaml:"variables_tracking"`
+	InbandOptions      WaapSubEngineOpts `yaml:"inband_options"`
+	OutOfBandOptions   WaapSubEngineOpts `yaml:"outofband_options"`
+
+	LogLevel *log.Level `yaml:"log_level"`
+	Logger   *log.Entry `yaml:"-"`
 }
 
 func (w *WaapRuntimeConfig) ClearResponse() {