Release/0.9.1 (#130)

* Update dependencies

* Add APIFW_API_MODE_MAX_ERRORS_IN_RESPONSE param to limit the response size

* Fix related_fields_details value

Author: afr1ka

.github/workflows/binaries.yml

@@ -51,7 +51,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.23.7.linux-amd64.tar.gz"
+      X_GO_DISTRIBUTION: "https://go.dev/dl/go1.23.8.linux-amd64.tar.gz"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -162,7 +162,7 @@ jobs:
     needs:
       - draft-release
     env:
-      X_GO_VERSION: "1.23.7"
+      X_GO_VERSION: "1.23.8"
       APIFIREWALL_NAMESPACE: "github.com/wallarm/api-firewall"
     strategy:
       matrix:
@@ -272,19 +272,19 @@ jobs:
         include:
           - arch: armv6
             distro: bookworm
-            go_distribution: https://go.dev/dl/go1.23.7.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.8.linux-armv6l.tar.gz
             artifact: armv6-libc
           - arch: aarch64
             distro: bookworm
-            go_distribution: https://go.dev/dl/go1.23.7.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.8.linux-arm64.tar.gz
             artifact: arm64-libc
           - arch: armv6
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.23.7.linux-armv6l.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.8.linux-armv6l.tar.gz
             artifact: armv6-musl
           - arch: aarch64
             distro: alpine_latest
-            go_distribution: https://go.dev/dl/go1.23.7.linux-arm64.tar.gz
+            go_distribution: https://go.dev/dl/go1.23.8.linux-arm64.tar.gz
             artifact: arm64-musl
     steps:
       - uses: actions/checkout@v4

.github/workflows/trivy.yml

@@ -20,7 +20,7 @@ jobs:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Build
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-22.04"
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

Makefile

@@ -1,4 +1,4 @@
-VERSION := 0.9.0
+VERSION := 0.9.1
 NAMESPACE := github.com/wallarm/api-firewall
 
 .DEFAULT_GOAL := build

cmd/api-firewall/internal/handlers/api/app.go

@@ -30,17 +30,18 @@ var (
 // object for each of our http handlers. Feel free to add any configuration
 // data/logic on this App struct
 type App struct {
-	Routers     map[int]*router.Mux
-	Log         zerolog.Logger
-	passOPTIONS bool
-	shutdown    chan os.Signal
-	mw          []web.Middleware
-	storedSpecs storage.DBOpenAPILoader
-	lock        *sync.RWMutex
+	Routers             map[int]*router.Mux
+	Log                 zerolog.Logger
+	passOPTIONS         bool
+	maxErrorsInResponse int
+	shutdown            chan os.Signal
+	mw                  []web.Middleware
+	storedSpecs         storage.DBOpenAPILoader
+	lock                *sync.RWMutex
 }
 
 // NewApp creates an App value that handle a set of routes for the set of application.
-func NewApp(lock *sync.RWMutex, passOPTIONS bool, storedSpecs storage.DBOpenAPILoader, shutdown chan os.Signal, logger zerolog.Logger, mw ...web.Middleware) *App {
+func NewApp(lock *sync.RWMutex, passOPTIONS bool, maxErrorsInResponse int, storedSpecs storage.DBOpenAPILoader, shutdown chan os.Signal, logger zerolog.Logger, mw ...web.Middleware) *App {
 
 	schemaIDs := storedSpecs.SchemaIDs()
 
@@ -51,13 +52,14 @@ func NewApp(lock *sync.RWMutex, passOPTIONS bool, storedSpecs storage.DBOpenAPIL
 	}
 
 	app := App{
-		Routers:     routers,
-		shutdown:    shutdown,
-		mw:          mw,
-		Log:         logger,
-		storedSpecs: storedSpecs,
-		lock:        lock,
-		passOPTIONS: passOPTIONS,
+		Routers:             routers,
+		shutdown:            shutdown,
+		mw:                  mw,
+		Log:                 logger,
+		storedSpecs:         storedSpecs,
+		lock:                lock,
+		passOPTIONS:         passOPTIONS,
+		maxErrorsInResponse: maxErrorsInResponse,
 	}
 
 	return &app
@@ -286,7 +288,10 @@ func (a *App) APIModeMainHandler(ctx *fasthttp.RequestCtx) {
 		ctx.Request.Header.SetMethod(fasthttp.MethodGet)
 	}
 
-	if err := web.Respond(ctx, validator.ValidationResponse{Summary: responseSummary, Errors: responseErrors}, fasthttp.StatusOK); err != nil {
+	// limit amount of errors to reduce the total size of the response
+	limitedResponseErrors := validator.SampleSlice(responseErrors, a.maxErrorsInResponse)
+
+	if err := web.Respond(ctx, validator.ValidationResponse{Summary: responseSummary, Errors: limitedResponseErrors}, fasthttp.StatusOK); err != nil {
 		a.Log.Error().
 			Err(err).
 			Bytes("host", ctx.Request.Header.Host()).

cmd/api-firewall/internal/handlers/api/routes.go

@@ -52,7 +52,7 @@ func Handlers(lock *sync.RWMutex, cfg *config.APIMode, shutdown chan os.Signal,
 	}
 
 	// Construct the App which holds all routes as well as common Middleware.
-	apps := NewApp(lock, cfg.PassOptionsRequests, storedSpecs, shutdown, logger, mid.IPAllowlist(&ipAllowlistOptions), mid.WAFModSecurity(&modSecOptions), mid.Logger(logger), mid.MIMETypeIdentifier(logger), mid.Errors(logger), mid.Panics(logger))
+	apps := NewApp(lock, cfg.PassOptionsRequests, cfg.MaxErrorsInResponse, storedSpecs, shutdown, logger, mid.IPAllowlist(&ipAllowlistOptions), mid.WAFModSecurity(&modSecOptions), mid.Logger(logger), mid.MIMETypeIdentifier(logger), mid.Errors(logger), mid.Panics(logger))
 
 	for _, schemaID := range schemaIDs {
 

cmd/api-firewall/tests/main_api_mode_test.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"slices"
 	"strings"
 	"sync"
 	"syscall"
@@ -22,7 +23,6 @@ import (
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/valyala/fasthttp"
-	"golang.org/x/exp/slices"
 
 	handlersAPI "github.com/wallarm/api-firewall/cmd/api-firewall/internal/handlers/api"
 	"github.com/wallarm/api-firewall/internal/config"
@@ -613,6 +613,9 @@ func TestAPIModeBasic(t *testing.T) {
 	// check conflicts in the Path
 	t.Run("testConflictsInThePath", apifwTests.testConflictsInThePath)
 	t.Run("testObjectInQuery", apifwTests.testObjectInQuery)
+
+	// check limited response (maxErrorsInResponse param)
+	t.Run("testAPIModeMissedMultipleReqParamsLimitedResponse", apifwTests.testAPIModeMissedMultipleReqParamsLimitedResponse)
 }
 
 func createForm(form map[string]string) (string, io.Reader, error) {
@@ -2926,3 +2929,105 @@ func (s *APIModeServiceTests) testObjectInQuery(t *testing.T) {
 	// check response status code and response body
 	checkResponseForbiddenStatusCode(t, &reqCtx, DefaultSchemaID, []string{validator.ErrCodeRequiredQueryParameterMissed})
 }
+
+func (s *APIModeServiceTests) testAPIModeMissedMultipleReqParamsLimitedResponse(t *testing.T) {
+
+	updatedCfg := config.APIMode{
+		APIFWInit:                  config.APIFWInit{Mode: web.APIMode},
+		SpecificationUpdatePeriod:  2 * time.Second,
+		UnknownParametersDetection: true,
+		PassOptionsRequests:        false,
+		MaxErrorsInResponse:        1,
+	}
+
+	handler := handlersAPI.Handlers(s.lock, &updatedCfg, s.shutdown, s.logger, s.dbSpec, nil, nil)
+
+	p, err := json.Marshal(map[string]any{
+		"firstname": "test",
+		"lastname":  "test",
+		"job":       "test",
+		"email":     "[email protected]",
+		"url":       "http://wallarm.com",
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := fasthttp.AcquireRequest()
+	req.SetRequestURI("/test/signup")
+	req.Header.SetMethod("POST")
+	req.SetBodyStream(bytes.NewReader(p), -1)
+	req.Header.SetContentType("application/json")
+	req.Header.Add(web.XWallarmSchemaIDHeader, fmt.Sprintf("%d", DefaultSchemaID))
+
+	reqCtx := fasthttp.RequestCtx{
+		Request: *req,
+	}
+
+	handler(&reqCtx)
+
+	t.Logf("Name of the test: %s; request method: %s; request uri: %s; request body: %s", t.Name(), string(reqCtx.Request.Header.Method()), string(reqCtx.Request.RequestURI()), string(reqCtx.Request.Body()))
+	t.Logf("Name of the test: %s; status code: %d; response body: %s", t.Name(), reqCtx.Response.StatusCode(), string(reqCtx.Response.Body()))
+
+	// check response status code and response body
+	checkResponseOkStatusCode(t, &reqCtx, DefaultSchemaID)
+
+	// Repeat request with invalid email
+	reqInvalidEmail, err := json.Marshal(map[string]any{
+		"email": "[email protected]",
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.SetBodyStream(bytes.NewReader(reqInvalidEmail), -1)
+
+	missedParams := map[string]any{
+		"firstname": struct{}{},
+		"lastname":  struct{}{},
+	}
+
+	reqCtx = fasthttp.RequestCtx{
+		Request: *req,
+	}
+
+	handler(&reqCtx)
+
+	if reqCtx.Response.StatusCode() != 200 {
+		t.Errorf("Incorrect response status code. Expected: 200 and got %d",
+			reqCtx.Response.StatusCode())
+	}
+
+	apifwResponse := validator.ValidationResponse{}
+	if err := json.Unmarshal(reqCtx.Response.Body(), &apifwResponse); err != nil {
+		t.Errorf("Error while JSON response parsing: %v", err)
+	}
+
+	if len(apifwResponse.Errors) != 1 {
+		t.Errorf("wrong number of errors. Expected: 1. Got: %d", len(apifwResponse.Errors))
+	}
+
+	for _, apifwErr := range apifwResponse.Errors {
+
+		if apifwErr.Code != validator.ErrCodeRequiredBodyParameterMissed {
+			t.Errorf("Incorrect error code. Expected: %s and got %s",
+				validator.ErrCodeRequiredBodyParameterMissed, apifwErr.Code)
+		}
+
+		if len(apifwErr.Fields) != 1 {
+			t.Errorf("wrong number of related fields. Expected: 1. Got: %d", len(apifwErr.Fields))
+		}
+
+		if _, ok := missedParams[apifwErr.Fields[0]]; !ok {
+			t.Errorf("Invalid missed field. Expected: firstname or lastname but got %s",
+				apifwErr.Fields[0])
+		}
+
+	}
+
+	t.Logf("Name of the test: %s; request method: %s; request uri: %s; request body: %s", t.Name(), string(reqCtx.Request.Header.Method()), string(reqCtx.Request.RequestURI()), string(reqCtx.Request.Body()))
+	t.Logf("Name of the test: %s; status code: %d; response body: %s", t.Name(), reqCtx.Response.StatusCode(), string(reqCtx.Response.Body()))
+
+}

cmd/api-firewall/tests/wallarm_api2_update.db

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.9.0
+    image: wallarm/api-firewall:v0.9.1
     restart: on-failure
     environment:
       APIFW_URL: "http://0.0.0.0:8080"

demo/docker-compose/OWASP_CoreRuleSet/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.8'
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.9.0
+    image: wallarm/api-firewall:v0.9.1
     restart: on-failure
     environment:
       APIFW_MODE: "api"

demo/docker-compose/docker-compose-api-mode.yml

@@ -2,7 +2,7 @@ version: '3.8'
 services:
   api-firewall:
     container_name: api-firewall
-    image: wallarm/api-firewall:v0.9.0
+    image: wallarm/api-firewall:v0.9.1
     restart: on-failure
     environment:
       APIFW_MODE: "graphql"