Skip to content

fix: harden cors, multi-auth and body-transformer plugins against malformed requests#13469

Open
shreemaan-abhishek wants to merge 4 commits into
apache:masterfrom
shreemaan-abhishek:fix/plugin-robustness-fixes
Open

fix: harden cors, multi-auth and body-transformer plugins against malformed requests#13469
shreemaan-abhishek wants to merge 4 commits into
apache:masterfrom
shreemaan-abhishek:fix/plugin-robustness-fixes

Conversation

@shreemaan-abhishek
Copy link
Copy Markdown
Contributor

@shreemaan-abhishek shreemaan-abhishek commented Jun 3, 2026

Description

This PR hardens three plugins against malformed or edge-case requests that currently surface as 500 errors or leak sensitive data into the logs.

  • cors: process_with_allow_origins_by_regex passes the request Origin header straight to ngx.re.find. When a request arrives without an Origin header (nil), this raises and the request fails with a 500. Added an early nil guard so such requests are handled gracefully.

  • multi-auth: when an auth sub-plugin returns a status code with a nil error message, the error-string concatenation .. err throws, turning a 401 into a 500. Made the concatenation nil-safe with (err or "").

  • body-transformer:

    • The multipart decoder called the multipart library directly, so a malformed multipart body raised an error and produced a 500 instead of a 400. The decode is now wrapped in pcall and returns the error to the caller.
    • The post-decode nil check now runs before get_all_with_arrays() is invoked, so a failed decode is reported instead of calling a method on a nil value.
    • On a decode error the raw request body was written to the error log, which can leak credentials/PII and amplify log volume for a malformed body. It now logs the body size instead.
    • Removed a redundant local ok redeclaration that shadowed the outer ok.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Jun 3, 2026
@shreemaan-abhishek
fix(body-transformer): clear reserved template-helper keys from decod…
7a1c475 
…ed body

Lua reads raw table keys before consulting __index, so a request body with
fields named _ctx/_body/_escape_xml/_escape_json/_multipart would shadow the
template helpers injected via __index and break or hijack rendering. Clear
those reserved keys from the decoded body before setting the metatable.
@shreemaan-abhishek
test: fix body-transformer and cors assertions failing CI
4aa6aec 
body-transformer TEST 17: the bundled multipart parser does not raise on
the malformed body, so the request decodes to an empty part set and
proxies through (200) rather than failing with 400. Assert the actual
guarantee -- no 500 -- instead of pinning a specific status.

cors TEST 36: allow_headers/expose_headers default to '*', and
check_schema rejects '*' together with allow_credential=true. Set both to
explicit non-'*' values so the route config passes schema validation.
@shreemaan-abhishek
style: drop redundant comment on body-transformer decode-error log
45561ad
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@membphis membphis membphis approved these changes

@nic-6443 nic-6443 nic-6443 approved these changes

@AlinsRan AlinsRan AlinsRan approved these changes

Assignees

No one assigned

Labels

bug Something isn't working size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shreemaan-abhishek @membphis @nic-6443 @AlinsRan