Repeated headers cause problems in json audit logs #2777

Open
jbohanon opened this issue Jul 26, 2022 · 1 comment
Labels
3.x Related to ModSecurity version 3.x

@jbohanon commented Jul 26, 2022

Describe the bug

Current implementation of json audit logs generates log entries with duplicated keys in the event of repeated headers in either the request or response. This is technically not invalid json per RFC 7159 Section 4, but most implementations silently drop all-but-first or all-but-last instances of duplicated keys. In some cases however, the behavior is undefined and an error is thrown. I found this issue in the nginx repo outlining a similar difficulty. The prevailing idea over there seemed to be to convert repeated header fields into a single array value containing all of the previously enumerated values. The HTTP specification states in RFC 9110 Section 5.2 that field values for repeated headers should be able to be concatenated, delimited by commas. I think either of these is a reasonable solution with pros and cons...

Arrays
Pros:

  • Can easily handle different data types

Cons:

  • Less aligned with typical representations of multiple values for a single header

Comma-delimited concatenated strings
Pros:

  • Part of RFC spec for HTTP

Cons:

  • Really only applies to string values

To Reproduce

curl -H "test: value" -H "test: another-value" "https://<site-behind-modsec>"

Server (please complete the following information):

  • ModSecurity version (and connector): ModSecurity v3.0.4 with envoy connector v0.1.0
  • WebServer: envoy 1.19
  • OS (and distro): linux ubuntu

Rule Set (please complete the following information):

  • Running any public or commercial rule set? OWASP_CRS
  • What is the version number? 3.2.0
@martinhsv (Contributor) commented
Hi @jbohanon ,

Actually the issue that you found ( owasp-modsecurity/ModSecurity-nginx#230 ) is exactly the same issue. Or, more precisely, that other issue is describing two sub-issues, one of which is the json-formatting issue for duplicates.

As you may have gathered from my comments at owasp-modsecurity/ModSecurity-nginx#230 (comment), I do prefer the array format as the solution.

@marcstern marcstern added the 3.x Related to ModSecurity version 3.x label Jan 26, 2024
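To make the problem described in the issue and the two proposed fixes concrete, here is an added Python example. It is not ModSecurity code and does not reflect how the audit logger is actually implemented; the header list is constructed for the example and mirrors the curl reproduction above (two `test` headers). It shows why duplicated keys are unreliable for a consumer (Python's `json.loads` keeps only the last value), and implements both the array representation preferred in the reply and the RFC 9110 comma-joined representation. Header names are compared exactly as given; canonicalising case is left to the caller.

```python
import json

# Constructed sample: header fields in wire order, with the "test" header repeated
# exactly as in the issue's curl reproduction. Values are made up for this example.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("test", "value"),
    ("test", "another-value"),
    ("Accept", "*/*"),
]


def naive_json(headers):
    """Serialise one JSON member per header occurrence, so a repeated header name
    becomes a duplicated key. This is built by hand because json.dumps on a dict
    cannot emit duplicate keys; it models the behaviour the issue reports."""
    members = ", ".join(f"{json.dumps(k)}: {json.dumps(v)}" for k, v in headers)
    return "{" + members + "}"


def duplicate_keys(text):
    """Report which keys occur more than once in a flat JSON object.
    object_pairs_hook receives every (key, value) pair before dict collapse."""
    pairs = json.loads(text, object_pairs_hook=lambda p: p)
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def last_wins_view(text):
    """What a typical consumer sees: json.loads silently keeps the last value
    of a duplicated key, so the first 'test' value is lost from the audit record."""
    return json.loads(text)


def headers_as_arrays(headers):
    """Array format: a header seen once stays a string, a repeated header
    becomes a list holding every value in order."""
    out = {}
    for name, value in headers:
        if name not in out:
            out[name] = value
        elif isinstance(out[name], list):
            out[name].append(value)
        else:
            out[name] = [out[name], value]
    return out


def headers_comma_joined(headers):
    """RFC 9110 section 5.2 style: repeated field values concatenated with ', '."""
    out = {}
    for name, value in headers:
        out[name] = value if name not in out else out[name] + ", " + value
    return out


def roundtrip(obj):
    """Serialise and parse again to confirm the representation survives a JSON consumer."""
    return json.loads(json.dumps(obj))


if __name__ == "__main__":
    text = naive_json(SAMPLE_HEADERS)
    print("naive:", text)
    print("duplicated keys:", duplicate_keys(text))
    print("consumer sees:", last_wins_view(text)["test"])
    print("arrays:", json.dumps(headers_as_arrays(SAMPLE_HEADERS)))
    print("comma-joined:", json.dumps(headers_comma_joined(SAMPLE_HEADERS)))
```

Running it shows the naive object carries `"test"` twice, that a standard parser reports only `another-value`, and that both alternative encodings keep both values through a serialise/parse round trip. The array form preserves the values as distinct tokens, while the comma-joined form is compact but makes a value that itself contains a comma (for example a `Set-Cookie` expiry date) ambiguous after the fact.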
3 participants