Ingress-nginx: ModSecurity in 0.19.0 no longer logs in fully valid JSON

Is this a request for help? No.

What keywords did you search in NGINX Ingress controller issues before filing this one? ModSecurity, JSON, SecAuditLogFormat

Is this a BUG REPORT or FEATURE REQUEST? BUG REPORT

NGINX Ingress controller version: 0.19.0 (still testing in 0.20.0)

Kubernetes version (use kubectl version): 1.11.2

Environment:

• Cloud provider or hardware configuration: Azure Kubernetes Service
• OS (e.g. from /etc/os-release): Ubuntu 16.04
• Kernel (e.g. uname -a):
• Install tools:
• Others:

What happened: When ModSecurity intercepts attacks a 403 is correctly returned and the attack is recorded in ModSecurity's audit log. In 0.13.0 this was recorded in JSON format. In 0.19.0 additional double-quote characters appear in two scenarios that break the JSON format and prevent audit logs being parsed by tooling.

What you expected to happen: safe JSON encoding is used when recording log entries so that values inside JSON properties have quote characters correctly escaped.

How to reproduce it (as minimally and precisely as possible): On a Kubernetes cluster with ModSecurity enabled and logging to stderr (see below), upgrade to the 0.19.0 image and trip a ModSecurity rule. Parse the resulting output with a JSON parser to find the errors. ModSecurity configuration is added using the following annotation:

nginx.ingress.kubernetes.io/configuration-snippet: |
      modsecurity_rules '
        SecRuleEngine On
        SecDefaultAction "phase:2,log,auditlog,deny,status:403"
        SecDefaultAction "phase:1,log,auditlog,deny,status:403"
        SecAuditLog /dev/fd/2
        SecAuditLogFormat JSON
        SecAuditLogParts ABIJHZ
        SecAuditLogType Serial
        SecAuditEngine RelevantOnly

Anything else we need to know: Docker is parsing the stderr output which is being picked up by Microsoft's OMS agent and reported to Log Analytics. Using the 0.13.0 Ingress image this was fine, using 0.19.0 we are seeing invalid JSON output.

Two places where the JSON is invalid:
1) An additional quote is added after the OWASP version number (search for OWASP_CRS/3.0.2 and note that it appears in the context of "components":["OWASP_CRS/3.0.2""] - note the extra closing quote.

2) When logging the response body (i.e. when OWASP rules trip due to response body content such as suspect php source leakage), double-quotes in the response body are not escaped at all, invalidating the JSON schema significantly. Additionally, quotes in ModSecurity error messages don't match up, e.g. "match":"Matched "Operator $$Rx' with parameter (etc) - in the actual logs a backtick is rendered instead of $$, but GitHub acts on the backtick. Note here that there is an erroneous double-quote before the word Operator but also the backtick before Rx doesn't match the single-quote after Rx. The second point is not causing invalid JSON but is an indicator that ModSecurity JSON serialisation is badly confused over the various quotes. It is possible that a JSON serialiser in 0.19.0 is trying to be too clever about detecting quotes-within-quotes and is replacing them with backticks/double-quotes as appropriate but is then getting confused by long chunks of text containing double-quotes, single-quotes, apostrophes and backticks. JSON format compliance simply requires an escaping backslash character before the quote rather than it being changed to a different type of quote.