Re: [Mod-security-developers] JSON body processor
From: Breno S. <bre...@gm...> - 2012-09-23 15:58:15
Hello Ulisses,

Your work on this task will help a lot of people! Let me point out some comments.

1 - Please take a look at http://www.apache.org/legal/3party.html. There is a list of authorized licenses to use. If you find some good library with a different kind of license we can try to determine if it is compatible or not.

2 - The first idea is to populate already used modsecurity collections ARGS, ARGS_NAMES etc. However we can discuss if necessary some additional collection for example JSON_*. Using the ARGS* collections will make user's life easier to apply the current ruleset against JSON data.

3 - This is a good question. Currently we don't have exact numbers to make it. But we must keep in mind we don't want to add too much latency into http transactions. So we always try to work in a small range of microseconds. As you said, you can try to generate compatible dataset and compare the performance numbers.

4 - This is fine to discuss it here. Once we have defined what to do you can document it in the Jira ticket.

Thanks

Breno

On Sun, Sep 23, 2012 at 8:31 AM, Ulisses Montenegro <uli...@gm...> wrote:

> Team
>
> As my first attempt in contributing to mod_security I've decided to
> tackle MODSEC-253, a JSON body processor. I've gone through the XML
> and multipart body processors and found them apparently
> straightforward. I would like some pointers on issues which I need to
> address before deciding on my solution, though.
>
> 1. The XML body processor uses libxml for the actual XML parsing, I
> assume adding a JSON parser library would be acceptable as well. If
> so, what licenses would be acceptable?
> 2. XML processor offers a XPath interface for rules to match XML
> contents, which is a standard, but AFAIK there is nothing equivalent
> for JSON (aside from evaluating Javascript object references). What
> interface would work best for the rules to gain access to the JSON
> contents?
> 3. Are there any guidelines/rules regarding memory usage and
> performance, i.e., how can if my code or the library I'm using is
> performing acceptably? I know I can always benchmark/profile other
> body processors and compare the results directly, but I'm looking more
> towards hard numbers, if they're available.
> 4. Finally, do these kind of questions go into JIRA? I decided to try
> the mailing list first as I did not want to add possibly irrelevant
> information to the JIRA issue, but I think at least items [1] and [2]
> should be registered there -- is that how it usually works?
>
> Thanks a lot for the great work on mod_security
> Ulisses
>
> --
> “If debugging is the process of removing software bugs, then
> programming must be the process of putting them in.” - Edsger Dijkstra
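
The idea in point 2 of the reply, sketched as an added example that is not part of the original thread and is not ModSecurity's code: a parsed JSON body is flattened into ARGS/ARGS_NAMES-style pairs so that a pattern written for form parameters also inspects nested JSON values. The dotted `json.` naming, the function names, the sample body and the pattern are assumptions made for illustration.

```python
import json
import re

def flatten_json(value, prefix="json"):
    """Yield (name, value) for every scalar leaf; dotted names are an assumed convention."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten_json(child, f"{prefix}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten_json(child, f"{prefix}.{index}")
    else:
        # Rules operate on strings: keep strings as-is, render numbers/true/false/null as JSON text.
        yield prefix, value if isinstance(value, str) else json.dumps(value)

def build_collections(body):
    """Return {'ARGS': [(name, value)], 'ARGS_NAMES': [name]}, or None if the body is not valid JSON."""
    try:
        document = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None     # caller should treat this as a processing error, not as "nothing to inspect"
    args = list(flatten_json(document))
    return {"ARGS": args, "ARGS_NAMES": [name for name, _ in args]}

def match_args(collections, pattern):
    """Names of the ARGS entries whose value matches the pattern, like a rule targeting ARGS."""
    rule = re.compile(pattern)
    return [name for name, value in collections["ARGS"] if rule.search(value)]

# Constructed sample request body and a constructed pattern of the kind a rule would apply to ARGS.
SAMPLE_BODY = b'{"user": {"name": "alice", "bio": "<script>alert(1)</script>"}, "tags": ["a", "b"], "age": 30}'
SAMPLE_PATTERN = r"(?i)<script\b"

if __name__ == "__main__":
    collections = build_collections(SAMPLE_BODY)
    for name, value in collections["ARGS"]:
        print(f"{name} = {value}")
    print("matched:", match_args(collections, SAMPLE_PATTERN))
```

Returning `None` on a parse failure keeps "invalid JSON" distinct from "valid JSON with no arguments", so the caller can fail closed instead of skipping inspection.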