I think a WAF is more complicated, and we can solve some of the WAF problems through regularization. Here is an issue about this: https://github.com/apache/apisix/issues/5780
Zhiyuan Ju <juzhiy...@apache.org> wrote on Fri, Dec 17, 2021 at 10:50:
> Hi,
>
> > Apache APISIX can add a general WAF plug-in to solve similar security problems
>
> I support adding Security Plugins to prevent common vulnerabilities, then fulfill the Gateway abilities.
>
> BTW, for the specific log4j2 issue, we should also pay attention to more encoding algorithms, e.g. Hex, Unicode. Because if we use some keywords like `${` to check requests, and the hacker converts it to `"\x24\u007b"`, it may bypass the WAF check :)
>
> Best Regards!
> @ Zhiyuan Ju <https://github.com/juzhiyuan>
>
> Ming Wen <wenm...@apache.org> wrote on Fri, Dec 17, 2021 at 09:52:
>
> > hello, community,
> > Apache APISIX does not yet have a WAF plug-in, so when encountering a security vulnerability in log4j2, users of Apache APISIX need to write their own plug-ins.
> >
> > In my opinion, Apache APISIX can add a general WAF plug-in to solve similar security problems. We can deal with HTTP header, URI args, request body (this needs caution, as it affects performance).
> >
> > What do you think?
> >
> > Thanks,
> > Ming Wen, Apache APISIX PMC Chair
> > Twitter: _WenMing
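The bypass Zhiyuan Ju describes (a keyword rule for `${` defeated by `\x24\u007b`) and the three surfaces Ming Wen lists (headers, URI args, body) are illustrated below. This is an added example written for this page, not code from the thread and not an APISIX plugin; it is plain Python rather than Lua so the logic can be run stand-alone. The keyword rule, the decode budget, the body cap and the sample request are all assumptions made for the example.

```python
"""Added example (not code from the thread or from the APISIX project):
why a keyword check such as "${" has to decode common encodings first.

Assumptions, all made for this example: a single keyword rule, a fixed
decode budget, a body-size cap, and the constructed sample request below.
"""
import re
from urllib.parse import unquote

KEYWORD = "${"              # lookup prefix being screened for (assumed rule)
MAX_BODY_BYTES = 64 * 1024  # assumed cap on how much of the body is inspected
MAX_ROUNDS = 3              # assumed bound on repeated decoding

# JSON/JavaScript style escapes: \xHH and \uHHHH
_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def unescape(s: str) -> str:
    """Decode \\xHH and \\uHHHH escapes the way a JSON/JS consumer would."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def normalize(s: str) -> str:
    """Percent-decode and unescape until the value stops changing.

    Bounded by MAX_ROUNDS so double encoding is caught without letting a
    client make the check arbitrarily expensive.
    """
    for _ in range(MAX_ROUNDS):
        decoded = unescape(unquote(s))
        if decoded == s:
            break
        s = decoded
    return s


def naive_match(value: str) -> bool:
    """The check the thread warns about: substring match on the raw value."""
    return KEYWORD in value


def normalized_match(value: str) -> bool:
    """Same rule, applied after decoding."""
    return KEYWORD in normalize(value)


def inspect_request(headers: dict, args: dict, body: bytes) -> list:
    """Return the parts of a request whose decoded value contains KEYWORD.

    Covers the three surfaces named in the thread: headers, URI args and
    a size-capped request body.
    """
    hits = []
    for name, value in headers.items():
        if normalized_match(value):
            hits.append("header:" + name)
    for name, value in args.items():
        if normalized_match(value):
            hits.append("arg:" + name)
    if body:
        text = body[:MAX_BODY_BYTES].decode("utf-8", errors="replace")
        if normalized_match(text):
            hits.append("body")
    return hits


# Constructed sample request (not captured traffic). Each encoded value
# hides "${lookup}" in a different way; "Accept" and "page" are benign.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 \\x24\\u007blookup}",  # the thread's \x24\u007b form
    "X-Api-Version": "%24%7Blookup}",                  # percent-encoded
    "Accept": "*/*",
}
SAMPLE_ARGS = {"q": "%2524%257Blookup}", "page": "2"}  # double percent-encoded
SAMPLE_BODY = b'{"name": "\\u0024\\u007blookup}"}'      # JSON \uXXXX escapes


if __name__ == "__main__":
    ua = SAMPLE_HEADERS["User-Agent"]
    print("naive check on User-Agent:     ", naive_match(ua))       # False: bypassed
    print("normalized check on User-Agent:", normalized_match(ua))  # True
    print("flagged parts:", inspect_request(SAMPLE_HEADERS, SAMPLE_ARGS, SAMPLE_BODY))
```

Percent-decoding runs before escape decoding in each round so that `%5Cu007b` (an escaped backslash sequence) is also caught on the next pass. The round limit and the body cap are where the performance concern from the thread is addressed: both bound the work a single request can force, and an in-gateway plugin would want to make them configurable.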