oss-sec mailing list archives

CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed


From: Zexuan Luo <spacewander () apache org>
Date: Mon, 28 Mar 2022 11:16:43 +0800

Severity: low

Description:

When decoding JSON with duplicate keys, lua-cjson keeps the last
occurrence of the key as the result. By sending a JSON body with a
duplicate key, an attacker can bypass the body_schema validation in the
request-validation plugin. For example,
`{"string_payload":"bad","string_payload":"good"}` can be used to hide
the "bad" input from the validator.

Systems that satisfy all three of the conditions below are affected by this attack:
1. body_schema validation in the request-validation plugin is in use
2. the upstream application uses a JSON library that keeps the first
occurrence of a duplicate key, such as jsoniter or gojay
3. the upstream application does not validate the input itself.

The fix in APISIX is to re-encode the validated JSON input back into
the request body on the APISIX side, so the upstream receives the same
object the validator checked.
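The parser disagreement and the fix, as an added example that is not part of the advisory or of the APISIX code base. Python's `json` module is used as a stand-in for both behaviours: its default decoding keeps the last duplicate, like lua-cjson, and an `object_pairs_hook` reproduces a first-wins parser such as the ones the advisory names. The `string_payload` rule, the function names and the sample body are constructed for illustration.

```python
import json
import re

# Constructed sample body from the advisory: the same key appears twice.
DUPLICATE_KEY_BODY = '{"string_payload":"bad","string_payload":"good"}'

# Constructed stand-in for a body_schema rule: the field must be a string of
# at least four lowercase letters, so "good" passes and "bad" fails.
PAYLOAD_PATTERN = re.compile(r"^[a-z]{4,}$")


def decode_last_wins(raw):
    """Decode like lua-cjson: for duplicate keys the last value is kept.
    Python's json module behaves this way by default."""
    return json.loads(raw)


def decode_first_wins(raw):
    """Decode like a first-wins parser (the advisory names jsoniter and gojay)."""
    def keep_first(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)  # later duplicates are ignored
        return obj
    return json.loads(raw, object_pairs_hook=keep_first)


def duplicate_keys(raw):
    """Return every key that is repeated inside any object of the document.
    Useful as a gateway-side check: a body with duplicates is suspicious."""
    found = []

    def record(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                found.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(raw, object_pairs_hook=record)
    return found


def body_schema_ok(obj):
    """Constructed body_schema check on the decoded object."""
    value = obj.get("string_payload")
    return isinstance(value, str) and PAYLOAD_PATTERN.match(value) is not None


def gateway_forward(raw, reencode):
    """Validate with a last-wins decoder and return the body sent upstream,
    or None if validation rejects the request. reencode=False passes the raw
    body through (the behaviour the advisory describes as vulnerable);
    reencode=True re-serialises the validated object (the fix in 2.13.0)."""
    decoded = decode_last_wins(raw)
    if not body_schema_ok(decoded):
        return None
    return json.dumps(decoded) if reencode else raw


def upstream_view(body):
    """What a first-wins upstream actually processes from the forwarded body."""
    return decode_first_wins(body)["string_payload"]


if __name__ == "__main__":
    print("duplicates:", duplicate_keys(DUPLICATE_KEY_BODY))
    print("pass-through upstream sees:", upstream_view(gateway_forward(DUPLICATE_KEY_BODY, False)))
    print("re-encoded upstream sees:  ", upstream_view(gateway_forward(DUPLICATE_KEY_BODY, True)))
```

With pass-through forwarding the gateway validates "good" while the upstream acts on "bad"; after re-encoding, the forwarded body contains only the value that was validated. `duplicate_keys` is the additional check a defender can run at either hop: rejecting or logging bodies that repeat a key removes the ambiguity entirely rather than relying on both parsers agreeing.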

Mitigation:

1. upgrade APISIX to 2.13.0 if you need to use the body_schema
validation in the request-validation plugin
2. add additional validation in the application code, embrace
defensive programming

Credit:

Thanks to Guangli Dong from https://www.huoxian.cn/

