chore: updates coraza, fixes tests accordingly (#147)

Co-authored-by: José Carlos Chávez <[email protected]>
corazawaf · Feb 9, 2023 · 0d6d8a3 · 0d6d8a3
1 parent e5c8ad0
commit 0d6d8a3
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 10 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/corazawaf/coraza-proxy-wasm
 go 1.19
 
 require (
-	github.com/corazawaf/coraza/v3 v3.0.0-20230203191834-6a4986af664c
+	github.com/corazawaf/coraza/v3 v3.0.0-20230209180956-ec9d46c1b177
 	github.com/stretchr/testify v1.8.0
 	github.com/tetratelabs/proxy-wasm-go-sdk v0.21.0
 	github.com/tidwall/gjson v1.14.4
@@ -23,7 +23,7 @@ require (
 	github.com/tetratelabs/wazero v1.0.0-pre.8 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
-	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/net v0.6.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/corazawaf/coraza/v3 v3.0.0-20230203191834-6a4986af664c h1:M9t+XPN3amVVuhFQcH3eOHD0ye7Wi1IquMyinqrfKFI=
-github.com/corazawaf/coraza/v3 v3.0.0-20230203191834-6a4986af664c/go.mod h1:dXFswKzaDVm4SsHAyvi12A4yLfg2bVx/myCBkyGALGU=
+github.com/corazawaf/coraza/v3 v3.0.0-20230209180956-ec9d46c1b177 h1:8EroLK+J6fi4q7xdgu3izy46aFgXL5nVC93RHxol1Z0=
+github.com/corazawaf/coraza/v3 v3.0.0-20230209180956-ec9d46c1b177/go.mod h1:dXFswKzaDVm4SsHAyvi12A4yLfg2bVx/myCBkyGALGU=
 github.com/corazawaf/libinjection-go v0.1.2 h1:oeiV9pc5rvJ+2oqOqXEAMJousPpGiup6f7Y3nZj5GoM=
 github.com/corazawaf/libinjection-go v0.1.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -43,9 +43,9 @@ github.com/wasilibs/go-re2 v0.1.0/go.mod h1:F91Yac+zPNDFrrd8fl4mSd7+TTu2tYiX56BE
 github.com/wasilibs/nottinygc v0.0.0-20230202022930-bb230a97db8e h1:xzrL/Fd514ijzrySqTQgCLyGVOWbQBs7qhwLqSrR/2s=
 github.com/wasilibs/nottinygc v0.0.0-20230202022930-bb230a97db8e/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
 golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=

diff --git a/main_test.go b/main_test.go
@@ -251,7 +251,7 @@ func TestLifecycle(t *testing.T) {
 		{
 			name: "request body denied, above limits",
 			inlineRules: `
-			SecRuleEngine On\nSecRequestBodyAccess On\nSecRequestBodyLimit 2\nSecRule REQUEST_BODY \"name=yogi\" \"id:101,phase:2,t:lowercase,deny\"
+			SecRuleEngine On\nSecRequestBodyAccess On\nSecRequestBodyLimit 2\nSecRequestBodyLimitAction Reject\nSecRule REQUEST_BODY \"name=yogi\" \"id:101,phase:2,t:lowercase,deny\"
 			`,
 			requestHdrsAction:  types.ActionContinue,
 			requestBodyAction:  types.ActionPause,
@@ -361,7 +361,7 @@ func TestLifecycle(t *testing.T) {
 		{
 			name: "response body denied, end of body",
 			inlineRules: `
-			SecRuleEngine On\nSecResponseBodyAccess On\nSecRule RESPONSE_BODY \"@contains yogi\" \"id:101,phase:4,t:lowercase,deny\"
+			SecRuleEngine On\nSecResponseBodyAccess On\nSecResponseBodyMimeType text/plain\nSecRule RESPONSE_BODY \"@contains yogi\" \"id:101,phase:4,t:lowercase,deny\"
 			`,
 			requestHdrsAction:  types.ActionContinue,
 			requestBodyAction:  types.ActionContinue,
@@ -372,7 +372,7 @@ func TestLifecycle(t *testing.T) {
 		{
 			name: "response body denied, start of body",
 			inlineRules: `
-			SecRuleEngine On\nSecResponseBodyAccess On\nSecRule RESPONSE_BODY \"@contains hello\" \"id:101,phase:4,t:lowercase,deny\"
+			SecRuleEngine On\nSecResponseBodyAccess On\nSecResponseBodyMimeType text/plain\nSecRule RESPONSE_BODY \"@contains hello\" \"id:101,phase:4,t:lowercase,deny\"
 			`,
 			requestHdrsAction:  types.ActionContinue,
 			requestBodyAction:  types.ActionContinue,

diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf
@@ -42,6 +42,9 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # low as practical.
 #
 SecRequestBodyLimit 13107200
+
+SecRequestBodyInMemoryLimit 131072
+
 SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.

diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf
@@ -42,6 +42,9 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # low as practical.
 #
 SecRequestBodyLimit 13107200
+
+SecRequestBodyInMemoryLimit 131072
+
 SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.