updates to CRS v4.0.0-rc2, sets equal BodyLimits in default configs (#…

…243)

README.md

@@ -2,6 +2,8 @@
 
 Web Application Firewall WASM filter built on top of [Coraza](https://github.com/corazawaf/coraza) and implementing the [proxy-wasm ABI](https://github.com/proxy-wasm/spec). It can be loaded directly from Envoy or also used as an Istio plugin.
 
+Mind that a WAF is not a plug-and-play security solution. It requires a configuration and tuning tailored to the environment and traffic the WAF is meant to protect to be effective. For production usage, it is strongly recommended to be fully aware of the deployed configurations (See [@recommended-conf](./wasmplugin/rules/coraza.conf-recommended.conf) and [@crs-setup-conf](./wasmplugin/rules/crs-setup.conf.example)) and to perform a tuning phase of the rule set used. For more information on tuning the OWASP Core Rule Set (CRS), please refer to the [False Positives and Tuning](https://coreruleset.org/docs/concepts/false_positives_tuning/) guide.
+
 ## Getting started
 
 `go run mage.go -l` lists all the available commands:
@@ -106,7 +108,7 @@ configuration:
                 "Include @demo-conf",
                 "SecDebugLogLevel 9",
                 "SecRuleEngine On",
-                "Include @crs-setup-demo-conf",
+                "Include @crs-setup-conf",
                 "Include @owasp_crs/*.conf"
             ]
         },
@@ -126,15 +128,15 @@ configuration:
                 "Include @demo-conf",
                 "SecDebugLogLevel 9",
                 "SecRuleEngine On",
-                "Include @crs-setup-demo-conf",
+                "Include @crs-setup-conf",
                 "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf"
             ]
         },
         "default_directives": "default"
     }
 ```
 
-#### Recommendations using CRS with proxy-wasm
+#### Recommendations using CRS with coraza-proxy-wasm
 
 - In order to mitigate as much as possible malicious requests (or connections open) sent upstream, it is recommended to keep the [CRS Early Blocking](https://coreruleset.org/20220302/the-case-for-early-blocking/) feature enabled (SecAction [`900120`](./wasmplugin/rules/crs-setup.conf.example)).
 
@@ -159,7 +161,7 @@ FTW_INCLUDE=920410 go run mage.go ftw
 Once the filter is built, via the commands `go run mage.go runEnvoyExample`, `go run mage.go reloadEnvoyExample`, and `go run mage.go teardownEnvoyExample` you can spin up, test, and tear down the test environment. 
 Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. 
 The filter is configured with the CRS loaded working in Anomaly Scoring mode. 
-For details and locally tweaking the configuration refer to [@demo-conf](./wasmplugin/rules/coraza-demo.conf) and [@crs-setup-demo-conf](./wasmplugin/rules/crs-setup-demo.conf).
+For details and locally tweaking the configuration refer to [@recommended-conf](./wasmplugin/rules/coraza.conf-recommended.conf) and [@crs-setup-conf](./wasmplugin/rules/crs-setup.conf.example).
 
 In order to monitor envoy logs while performing requests you can run:
 

example/envoy/envoy-config.yaml

@@ -56,7 +56,7 @@ static_resources:
                               "directives_map": {
                                   "rs1": [
                                     "Include @demo-conf",
-                                    "Include @crs-setup-demo-conf",
+                                    "Include @crs-setup-conf",
                                     "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:5,log,auditlog,pass\"",
@@ -66,7 +66,7 @@ static_resources:
                                   ],
                                   "rs2": [
                                     "Include @demo-conf",
-                                    "Include @crs-setup-demo-conf",
+                                    "Include @crs-setup-conf",
                                     "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:5,log,auditlog,pass\"",

example/istio/README.md

@@ -45,7 +45,7 @@ spec:
       - Include @demo-conf
       - SecDebugLogLevel 9
       - SecRuleEngine On
-      - Include @crs-setup-demo-conf
+      - Include @crs-setup-conf
       - Include @owasp_crs/*.conf
   selector:
     matchLabels:
@@ -82,7 +82,7 @@ spec:
       - Include @demo-conf
       - SecDebugLogLevel 9
       - SecRuleEngine On
-      - Include @crs-setup-demo-conf
+      - Include @crs-setup-conf
       - Include @owasp_crs/*.conf
   selector:
     matchLabels:
@@ -127,4 +127,4 @@ Coraza: Warning. Javascript method detected [file "@owasp_crs/REQUEST-941-APPLIC
 [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] 
 [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "my-hostname"] [uri "/anything/?arg=<script>alert(0)</script>"] 
 [unique_id "wTueIQloYpvpWNLzVfy"]	thread=27
-```
+```

ftw/Dockerfile

@@ -7,9 +7,9 @@ RUN apk update && apk add curl
 
 WORKDIR /workspace
 
-# TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.tar.gz
-ADD https://github.com/coreruleset/coreruleset/tarball/477d8c3431d042294af2651f08d63d10b6f3fd60 /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 477d8c3431d042294af2651f08d63d10b6f3fd60 --strip-components 1
+# TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc2.tar.gz
+ADD https://github.com/coreruleset/coreruleset/tarball/2b92d53ea708babbca8da06cd13decffbc9e31b5 /workspace/coreruleset/
+RUN cd coreruleset && tar -xf 2b92d53ea708babbca8da06cd13decffbc9e31b5 --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

ftw/ftw.yml

@@ -14,8 +14,6 @@ testoverride:
     '920100-16': 'Invalid HTTP request line. Rejected by Envoy with Error 400'
     '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
     '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
-    '941110-9': 'Referer header is sanitized by Envoy and removed from the request'
-    '920270-5': 'Referer header is sanitized by Envoy and removed from the request'
     '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
     '920210-2': 'Connection header is stripped out by Envoy'
     '920210-3': 'Connection header is stripped out by Envoy'
@@ -26,17 +24,13 @@ testoverride:
     '920274-3': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
     '920274-5': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
     '932161-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932161-8': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-9': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-10': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-11': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-12': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-6': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-28': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-6': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-8': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-6': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-7': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-19': 'Referer header is sanitized by Envoy and removed from the request'
 
     # Rules working, tests excluded for different expected output
     '920270-4': 'Log contains 920270. Test has log_contains disabled.'
@@ -48,7 +42,6 @@ testoverride:
     '920280-3': 'Rule 920280 not detected. Host not present. Coraza side'
     '920290-1': 'Rule 920290 not detected. Empty Host. Coraza side'
     '920430-3': 'Rule 920430 not detected. Proto version. Coraza side'
-    '920430-5': 'Rule 920430 not detected. Proto version. Coraza side'
     '920430-8': 'Rule 920430 not detected. Proto version. Coraza side'
     '920430-9': 'Rule 920430 not detected. Proto version. Coraza side'
     '934120-23': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
@@ -57,3 +50,5 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
+    '934131-5': 'See https://github.com/corazawaf/coraza/pull/899'
+    '934131-7': 'See https://github.com/corazawaf/coraza/pull/899'

lifecycle_multiphase_test.go

@@ -139,7 +139,7 @@ func TestLifecycleMultiPhase(t *testing.T) {
 		{
 			name: "944150 - Deny anticipated at request headers phase from response headers phase",
 			inlineRules: `
-			Include @demo-conf\nInclude @crs-setup-demo-conf\nInclude @owasp_crs/*.conf
+			Include @demo-conf\nInclude @crs-setup-conf\nInclude @owasp_crs/*.conf
 			`,
 			reqHdrs: [][2]string{
 				{":path", "/"},
@@ -154,7 +154,7 @@ func TestLifecycleMultiPhase(t *testing.T) {
 		{
 			name: "943120 - Deny anticipated at request headers phase from response headers phase",
 			inlineRules: `
-			Include @demo-conf\nInclude @crs-setup-demo-conf\nInclude @owasp_crs/*.conf
+			Include @demo-conf\nInclude @crs-setup-conf\nInclude @owasp_crs/*.conf
 			`,
 			reqHdrs: [][2]string{
 				{":path", "/login.php?jsessionid=74B0CB414BD77D17B5680A6386EF1666"},

wasmplugin/fs.go

@@ -23,7 +23,7 @@ func init() {
 		map[string]string{
 			"@recommended-conf":    "coraza.conf-recommended.conf",
 			"@demo-conf":           "coraza-demo.conf",
-			"@crs-setup-demo-conf": "crs-setup-demo.conf",
+			"@crs-setup-demo-conf": "crs-setup.conf.example", // Deprecated, points to @crs-setup-conf
 			"@ftw-conf":            "ftw-config.conf",
 			"@crs-setup-conf":      "crs-setup.conf.example",
 		},

wasmplugin/rules/coraza-demo.conf

@@ -41,18 +41,21 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # to the size of data, with files excluded. You want to keep that value as
 # low as practical.
 #
-SecRequestBodyLimit 13107200
+# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
+
+SecRequestBodyLimit 131072
 
 SecRequestBodyInMemoryLimit 131072
 
-SecRequestBodyNoFilesLimit 131072
+# SecRequestBodyNoFilesLimit is currently not supported by Coraza
+# SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
 # when SecRuleEngine is set to DetectionOnly mode in order to minimize
 # disruptions when initially deploying Coraza.
 #
-SecRequestBodyLimitAction Reject
+SecRequestBodyLimitAction ProcessPartial
 
 # Verify that we've correctly processed the request body.
 # As a rule of thumb, when failing to process a request body
@@ -168,19 +171,11 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-#
-# This default setting is chosen due to all systems have /tmp available however,
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
 # The location where Coraza will keep its persistent data.  This default setting
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
-SecDataDir /tmp/
+# SecDataDir /tmp/
 
 
 # -- File uploads handling configuration -------------------------------------

wasmplugin/rules/coraza.conf-recommended.conf

@@ -41,11 +41,13 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # to the size of data, with files excluded. You want to keep that value as
 # low as practical.
 #
+# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
+
 SecRequestBodyLimit 13107200
 
-SecRequestBodyInMemoryLimit 131072
+SecRequestBodyInMemoryLimit 13107200
 
-SecRequestBodyNoFilesLimit 131072
+# SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
@@ -168,19 +170,11 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-#
-# This default setting is chosen due to all systems have /tmp available however,
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
-# The location where Coraza will keep its persistent data.  This default setting
+# The location where Coraza will keep its persistent data.  This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
-SecDataDir /tmp/
+# SecDataDir /tmp/
 
 
 # -- File uploads handling configuration -------------------------------------