updates to CRS v4.0.0-rc2, sets equal BodyLimits in default configs

corazawaf · Oct 25, 2023 · da7df91 · da7df91
1 parent 5ce7285
commit da7df91
Show file tree

Hide file tree

Showing 53 changed files with 3,097 additions and 2,328 deletions.
diff --git a/README.md b/README.md
@@ -106,7 +106,7 @@ configuration:
                 "Include @demo-conf",
                 "SecDebugLogLevel 9",
                 "SecRuleEngine On",
-                "Include @crs-setup-demo-conf",
+                "Include @crs-setup-conf",
                 "Include @owasp_crs/*.conf"
             ]
         },
@@ -126,7 +126,7 @@ configuration:
                 "Include @demo-conf",
                 "SecDebugLogLevel 9",
                 "SecRuleEngine On",
-                "Include @crs-setup-demo-conf",
+                "Include @crs-setup-conf",
                 "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf"
             ]
         },
@@ -159,7 +159,7 @@ FTW_INCLUDE=920410 go run mage.go ftw
 Once the filter is built, via the commands `go run mage.go runEnvoyExample`, `go run mage.go reloadEnvoyExample`, and `go run mage.go teardownEnvoyExample` you can spin up, test, and tear down the test environment. 
 Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. 
 The filter is configured with the CRS loaded working in Anomaly Scoring mode. 
-For details and locally tweaking the configuration refer to [@demo-conf](./wasmplugin/rules/coraza-demo.conf) and [@crs-setup-demo-conf](./wasmplugin/rules/crs-setup-demo.conf).
+For details and locally tweaking the configuration refer to [@recommended-conf](./wasmplugin/rules/coraza.conf-recommended.conf) and [@crs-setup-conf](./wasmplugin/rules/crs-setup.conf.example).
 
 In order to monitor envoy logs while performing requests you can run:
 

diff --git a/example/envoy/envoy-config.yaml b/example/envoy/envoy-config.yaml
@@ -56,7 +56,7 @@ static_resources:
                               "directives_map": {
                                   "rs1": [
                                     "Include @demo-conf",
-                                    "Include @crs-setup-demo-conf",
+                                    "Include @crs-setup-conf",
                                     "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:5,log,auditlog,pass\"",
@@ -66,7 +66,7 @@ static_resources:
                                   ],
                                   "rs2": [
                                     "Include @demo-conf",
-                                    "Include @crs-setup-demo-conf",
+                                    "Include @crs-setup-conf",
                                     "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:5,log,auditlog,pass\"",

diff --git a/example/istio/README.md b/example/istio/README.md
@@ -45,7 +45,7 @@ spec:
       - Include @demo-conf
       - SecDebugLogLevel 9
       - SecRuleEngine On
-      - Include @crs-setup-demo-conf
+      - Include @crs-setup-conf
       - Include @owasp_crs/*.conf
   selector:
     matchLabels:
@@ -82,7 +82,7 @@ spec:
       - Include @demo-conf
       - SecDebugLogLevel 9
       - SecRuleEngine On
-      - Include @crs-setup-demo-conf
+      - Include @crs-setup-conf
       - Include @owasp_crs/*.conf
   selector:
     matchLabels:
@@ -127,4 +127,4 @@ Coraza: Warning. Javascript method detected [file "@owasp_crs/REQUEST-941-APPLIC
 [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] 
 [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "my-hostname"] [uri "/anything/?arg=<script>alert(0)</script>"] 
 [unique_id "wTueIQloYpvpWNLzVfy"]	thread=27
-```
+```
diff --git a/ftw/Dockerfile b/ftw/Dockerfile
@@ -7,9 +7,9 @@ RUN apk update && apk add curl
 
 WORKDIR /workspace
 
-# TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.tar.gz
-ADD https://github.com/coreruleset/coreruleset/tarball/477d8c3431d042294af2651f08d63d10b6f3fd60 /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 477d8c3431d042294af2651f08d63d10b6f3fd60 --strip-components 1
+# TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc2.tar.gz
+ADD https://github.com/coreruleset/coreruleset/tarball/2b92d53ea708babbca8da06cd13decffbc9e31b5 /workspace/coreruleset/
+RUN cd coreruleset && tar -xf 2b92d53ea708babbca8da06cd13decffbc9e31b5 --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

diff --git a/ftw/ftw.yml b/ftw/ftw.yml
@@ -14,8 +14,6 @@ testoverride:
     '920100-16': 'Invalid HTTP request line. Rejected by Envoy with Error 400'
     '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
     '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
-    '941110-9': 'Referer header is sanitized by Envoy and removed from the request'
-    '920270-5': 'Referer header is sanitized by Envoy and removed from the request'
     '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
     '920210-2': 'Connection header is stripped out by Envoy'
     '920210-3': 'Connection header is stripped out by Envoy'
@@ -26,17 +24,13 @@ testoverride:
     '920274-3': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
     '920274-5': 'PL4 - False positive. Envoy Populates :path header, therefore invalid character are detected'
     '932161-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932161-8': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-9': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-10': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-11': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-12': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-6': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932236-28': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-6': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-7': 'Referer header is sanitized by Envoy and removed from the request'
-    '932237-8': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-6': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-7': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-19': 'Referer header is sanitized by Envoy and removed from the request'
 
     # Rules working, tests excluded for different expected output
     '920270-4': 'Log contains 920270. Test has log_contains disabled.'
@@ -48,7 +42,6 @@ testoverride:
     '920280-3': 'Rule 920280 not detected. Host not present. Coraza side'
     '920290-1': 'Rule 920290 not detected. Empty Host. Coraza side'
     '920430-3': 'Rule 920430 not detected. Proto version. Coraza side'
-    '920430-5': 'Rule 920430 not detected. Proto version. Coraza side'
     '920430-8': 'Rule 920430 not detected. Proto version. Coraza side'
     '920430-9': 'Rule 920430 not detected. Proto version. Coraza side'
     '934120-23': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
@@ -57,3 +50,8 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
+
+    # TODO: check why we are failing to deobfuscate these payloads
+    # tests added via https://github.com/coreruleset/coreruleset/commit/da0314056c4816629bf51ed143dc959a1757db8b
+    '934131-5': ''
+    '934131-7': ''
diff --git a/wasmplugin/fs.go b/wasmplugin/fs.go
@@ -23,7 +23,7 @@ func init() {
 		map[string]string{
 			"@recommended-conf":    "coraza.conf-recommended.conf",
 			"@demo-conf":           "coraza-demo.conf",
-			"@crs-setup-demo-conf": "crs-setup-demo.conf",
+			"@crs-setup-demo-conf": "crs-setup.conf.example", // Deprecated, points to @crs-setup-conf
 			"@ftw-conf":            "ftw-config.conf",
 			"@crs-setup-conf":      "crs-setup.conf.example",
 		},

diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf
@@ -41,9 +41,11 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # to the size of data, with files excluded. You want to keep that value as
 # low as practical.
 #
+# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
+
 SecRequestBodyLimit 13107200
 
-SecRequestBodyInMemoryLimit 131072
+SecRequestBodyInMemoryLimit 13107200
 
 SecRequestBodyNoFilesLimit 131072
 
@@ -168,19 +170,11 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-#
-# This default setting is chosen due to all systems have /tmp available however,
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
 # The location where Coraza will keep its persistent data.  This default setting
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
-SecDataDir /tmp/
+# SecDataDir /tmp/
 
 
 # -- File uploads handling configuration -------------------------------------

diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf
@@ -41,9 +41,11 @@ SecRule REQUEST_HEADERS:Content-Type "^application/json" \
 # to the size of data, with files excluded. You want to keep that value as
 # low as practical.
 #
+# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
+
 SecRequestBodyLimit 13107200
 
-SecRequestBodyInMemoryLimit 131072
+SecRequestBodyInMemoryLimit 13107200
 
 SecRequestBodyNoFilesLimit 131072
 
@@ -168,19 +170,11 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza stores temporary files (for example, when
-# it needs to handle a file upload that is larger than the configured limit).
-#
-# This default setting is chosen due to all systems have /tmp available however,
-# this is less than ideal. It is recommended that you specify a location that's private.
-#
-SecTmpDir /tmp/
-
-# The location where Coraza will keep its persistent data.  This default setting
+# The location where Coraza will keep its persistent data.  This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
-SecDataDir /tmp/
+# SecDataDir /tmp/
 
 
 # -- File uploads handling configuration -------------------------------------