updates to CRS v4.0.0 (#260)

ftw/Dockerfile

@@ -8,8 +8,8 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc2.tar.gz
-ADD https://github.com/coreruleset/coreruleset/tarball/2b92d53ea708babbca8da06cd13decffbc9e31b5 /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 2b92d53ea708babbca8da06cd13decffbc9e31b5 --strip-components 1
+ADD https://github.com/coreruleset/coreruleset/tarball/1d95422bb31983a5290720b7fb662ce3dd51f753 /workspace/coreruleset/
+RUN cd coreruleset && tar -xf 1d95422bb31983a5290720b7fb662ce3dd51f753 --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

ftw/ftw.yml

@@ -12,9 +12,6 @@ testoverride:
     '920100-10': 'Invalid HTTP method. Rejected by Envoy with Error 400'
     '920100-14': 'Invalid HTTP method. Rejected by Envoy with Error 400'
     '920100-16': 'Invalid HTTP request line. Rejected by Envoy with Error 400'
-    '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
-    '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
-    '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
     '920210-2': 'Connection header is stripped out by Envoy'
     '920210-3': 'Connection header is stripped out by Envoy'
     '920210-4': 'Connection header is stripped out by Envoy'
@@ -28,9 +25,18 @@ testoverride:
     '932161-10': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-11': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-12': 'Referer header is sanitized by Envoy and removed from the request'
+    '932237-8': 'Referer header is sanitized by Envoy and removed from the request'
+    '932237-18': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-6': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-7': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-19': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-27': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-29': 'Referer header is sanitized by Envoy and removed from the request'  
+    '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
+    '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
+    '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
+    '920181-1': 'Content-Length with Transfer-Encoding chunked is rejected by Envoy with Error 400' 
+    '932260-28': 'test bug, fixed upstream https://github.com/coreruleset/coreruleset/pull/3580'
 
     # Rules working, tests excluded for different expected output
     '920270-4': 'Log contains 920270. Test has log_contains disabled.'
@@ -50,5 +56,5 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
-    '934131-5': 'See https://github.com/corazawaf/coraza/pull/899'
-    '934131-7': 'See https://github.com/corazawaf/coraza/pull/899'
+    '942440-19': 'Coraza side: Seems like ARGS is not splitted in _GET and _POST in ruleRemoveTargetById. Further investigation needed.'
+    '942440-20': 'Coraza side: Seems like ARGS is not splitted in _GET and _POST in ruleRemoveTargetById. Further investigation needed.'

wasmplugin/rules/crs-setup.conf.example

@@ -1,9 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -12,7 +12,7 @@
 #
 # -- [[ Introduction ]] --------------------------------------------------------
 #
-# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
+# The OWASP CRS is a set of generic attack
 # detection rules that provide a base level of protection for any web
 # application. They are written for the open source, cross-platform
 # ModSecurity Web Application Firewall.
@@ -619,6 +619,8 @@ SecAction \
 # Block request if number of arguments is too high
 # Default: unlimited
 # Example: 255
+# Note that a hard limit by the engine may also apply here (SecArgumentsLimit).
+# This would override this soft limit.
 # Uncomment this rule to set a limit.
 #SecAction \
 #    "id:900300,\
@@ -692,7 +694,7 @@ SecAction \
 #
 # -- [[ Easing In / Sampling Percentage ]] -------------------------------------
 #
-# Adding the Core Rule Set to an existing productive site can lead to false
+# Adding the CRS to an existing productive site can lead to false
 # positives, unexpected performance issues and other undesired side effects.
 #
 # It can be beneficial to test the water first by enabling the CRS for a
@@ -746,23 +748,6 @@ SecAction \
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 
-#
-# -- [[ Collection timeout ]] --------------------------------------------------
-#
-# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
-# to a lower setting which is appropriate to most sites.
-# This increases performance by cleaning out stale collection (block) entries.
-#
-# This value should be greater than or equal to any block durations or timeouts
-# set by plugins that make use of ModSecurity's persistent collections (e.g. the
-# DoS protection and IP reputation plugins).
-#
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecCollectionTimeout
-
-# Please keep this directive uncommented.
-# Default: 600 (10 minutes)
-SecCollectionTimeout 600
-
 
 #
 # -- [[ End of setup ]] --------------------------------------------------------