Merge pull request #890 from lifeforms/merge-v3.0-commits

Merge v3.0/dev commits into v3.1/dev

Author: dune73

.travis.yml

@@ -1,12 +1,30 @@
+sudo: required
+services:
+- docker
 language: python
 python:
-  - "2.7"
-install: "pip install -r ./util/integration/requirements.txt"
+  - 2.7
+before_install:
+  - docker pull owasp/modsecurity-crs
+  - docker run -ti -e PARANOIA=5 -d --rm -p 80:80 -v /var/log/httpd:/var/log/httpd/ owasp/modsecurity-crs
+install: 
+  - pip install -r ./util/integration/requirements.txt
+  - pip install -r ./util/regression-tests/requirements.txt
 script:
-    - py.test -vs ./util/integration/format_tests.py
+  - py.test -vs ./util/integration/format_tests.py
+  - py.test -vs util/regression-tests/CRS_Tests.py --rule=util/regression-tests/tests/test.yaml
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-911-METHOD-ENFORCEMENT
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-913-SCANNER-DETECTION
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-930-APPLICATION-ATTACK-LFI
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-941-APPLICATION-ATTACK-XSS
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-942-APPLICATION-ATTACK-SQLI
+  - py.test -vs util/regression-tests/CRS_Tests.py --ruledir=util/regression-tests/tests/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
 # safelist
 branches:
   only:
   - v3.0/dev
   - v3.0/master
   - v3.1/dev
+notifications:
+  irc: "chat.freenode.net#modsecurity"

CHANGES

@@ -7,7 +7,7 @@
 
 == Version 3.1.0 - 6/5/2017 ==
 
-== Version 3.0.2 - 5/FIXME/2017 ==
+== Version 3.0.2 - 5/12/2017 ==
 
  * Remove debug rule that popped up in 3.0.1 (Christian Folini)
 

CONTRIBUTORS

@@ -0,0 +1,45 @@
+## Project Lead:
+
+- [Chaim Sanders](https://github.com/csanders-git)
+
+## Core Developers:
+
+- [Christian Folini](https://github.com/dune73)
+- [Walter Hop](https://github.com/lifeforms)
+
+## Developers:
+
+- [Franziska Bühler](https://github.com/franbuehler)
+- [Christoph Hansen](https://github.com/emphazer)
+- [Victor Hora](https://github.com/victorhora)
+
+## Contributors:
+
+- [Zack Allen](https://github.com/zmallen)
+- [Ryan Barnett](https://github.com/rcbarnett)
+- [Jeremy Brown](https://github.com/jwbrown77)
+- [Jonathan Claudius](https://github.com/claudijd)
+- [Ashish Dixit](https://github.com/tundal45)
+- [FrozenSolid](https://github.com/frozenSolid)
+- [Michael Haas](https://github.com/MichaelHaas)
+- [jamuse](https://github.com/jamuse)
+- [Krzysztof Kotowicz](https://github.com/koto)
+- [Evgeny Marmalstein](https://github.com/shimshon70)
+- [Christian Mehlmauer](https://github.com/FireFart)
+- [Glyn Mooney](https://github.com/skidoosh)
+- [Robert Paprocki](https://github.com/p0pr0ck5)
+- [Christian Peron](https://github.com/csjperon)
+- [Elia Pinto](https://github.com/yersinia)
+- [Brian Rectanus](https://github.com/b1v1r)
+- [Federico G. Schwindt](https://github.com/fgsch)
+- Ofer Shezaf
+- Breno Silva
+- Marc Stern
+- [Ben Williams](https://github.com/benwilliams)
+- [Greg Wroblewski](https://github.com/gwroblew)
+- [ygrek](https://github.com/ygrek)
+- [Zino](https://github.com/zinoe)
+- [Felipe Zimmerle](https://github.com/zimmerle)
+- Josh Zlatin
+- [Zou Guangxian](https://github.com/zouguangxian)
+- [4ft35t](https://github.com/4ft35t)

CONTRIBUTORS.md

@@ -1,4 +1,5 @@
 [![Join the chat at https://gitter.im/owasp-crs/Lobby](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/owasp-crs/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
 
 # OWASP ModSecurity Core Rule Set (CRS)
 

README.md

@@ -645,7 +645,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #
 # Blocking based on reputation is permanent in the CRS. Unlike other rules,
 # which look at the indvidual request, the blocking of IPs is based on
-# a persistent record in the IP collection, which remains active for a 
+# a persistent record in the IP collection, which remains active for a
 # certain amount of time.
 #
 # There are two ways an individual client can become flagged for blocking:

crs-setup.conf.example

@@ -63,7 +63,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # [ PHP Script Uploads ]
 #
-# Block file uploads with PHP extensions (.php, .php5, .phtml etc).
+# Block file uploads with filenames ending in PHP related extensions
+# (.php, .phps, .phtml, .php5 etc).
 #
 # Many application contain Unrestricted File Upload vulnerabilities.
 # https://www.owasp.org/index.php/Unrestricted_File_Upload
@@ -588,8 +589,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #
 # [ PHP Script Uploads: Superfluous extension ]
 #
-# Block file uploads with PHP extensions (.php, .php5, .phtml etc)
-# anywhere in the name, followed by a dot.
+# Block file uploads with PHP related extensions (.php, .phps, .phtml,
+# .php5 etc) anywhere in the name, followed by a dot.
 #
 # Example: index.php.tmp
 #

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -52,7 +52,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
 
 
-SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
     "id:943110,\
     phase:2,\
     block,\

rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

@@ -0,0 +1,27 @@
+FROM owasp/modsecurity:v2_master
+MAINTAINER Chaim Sanders [email protected]
+
+ENV PARANOIA=1
+
+RUN dnf -y update
+
+RUN dnf -y install python
+
+RUN cd /opt && \
+  #wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz && \
+  #tar -xvzf v3.0.2.tar.gz && \
+  git clone https://github.com/csanders-git/owasp-modsecurity-crs owasp-modsecurity-crs-3.0.2 && \
+  cp -R /opt/owasp-modsecurity-crs-3.0.2/ /etc/httpd/modsecurity.d/owasp-crs/ && \
+  mv /etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf && \
+  cd /etc/httpd/modsecurity.d/owasp-crs/ && \
+  git checkout v3.0/dev-za && \
+  cd /etc/httpd/modsecurity.d && \
+  printf "include modsecurity.d/owasp-crs/crs-setup.conf\ninclude modsecurity.d/owasp-crs/rules/*.conf" > include.conf && \
+  sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/httpd/modsecurity.d/modsecurity.conf
+
+COPY docker-entrypoint.sh /
+
+EXPOSE 80
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["httpd", "-k", "start", "-D", "FOREGROUND"]

util/Dockerfile

@@ -1,2 +1,19 @@
 The util directory contains many supporting tools/scripts that may be used with
 the OWASP ModSecurity CRS files.
+
+Docker Support
+==============
+You can optionally specify
+the paranoia level
+of the resulting CRS image,
+using the PARANOIA build arg,
+as follows:
+```docker build -t owasp/modsecurity-crs .```
+```docker run -p 80:80 -ti -e PARANOIA=5 --rm owasp/modsecurity-crs```
+
+Regression Tests
+================
+The regression tests
+are in the
+util/regression-tests
+folder.