update to latest CRS v4.14 (#304)

Author: M4tteoP

ftw/Dockerfile

@@ -8,8 +8,10 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # Keep this CRS version aligned with the one embedded in wasmplugin/rules
-ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz /workspace/coreruleset/
-RUN cd coreruleset && tar -xf v4.5.0.tar.gz --strip-components 1
+ARG CRS_VERSION=v4.14.0
+
+ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/${CRS_VERSION}.tar.gz /workspace/coreruleset/
+RUN cd coreruleset && tar -xf ${CRS_VERSION}.tar.gz --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

ftw/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   albedo:
-    image: ghcr.io/coreruleset/albedo:0.1.0
+    image: ghcr.io/coreruleset/albedo:0.2.0
   chown:
     image: alpine:3.16
     command:

ftw/ftw.yml

@@ -57,9 +57,15 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
-    '930110-7': 'Coraza/CRS side: See https://github.com/corazawaf/coraza/pull/1081'
 
     '920274-1': 'Host validation. Apache expects status 400, investigate Coraza-proxy-wasm behavior'
     '920430-5': 'To be investigated Coraza side'
     '932300-10': 'To be investigated Coraza side, failing only with multiphase evaluation'
     '933120-2': 'To be investigated Coraza side, failing only with multiphase evaluation'
+
+    '921140-1': 'Expected 400. To be investigated'
+    '921250-1': 'Expected to match $Version in cookies, To be investigated Coraza side'
+    '921250-2': 'Expected to match $Version in cookies, To be investigated Coraza side'
+    '922130-1': 'match_regex, likely different error message. To be investigated'
+    '922130-2': 'match_regex, likely different error message. To be investigated'
+    '922130-7': 'match_regex, likely different error message. To be investigated'

wasmplugin/rules/coraza-demo.conf

@@ -28,32 +28,32 @@ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 SecRule REQUEST_HEADERS:Content-Type "^application/json" \
      "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
-# Sample rule to enable JSON request body parser for more subtypes.
-# Uncomment or adapt this rule if you want to engage the JSON
-# Processor for "+json" subtypes
+# Enable JSON request body parser for more subtypes.
+# Adapt this rule if you want to engage the JSON Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
-#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
 # Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
-
+# file uploads, this value must has to be as large as the largest file
+# you are willing to accept.
 SecRequestBodyLimit 131072
 
+# Maximum request body size that Coraza will store in memory. If the body
+# size exceeds this value, it will be saved to a temporary file on disk.
 SecRequestBodyInMemoryLimit 131072
 
-# SecRequestBodyNoFilesLimit is currently not supported by Coraza
+# Maximum request body size we will accept for buffering, with files excluded.
+# You want to keep that value as low as practical.
+# Note: SecRequestBodyNoFilesLimit is currently NOT supported by Coraza
 # SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
 # when SecRuleEngine is set to DetectionOnly mode in order to minimize
 # disruptions when initially deploying Coraza.
+# Warning: Setting this directive to ProcessPartial introduces a potential bypass
+# risk, as attackers could prepend junk data equal to or greater than the inspected body size.
 #
 SecRequestBodyLimitAction ProcessPartial
 
@@ -67,87 +67,18 @@ SecRule REQBODY_ERROR "!@eq 0" \
 
 # By default be strict with what we accept in the multipart/form-data
 # request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
+# environment consider changing it to detection-only.
+# Do NOT remove it, as it will catch many evasion attempts.
 #
 SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-# Here is a short description about the Coraza Multipart parser: the
-# parser returns with value 0, if all "boundary-like" line matches with
-# the boundary string which given in MIME header. In any other cases it returns
-# with different value, eg. 1 or 2.
-#
-# The RFC 1341 descript the multipart content-type and its syntax must contains
-# only three mandatory lines (above the content):
-# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
-# * --BOUNDARY_STRING
-# * --BOUNDARY_STRING--
-#
-# First line indicates, that this is a multipart content, second shows that
-# here starts a part of the multipart content, third shows the end of content.
-#
-# If there are any other lines, which starts with "--", then it should be
-# another boundary id - or not.
-#
-# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
-#
-# If multipart content contains the three necessary lines with correct order, but
-# there are one or more lines with "--", then parser returns with value 2 (non-zero).
-#
-# If some of the necessary lines (usually the start or end) misses, or the order
-# is wrong, then parser returns with value 1 (also a non-zero).
-#
-# You can choose, which one is what you need. The example below contains the
-# 'strict' mode, which means if there are any lines with start of "--", then
-# Coraza blocked the content. But the next, commented example contains
-# the 'permissive' mode, then you check only if the necessary lines exists in
-# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
-# or other text files, which contains eg. HTTP headers.
-#
-# The difference is only the operator - in strict mode (first) the content blocked
-# in case of any non-zero value. In permissive mode (second, commented) the
-# content blocked only if the value is explicit 1. If it 0 or 2, the content will
-# allowed.
-#
-
-#
-# See #1747 and #1924 for further information on the possible values for
-# MULTIPART_UNMATCHED_BOUNDARY.
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
-    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^COR_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
-
+"id:'200003',phase:2,t:none,log,deny,status:400, msg:'Multipart request body failed strict validation.'"
 
 # -- Response body handling --------------------------------------------------
 
-# Allow Coraza to access response bodies.
+# Allow Coraza to access response bodies. 
 # You should have this directive enabled in order to identify errors
 # and data leakage issues.
-#
+# 
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
@@ -171,7 +102,7 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza will keep its persistent data.  This default setting
+# The location where Coraza will keep its persistent data. This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
@@ -186,15 +117,16 @@ SecResponseBodyLimitAction ProcessPartial
 #
 #SecUploadDir /opt/coraza/var/upload/
 
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
+# If On, the WAF will store the uploaded files in the SecUploadDir
+# directory.
+# Note: SecUploadKeepFiles is currently NOT supported by Coraza
 #
-#SecUploadKeepFiles RelevantOnly
+#SecUploadKeepFiles Off
 
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to
 # interface Coraza to an external program (e.g., an anti-virus).
+# Note: SecUploadFileMode is currently NOT supported by Coraza
 #
 #SecUploadFileMode 0600
 
@@ -209,22 +141,21 @@ SecResponseBodyLimitAction ProcessPartial
 # 3:   Info
 # 4-8: Debug
 # 9:   Trace (most verbose)
-# Most logging has not been implemented because it will be replaced with
-# advanced rule profiling options
+# 
 #SecDebugLog /opt/coraza/var/log/debug.log
 SecDebugLogLevel 3
 
 
 # -- Audit log configuration -------------------------------------------------
 
 # Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
 # level response status codes).
 #
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
 
-# Log everything we know about a transaction.
+# Define which parts of the transaction are going to be recorded in the audit log
 SecAuditLogParts ABIJDEFHZ
 
 # Use a single file for logging. This is much easier to look at, but
@@ -234,18 +165,15 @@ SecAuditLogParts ABIJDEFHZ
 # which end up in the proxy logs.
 SecAuditLogType Serial
 SecAuditLog /dev/stdout
-SecAuditLogFormat JSON
-
-# -- Miscellaneous -----------------------------------------------------------
 
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
+# The format used to write the audit log.
+# Can be one of JSON|JsonLegacy|Native|OCSF
+SecAuditLogFormat JSON
 
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
+# The following settings are not supported by Coraza
+# SecCookieFormat 0
+# SecArgumentSeparator &
+# SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+#    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# SecRule TX:/^COR_/ "!@streq 0" \
+#       "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"