From cb58e3e8cf29bb8dbb105cedac95b0c5c0064fbe Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Mon, 27 Apr 2020 13:47:00 +0000
Subject: [PATCH 1/4] Resolve issue with allowed_request_content_types
---
 crs-setup.conf.example | 2 +-
 rules/REQUEST-901-INITIALIZATION.conf | 2 +-
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 7 ++--
 .../920420.yaml | 35 ++++++++++++++++++-
 4 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index 621e2fa0a..a653a2724 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -398,7 +398,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # nolog,\
 # pass,\
 # t:none,\
-# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|multipart/related|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
+# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 46ecaedc2..0d9d68854 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
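Review bot: Operator overrides of `tx.allowed_request_content_type` written in the old `a|b|c` form (a rule 900220 kept from an existing crs-setup.conf, or a setvar elsewhere) are not migrated, and under the `@within` comparison introduced in the 920 hunk the first and last entries of such a list, which lack a surrounding `|`, stop matching while the middle entries keep working — a partial and easy-to-miss regression on upgrade. The same applies to the 901 default in the next hunk and to the `# Default:` comment rewritten in patch 2. I'd state the required shape next to that `# Default:` line, e.g. `# Each entry must be wrapped in '|' and entries separated by a space; the old 'a|b|c' form is no longer matched by rule 920420.`, and mention the format change in the upgrade notes.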
@@ -168,7 +168,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|multipart/related|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 # Default HTTP policy: allowed_request_content_type_charset (rule 900270)
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 880c8c4b3..50984981a 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -964,11 +964,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
 tag:'PCI/12.1',\
 ver:'OWASP_CRS/3.2.0',\
 severity:'CRITICAL',\
+ setvar:'tx.content_type_%{tx.0}=|%{tx.0}|',\
 chain"
- SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
- "t:none,\
- ctl:forceRequestBodyVariable=On,\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ SecRule TX:/^CONTENT_TYPE_/ "!@within %{tx.allowed_request_content_type}" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
index 3aab60b3e..bcb2563da 100644
--- a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
+++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920420.yaml
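Review bot: The new chained rule in the 920 hunk keeps only the anomaly-score `setvar` and silently drops the `t:none` and `ctl:forceRequestBodyVariable=On` actions that the removed `SecRule TX:0` rule carried, so a request with a non-allow-listed Content-Type is still scored but its body is no longer forced into REQUEST_BODY for later inspection rules when ModSecurity has no body processor for that type; the commit message gives no reason for this, so it looks unintended. I'd restore the action list on the new rule: `"t:none,\`, `ctl:forceRequestBodyVariable=On,\`, `setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"`. Patches 2, 3 and 4 rewrite this same chained rule again (the hunks at 966 and 964 further down) and none of them brings the two actions back. Separately, the parent rule's capture `^[^;\s]+` (visible in the hunk header) does not exclude the `|` delimiter that the new `|%{tx.0}|` wrapping relies on, so the wrapped value is not guaranteed to be compared as a single list entry; excluding `|` from the capture or rejecting it in the header value would close that. The parent rule's action list starts before this hunk.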
@@ -1,6 +1,6 @@
 ---
 meta:
- author: "csanders-git"
+ author: "csanders-git, Franziska Bühler"
 enabled: true
 name: "920420.yaml"
 description: "Description"
@@ -218,4 +218,37 @@
 data: "test"
 output:
 no_log_contains: "id \"920420\""
+ -
+ test_title: 920420-10
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ method: "OPTIONS"
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: "localhost"
+ Content-Type: "application/soap+xml"
+ data: "test"
+ output:
+ no_log_contains: "id \"920420\""
+ -
+ test_title: 920420-11
+ stages:
+ -
+ stage:
+ input:
+ dest_addr: "127.0.0.1"
+ port: 80
+ method: "OPTIONS"
+ headers:
+ User-Agent: "ModSecurity CRS 3 Tests"
+ Host: "localhost"
+ Content-Type: "application"
+ data: "test"
+ output:
+ log_contains: "id \"920420\""
+
From 2e1eda8d3af44452392cdb04e7b7683105cde040 Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Tue, 28 Apr 2020 05:35:44 +0000
Subject: [PATCH 2/4] Set var to lowercase and change comment
---
 crs-setup.conf.example | 6 +++---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index a653a2724..99957c6bb 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
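Review bot: The two added cases (920420-10 and 920420-11) pin an accepted `application/soap+xml` and a rejected bare `application`, but nothing pins case handling: media types are case-insensitive on the wire and `@within` is, as far as I know, a literal substring match, so whether a mixed-case value such as `Application/JSON` is accepted depends on transformations on the parent rule that are outside this series. A third case sending a mixed-case allowed type, with whichever of `no_log_contains`/`log_contains` the rule intends, would document that decision and catch a future change to it.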
@@ -388,9 +388,9 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 # Content-Types that a client is allowed to send in a request.
-# Default: application/x-www-form-urlencoded|multipart/form-data|multipart/related|\
-# text/xml|application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
+# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
+# |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 50984981a..4dcd9ac82 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -966,7 +966,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
 severity:'CRITICAL',\
 setvar:'tx.content_type_%{tx.0}=|%{tx.0}|',\
 chain"
- SecRule TX:/^CONTENT_TYPE_/ "!@within %{tx.allowed_request_content_type}" \
+ SecRule TX:/^content_type_/ "!@within %{tx.allowed_request_content_type}" \
 "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
From 71d6e0d11b9b96d6f871082699a82231f24ae1dc Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Tue, 28 Apr 2020 05:44:39 +0000
Subject: [PATCH 3/4] Change to preferred lowercase var
---
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 4dcd9ac82..022f802f4 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -966,7 +966,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
 severity:'CRITICAL',\
 setvar:'tx.content_type_%{tx.0}=|%{tx.0}|',\
 chain"
- SecRule TX:/^content_type_/ "!@within %{tx.allowed_request_content_type}" \
+ SecRule TX:/(?i)^CONTENT_TYPE_/ "!@within %{tx.allowed_request_content_type}" \
 "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
From 8eab11b04f2f92e25ef8e3b522b695222132319e Mon Sep 17 00:00:00 2001
From: franbuehler
Date: Tue, 28 Apr 2020 15:49:14 +0000
Subject: [PATCH 4/4] Update nextcloud excl rules and shorten var
---
 rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf | 8 ++++----
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
index e1dca51c9..4a19348b5 100644
--- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
 pass,\
 t:none,\
 nolog,\
- setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
 # Allow the data type 'application/octet-stream'
@@ -110,7 +110,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
 nolog,\
 chain"
 SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
- "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
+ "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
 # Allow data types like video/mp4
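Review bot: The four Nextcloud append rules now add ` |type|` with a leading space, which is what the `@within` check in 920420 needs, but any other exclusion file or operator rule that still appends in the old `%{tx.allowed_request_content_type}|type` shape would from now on produce an entry that never matches, so that type is scored as unknown rather than allowed; I can't see from this series whether any other 903.* file appends this way, so a grep over the rule set before merging seems prudent. A short comment above the first append rule would keep this from recurring, e.g. `# Append as ' |type|' (leading space, '|' on both sides) so that the @within check in 920420 can match the entry.`. The hunks at 260 and 273 on the next line are the same change.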
@@ -260,7 +260,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
 pass,\
 t:none,\
 nolog,\
- setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
 # [ Calendar ]
@@ -273,7 +273,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
 pass,\
 t:none,\
 nolog,\
- setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar'"
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
 # [ Notes ]
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 022f802f4..e7b9d81ca 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -964,9 +964,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
 tag:'PCI/12.1',\
 ver:'OWASP_CRS/3.2.0',\
 severity:'CRITICAL',\
- setvar:'tx.content_type_%{tx.0}=|%{tx.0}|',\
+ setvar:'tx.content_type=|%{tx.0}|',\
 chain"
- SecRule TX:/(?i)^CONTENT_TYPE_/ "!@within %{tx.allowed_request_content_type}" \
+ SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
 "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"