corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

The rule reported an error #28

Closed toadzhou closed 1 year ago

toadzhou commented 1 year ago

Caddyfile

        coraza_waf {
                include /waf/coraza.conf
                include /waf/coreruleset4/crs-setup.conf.example
                include /waf/coreruleset4/rules/*.conf
        }

Start error

# ./caddy start
2022/10/10 04:36:31.694 INFO    using adjacent Caddyfile
2022/10/10 04:36:31.696 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/10/10 04:36:31.697 INFO    redirected default logger       {"from": "stderr", "to": "/data/test/access.log"}
Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'waf': provision http.handlers.waf: failed to compile rule (error parsing regexp: invalid or unsupported Perl syntax: `(?<`): FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" "id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/3.3.4',severity:'CRITICAL',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
Error: caddy process exited with error: exit status 1

0x1a8510f2 commented 1 year ago

Same issue using Caddy v2.6.1 and Coreruleset v3.3.4. Coreruleset Nightly from today produces:

failed to compile rule (error parsing regexp: invalid nested repetition operator: `*+`): REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" "id:920600,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept header: charset parameter',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc1',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

toadzhou commented 1 year ago

I've tried different versions of Coreruleset and have different problems. I feel that it cannot be used in production yet.

jptosso commented 1 year ago

Hey, since CRS v4, we have been struggling with regression issues; we are working together with CRS to make this work: https://github.com/coreruleset/coreruleset/issues/2848.

We are adding GitHub Actions to CRS to ensure RE2 (golang regex) compatibility and avoid this.

We also have to upgrade coraza-caddy to the latest coraza v3 commit, as we added support for new ModSecurity features required by CRS 4. (MULTIPART_PARTS_HEADERS)

CRS is not tagging versions, so we can only rely on hash IDs.

We will be posting soon some proper measures to prevent this from happening in the future. It should include new GitHub Actions and a CRS compatibility matrix.
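Added example, not code from this thread or from the Coraza or CRS projects: a small Go program that performs the compatibility check described above by compiling every `@rx` pattern in a rule file with Go's `regexp` package (RE2 syntax), so lookbehinds like `(?<!` and possessive quantifiers like `*+` are reported with their rule id before the rules ever reach a production Caddy. The SecRule parser is deliberately minimal (backslash line continuations, one double-quoted operator argument, `\"` unescaping, implicit `@rx`), and the three rules in `sampleRules` are constructed stand-ins, not the real CRS files.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Incompat records one @rx pattern that Go's regexp (RE2 syntax) refuses to compile.
type Incompat struct {
	RuleID  string // value of the id: action, or "?" if none was found
	Pattern string
	Err     string
}

// sampleRules is a constructed stand-in for a CRS rule file. Rule 920120 uses a
// negative lookbehind, 920600 a possessive quantifier, 911100 plain RE2 syntax.
const sampleRules = `# constructed sample, not the real CRS files
SecRule FILES_NAMES|FILES "@rx (?<!&amp;)['\"=]" \
    "id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'multipart bypass'"
SecRule REQUEST_HEADERS:Accept "!@rx ^[^;]+(?:\s*+;\s*+charset\s*+=\s*+utf-8)?$" \
    "id:920600,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept header'"
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST|OPTIONS)$" \
    "id:911100,phase:1,block,t:none,msg:'Method is not allowed by policy'"
`

// joinContinuations merges backslash-continued lines into single logical lines.
func joinContinuations(conf string) []string {
	var out []string
	var cur strings.Builder
	for _, raw := range strings.Split(conf, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasSuffix(line, "\\") {
			cur.WriteString(strings.TrimSuffix(line, "\\"))
			cur.WriteString(" ")
			continue
		}
		cur.WriteString(line)
		out = append(out, cur.String())
		cur.Reset()
	}
	return out
}

// extractOperatorArg returns the first double-quoted argument of a SecRule line
// (the operator), with \" unescaped, plus the remainder of the line (the actions).
func extractOperatorArg(line string) (arg, rest string, ok bool) {
	i := strings.Index(line, `"`)
	if i < 0 {
		return "", "", false
	}
	var b strings.Builder
	for j := i + 1; j < len(line); j++ {
		c := line[j]
		if c == '\\' && j+1 < len(line) && line[j+1] == '"' {
			b.WriteByte('"') // \" inside the quoted string is a literal quote
			j++
			continue
		}
		if c == '"' {
			return b.String(), line[j+1:], true
		}
		b.WriteByte(c)
	}
	return "", "", false
}

var idRe = regexp.MustCompile(`(?:^|[,"\s])id:'?(\d+)`)

// ruleID pulls the numeric id: action out of the actions string.
func ruleID(actions string) string {
	if m := idRe.FindStringSubmatch(actions); m != nil {
		return m[1]
	}
	return "?"
}

// FindIncompatibleRules compiles every @rx (or implicit @rx) pattern in conf with
// Go's regexp and returns the ones RE2 syntax rejects. The exact error text
// depends on the Go version (e.g. Go 1.22+ parses "(?<" as a named capture).
func FindIncompatibleRules(conf string) []Incompat {
	var found []Incompat
	for _, line := range joinContinuations(conf) {
		if !strings.HasPrefix(line, "SecRule ") {
			continue
		}
		arg, rest, ok := extractOperatorArg(line)
		if !ok {
			continue
		}
		arg = strings.TrimPrefix(arg, "!") // negated operator, same regex
		var pattern string
		switch {
		case strings.HasPrefix(arg, "@rx "):
			pattern = strings.TrimPrefix(arg, "@rx ")
		case strings.HasPrefix(arg, "@"):
			continue // @pm, @eq, @detectSQLi, ...: not a regex
		default:
			pattern = arg // ModSecurity treats a bare operator string as @rx
		}
		if _, err := regexp.Compile(pattern); err != nil {
			found = append(found, Incompat{RuleID: ruleID(rest), Pattern: pattern, Err: err.Error()})
		}
	}
	return found
}

func main() {
	for _, inc := range FindIncompatibleRules(sampleRules) {
		fmt.Printf("rule %s: %s\n  pattern: %s\n", inc.RuleID, inc.Err, inc.Pattern)
	}
}
```

Run it over `rules/*.conf` (read the files and concatenate them) as a CI step before rolling a new CRS commit into a Caddy deployment; an empty result means every regex in that snapshot is accepted by Go's engine.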

toadzhou commented 1 year ago

It is recommended to maintain a set of available rule versions by yourself to avoid production accidents caused by updating the official coreruleset rules.

jptosso commented 1 year ago

Open discussion @corazawaf/core-developers. Until CRS ensures RE2 regression, we could maintain a Coraza-compatible CRS fork.

jptosso commented 1 year ago

This issue is now fixed, please update CRS: https://github.com/coreruleset/coreruleset/pull/2862

rholden3 commented 1 year ago

Is anyone still having this issue? I am still getting it with branches v4.0/dev, v3.3/dev and v3.3/master. I do not have the issue for v4.0/main or v3.4/dev but I would assume these rulesets are out of date.

Barnoux commented 1 year ago

Hello, @rholden3 it actually works for me with OWASP_CRS/4.0.0-RC1. I tried OWASP_CRS/3.2.3 and OWASP_CRS/3.3.4 and I still have the same error "failed to compile rule".

jptosso commented 1 year ago

Upgrading to v4 and https://github.com/corazawaf/coraza-caddy/releases/tag/v1.2.2 is the solution to this.