Closed syinwu closed 2 years ago
Hey @bxlxx , do you have some debug information on this?
Test code:

```go
func TestRx(t *testing.T) {
	waf := coraza.NewWaf()
	// Rule 901168 sets the allowed charset list; rule 920480 captures the
	// charset from Content-Type and denies if it is not within that list.
	rules := `SecRule &TX:allowed_request_content_type_charset "@eq 0" \
"id:901168,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.4.0-dev',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
"id:920480,\
phase:1,\
deny,\
capture,\
t:none,\
msg:'Request content type charset is not allowed by policy',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.content_type_charset=|%{tx.1}|',\
chain"
SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \
"t:lowercase,\
ctl:forceRequestBodyVariable=On,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"`
	parser, err := NewParser(waf)
	if err != nil {
		t.Error(err)
		return
	}
	err = parser.FromString(rules)
	if err != nil {
		// Report the parse error instead of failing with an empty message.
		t.Error(err)
		return
	}
	tx := waf.NewTransaction()
	// utf-8 is in the allowed list, so no interruption is expected.
	tx.AddRequestHeader("Content-Type", "text/html; charset=utf-8")
	it := tx.ProcessRequestHeaders()
	if it != nil {
		t.Error("failed test for rx captured")
	}
}
```
I didn't use the pcre plugin. I'm fixing the issue.
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v3.x%29#capture
I looked up the ModSecurity manual and I think there are some issues with capturing @rx matching.
There are the following rules:
Example request:
The request should not be blocked.
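
What rule 920480 and its chained rule from the test code should evaluate to, as an added example that is not part of the original thread and is not Coraza or ModSecurity code. It models the documented `capture` semantics (TX:0 is the whole match, TX:1 the first group) and `@within` as a substring test with Go's standard library; the names `evalCharsetChain`, `charsetRx` and `allowedCharsets` and the sample headers are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Same pattern as the @rx operator of rule 920480 in the test code.
var charsetRx = regexp.MustCompile(`charset\s*=\s*["']?([^;"'\s]+)`)

// Value that rule 901168 stores in tx.allowed_request_content_type_charset.
const allowedCharsets = "|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|"

// evalCharsetChain (hypothetical helper) models the 920480 chain.
// captures[i] is what "capture" should store in TX:i; deny reports whether
// the chained "!@within" rule matches, which triggers the deny action.
func evalCharsetChain(contentType string) (captures []string, deny bool) {
	captures = charsetRx.FindStringSubmatch(contentType)
	if captures == nil {
		return nil, false // first rule did not match, chain never runs
	}
	// setvar:'tx.content_type_charset=|%{tx.1}|' uses group 1, not the whole match.
	v := "|" + captures[1] + "|"
	// t:lowercase on the chained rule, then @within (substring of the allowed list).
	v = strings.ToLower(v)
	return captures, !strings.Contains(allowedCharsets, v)
}

func main() {
	// Constructed sample Content-Type values.
	samples := []string{
		"text/html; charset=utf-8",
		"text/html; charset=UTF-8",
		`text/html; charset="iso-8859-15"`,
		"text/html; charset=utf-7",
		"application/json",
	}
	for _, ct := range samples {
		caps, deny := evalCharsetChain(ct)
		fmt.Printf("%-36q captures=%q deny=%v\n", ct, caps, deny)
	}
}
```
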