coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

Support Cospend App #64

Closed mhastu closed 5 months ago

mhastu commented 5 months ago

When using the Android sync client for Cospend, "Moneybuster", the following FP appears upon creation of a new bill:

ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "44"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/4.0.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272/220/274"] [tag "PCI/12.1"] [uri "/ocs/v2.php/apps/cospend/api/v1/projects/personal/bills/1374"]].

I was able to fix it using the following exclusion rule, but can guarantee no safety:

SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/cospend/api/v[0-9]+/" \
    "id:9509000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
EsadCetiner commented 5 months ago

@mhastu I think that rule is fine, but you could improve the regex so that you're matching if the request URI ends with it instead of contains it, by using negated sets like so:

SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/cospend/api/v[0-9]+/(?:[^/]+/){3}[0-9]+$" \
    "id:9509000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"

May need to be adjusted depending on how cospend works exactly

Cospend is a 3rd party Nextcloud app, this plugin is already pretty big (about 160 rules) and it'll continue to grow. 3rd party plugins for WordPress aren't supported, so for Nextcloud I think a similar policy is reasonable.
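To make the difference between the two exclusions concrete, here is an added example (not part of this issue or of the plugin) that emulates what rule 911100 and the exclusion do with `tx.allowed_methods`, and runs both regexes over a handful of constructed request paths. ModSecurity's `@rx` is an unanchored search, which Python's `re.search` reproduces. The default method list `GET HEAD POST OPTIONS` is an assumption taken from the CRS setup defaults; adjust it if your `crs-setup.conf` differs.

```python
import re

# Exclusion regex from the first comment: matches anywhere in the path ("contains").
CONTAINS_RE = re.compile(r"/ocs/v[0-9]+\.php/apps/cospend/api/v[0-9]+/")

# Tightened regex from the second comment: anchored to "<3 segments>/<numeric id>" at the end.
ANCHORED_RE = re.compile(
    r"/ocs/v[0-9]+\.php/apps/cospend/api/v[0-9]+/(?:[^/]+/){3}[0-9]+$"
)

# Assumption: the CRS default value of tx.allowed_methods.
DEFAULT_ALLOWED_METHODS = "GET HEAD POST OPTIONS"

# Constructed sample paths (REQUEST_FILENAME has no query string).
SAMPLE_URIS = [
    "/ocs/v2.php/apps/cospend/api/v1/projects/personal/bills/1374",   # the FP from the report
    "/ocs/v2.php/apps/cospend/api/v1/projects/personal/members/42",   # same shape, other resource
    "/ocs/v2.php/apps/cospend/api/v1/projects",                       # collection, no id
    "/ocs/v2.php/apps/cospend/api/v1/projects/personal/bills/1374/export",  # deeper path
    "/index.php/apps/files",                                          # unrelated Nextcloud path
]


def allowed_methods_for(uri: str, pattern: re.Pattern) -> str:
    """Emulate the phase-1 exclusion: append PUT when REQUEST_FILENAME matches."""
    methods = DEFAULT_ALLOWED_METHODS
    if pattern.search(uri):
        methods = f"{methods} PUT"
    return methods


def method_enforcement_fires(uri: str, method: str, pattern: re.Pattern) -> bool:
    """Emulate rule 911100: True when REQUEST_METHOD is not within tx.allowed_methods."""
    return method not in allowed_methods_for(uri, pattern).split()


def compare(uris=SAMPLE_URIS) -> dict:
    """For each path, report whether the 'contains' and the anchored regex would widen the method list."""
    return {
        uri: (bool(CONTAINS_RE.search(uri)), bool(ANCHORED_RE.search(uri)))
        for uri in uris
    }


if __name__ == "__main__":
    print(f"{'path':<75} contains anchored")
    for uri, (c, a) in compare().items():
        print(f"{uri:<75} {str(c):<8} {a}")
    # The reported request stops being flagged under either regex:
    print("PUT on bill flagged (anchored):",
          method_enforcement_fires(SAMPLE_URIS[0], "PUT", ANCHORED_RE))
    # But PUT on the bare collection is still flagged only with the anchored regex:
    print("PUT on /projects flagged (anchored):",
          method_enforcement_fires(SAMPLE_URIS[2], "PUT", ANCHORED_RE))
```

The table makes the trade-off visible: the "contains" form turns PUT on for every path under the Cospend API, including deeper sub-resources and bare collections, whereas the anchored form only widens the method list for paths of the exact shape the client uses. As noted above, the anchored pattern still matches any three-segment path ending in a numeric id (members, not just bills), so it may need further tightening once the app's routes are known.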

mhastu commented 5 months ago

I understand that not every app can be supported so you can close this issue. But thanks for your feedback on the regex :)