search

coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0
11 stars 7 forks source link

Nextcloud Deck: reordering a list on a board hits rule 911100: Method is not allowed by policy #84

Closed jessebot closed 2 months ago

jessebot commented 2 months ago

Description

When I try to reorder a list on a board with multiple lists, by dragging a list from one side of the board to the other, I hit this rule, 911100, I think because of the PUT:

{
  "transaction": {
    "client_ip": "xxx.xxx.xxx.xxx",
    "time_stamp": "Sat Jul 13 09:45:30 2024",
    "server_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_port": 29992,
    "host_ip": "xx.xx.x.xxx",
    "host_port": 443,
    "unique_id": "xxxxxxxxxxxxxxxxxxx",
    "request": {
      "method": "PUT",
      "http_version": 2.0,
      "uri": "/apps/deck/stacks/78/reorder",
      "body": "{\"order\":0}",
      "headers": {
        "origin": "https://nextcloud.example.com",
        "dnt": "1",
        "requesttoken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "x-requested-with": "XMLHttpRequest, XMLHttpRequest",
        "content-type": "application/json",
        "accept-encoding": "gzip, deflate, br, zstd",
        "cookie": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; xxxxxxxxxxxx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; xxxxxxxxxxx=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "content-length": "11",
        "accept-language": "en-US,en;q=0.5",
        "te": "trailers",
        "accept": "application/json, text/plain, */*",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0",
        "sec-fetch-site": "same-origin",
        "host": "nextcloud.example.com",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {
        "Server": "",
        "Date": "Sat, 13 Jul 2024 07:45:30 GMT",
        "Content-Length": "146",
        "Content-Type": "text/html",
        "Connection": "close",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
      }
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.4.0\""
      ]
    },
    "messages": [
      {
        "message": "Method is not allowed by policy",
        "details": {
          "match": "Matched \"Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PUT')",
          "reference": "v0,3",
          "ruleId": "911100",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
          "lineNumber": "28",
          "data": "PUT",
          "severity": "2",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-multi",
            "platform-multi",
            "attack-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "capec/1000/210/272/220/274",
            "PCI/12.1"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}

Maybe solution

I think fixing it might look something like this, but I'm not great at modsecurity rule exclusion stuff:

    # allow reorder deck lists
    SecRule REQUEST_URI "@rx ^/apps/deck/stacks/[0-9]+/reorder$" \
        "id:9000000,\
        phase:1,\
        pass,\
        t:none,\
        nolog,\
        setvar:'tx.allowed_methods=GET HEAD POST PUT'"

Env

CRS version: 4.4.0 ModSecurity version: ModSecurity v3.0.12 (Linux) type of web server: ingress-nginx controller via k8s

Thanks for any help you can provide!

EsadCetiner commented 2 months ago

@jessebot Thanks for the report, I can confirm the false positive

I think that rule you wrote is good, however you could do a bit better in terms of maintainability. The way your allowing the PUT request method will need to be kept in sync with any changes CRS may make in the future, or if you ever decide to edit the allowed request methods in crs-setup.conf. If you look at how additional request methods are allowed within the plugin, the %{tx.allowed_methods} is specified (which is the default allowed request methods or whatever you configured in crs-setup.conf) along with the additional request method you want to allow.

I've opened a PR to fix this within the plugin #85

jessebot commented 2 months ago

Awesome, thank you for the tips and for submitting the PR 🙏 Maybe next one I can try to submit it myself :)

EsadCetiner commented 2 months ago

@jessebot Sounds great! Contributions are always welcome.