coreruleset / nextcloud-rule-exclusions-plugin

Rule exclusion plugin for Nextcloud
Apache License 2.0

Editing an existing Nextcloud Cookbook app recipe triggers 911100 rule false positive #88

Closed jessebot closed 1 month ago

jessebot commented 1 month ago

Here's the ModSecurity transaction log:

{
  "transaction": {
    "client_ip": "192.168.1.1",
    "time_stamp": "Sun Jul 21 17:59:16 2024",
    "server_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_port": 11306,
    "host_ip": "xxx.xxx.xxx.xxx",
    "host_port": 443,
    "unique_id": "xxxxxxxxxxxx.xxxxxx",
    "request": {
      "method": "PUT",
      "http_version": 2.0,
      "uri": "/apps/cookbook/webapp/recipes/108316",
      "body": "{\"id\":\"108316\",\"name\":\"white cashew sauce for gnochi?\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":null,\"cookTime\":null,\"totalTime\":null,\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":1,\"tool\":[],\"recipeIngredient\":[\"200 g cashews\",\"1 enough boiling water to completely cover the cashews\",\"1 bay leaf\"],\"recipeInstructions\":[\"Soak the cashews in boiling water for an hour\"],\"nutrition\":{\"@type\":\"NutritionInformation\"},\"valueInit\":{\"id\":\"108316\",\"name\":\"white cashew sauce for gnochi?\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":null,\"cookTime\":null,\"totalTime\":null,\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":1,\"tool\":[],\"recipeIngredient\":[\"200 gcashews\",\"1 enough boiling water to completely cover the cashews\"],\"recipeInstructions\":[\"Soak the cashews in boiling water for an hour\"],\"nutrition\":{\"@type\":\"NutritionInformation\"},\"valueInit\":{\"id\":0,\"name\":\"\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":\"\",\"cookTime\":\"\",\"totalTime\":\"\",\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":\"\",\"tool\":[],\"recipeIngredient\":[],\"recipeInstructions\":[],\"nutrition\":[]},\"@context\":\"http://schema.org\",\"@type\":\"Recipe\",\"dateCreated\":\"2024-07-21T14:25:24+00:00\",\"dateModified\":\"2024-07-21T14:25:24+00:00\",\"datePublished\":null,\"printImage\":true,\"imageUrl\":\"/apps/cookbook/webapp/recipes/108316/image?size=full\"},\"@context\":\"http://schema.org\",\"@type\":\"Recipe\",\"dateCreated\":\"2024-07-21T14:25:24+00:00\",\"dateModified\":\"2024-07-21T14:25:24+00:00\",\"datePublished\":null,\"printImage\":true,\"imageUrl\":\"/apps/cookbook/webapp/recipes/108316/image?size=full\"}",
      "headers": {
        "origin": "https://cloud.example.com",
        "dnt": "1",
        "requesttoken": "U+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
        "x-requested-with": "XMLHttpRequest, XMLHttpRequest",
        "content-type": "application/json",
        "accept-encoding": "gzip, deflate, br",
        "cookie": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; ocrkhwrly2jb=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "content-length": "1557",
        "accept-language": "en-US,en;q=0.5",
        "te": "trailers",
        "accept": "application/json, text/plain, */*",
        "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "sec-fetch-site": "same-origin",
        "host": "cloud.example.com",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {
        "Server": "",
        "Date": "Sun, 21 Jul 2024 15:59:16 GMT",
        "Content-Length": "146",
        "Content-Type": "text/html",
        "Connection": "close",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
      }
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.4.0\""
      ]
    },
    "messages": [
      {
        "message": "Method is not allowed by policy",
        "details": {
          "match": "Matched \"Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PUT' )",
          "reference": "v0,3",
          "ruleId": "911100",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
          "lineNumber": "28",
          "data": "PUT",
          "severity": "2",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-multi",
            "platform-multi",
            "attack-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "capec/1000/210/272/220/274",
            "PCI/12.1"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}

If it's helpful, I'm running Nextcloud version 29.0.3 and Cookbook version 0.11.1. Thank you for all your help! 🙏

EsadCetiner commented 1 month ago

@jessebot Thanks for the report, but right now the plugin doesn't support Nextcloud cookbook. I'll have to do some testing before support can be added. Although I can give you this rule exclusion just to get you going for now:

# Editing a recipe in Nextcloud Cookbook
SecRule REQUEST_FILENAME "@rx /apps/cookbook/webapp/recipes/[0-9]+$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
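
The following is an added example for this thread, not code from the plugin or from the comment author. It reads ModSecurity v3 JSON audit-log records (the same format as the transaction log above), counts which rules fired per method and path so the false positive can be scoped, and then replays the logged requests against a model of rule 911100 with the posted exclusion applied, so you can confirm that PUT is only unblocked on `/apps/cookbook/webapp/recipes/<id>` and nowhere else. The two log records are constructed and abbreviated to the fields the script uses; the default allowed-method list and the path regex are taken from the log and the exclusion above.

```python
"""Triage ModSecurity v3 JSON audit-log records and replay them against a
model of CRS rule 911100 with the posted Cookbook exclusion applied.
Added example; not the plugin's code. Log records below are constructed."""
import json
import re
from collections import Counter

# Constructed audit-log records (one JSON object per line, abbreviated):
# the PUT from the report above and a GET to the recipe image endpoint.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"transaction": {
        "request": {"method": "PUT",
                    "uri": "/apps/cookbook/webapp/recipes/108316"},
        "response": {"http_code": 403},
        "messages": [
            {"message": "Method is not allowed by policy",
             "details": {"ruleId": "911100", "data": "PUT"}},
            {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
             "details": {"ruleId": "949110", "data": ""}},
        ]}},
    {"transaction": {
        "request": {"method": "GET",
                    "uri": "/apps/cookbook/webapp/recipes/108316/image?size=full"},
        "response": {"http_code": 200},
        "messages": []}},
])

# tx.allowed_methods as logged by 911100 above, and the path regex from the
# posted exclusion. ModSecurity's @rx is an unanchored search, so re.search.
DEFAULT_ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})
COOKBOOK_RECIPE_RE = re.compile(r"/apps/cookbook/webapp/recipes/[0-9]+$")


def request_filename(uri):
    """Model REQUEST_FILENAME: the request path without the query string."""
    return uri.split("?", 1)[0]


def parse_audit_log(text):
    """Parse a newline-delimited ModSecurity v3 JSON audit log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triggered_rules(records):
    """Count (ruleId, method, path) for every rule hit that names a cause.
    The 949xxx evaluation and 980xxx correlation rules only report the
    anomaly-score verdict, so they are skipped."""
    counts = Counter()
    for rec in records:
        tx = rec["transaction"]
        method = tx["request"]["method"]
        path = request_filename(tx["request"]["uri"])
        for msg in tx.get("messages", []):
            rule_id = msg["details"]["ruleId"]
            if rule_id.startswith(("949", "980")):
                continue
            counts[(rule_id, method, path)] += 1
    return counts


def allowed_methods_for(path):
    """Model the posted exclusion: PUT is appended to tx.allowed_methods only
    when REQUEST_FILENAME matches the recipe-path regex."""
    allowed = set(DEFAULT_ALLOWED_METHODS)
    if COOKBOOK_RECIPE_RE.search(path):
        allowed.add("PUT")
    return frozenset(allowed)


def method_enforcement_fires(method, uri):
    """Model 911100 (@within tx.allowed_methods) after the exclusion ran."""
    return method not in allowed_methods_for(request_filename(uri))


def would_still_block(records):
    """Replay logged 911100 hits: which would still fire with the exclusion?"""
    still = []
    for rec in records:
        tx = rec["transaction"]
        method, uri = tx["request"]["method"], tx["request"]["uri"]
        hit = any(m["details"]["ruleId"] == "911100"
                  for m in tx.get("messages", []))
        if hit and method_enforcement_fires(method, uri):
            still.append((method, uri))
    return still


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for (rule_id, method, path), n in triggered_rules(recs).most_common():
        print(f"{n:4d}  rule {rule_id}  {method} {path}")
    print("still blocked after exclusion:", would_still_block(recs))
```

Two points the replay makes visible: the `$` anchor means the image sub-path (`.../recipes/108316/image`) and any method other than PUT stay blocked, and because REQUEST_FILENAME excludes the query string, `?size=full` does not change the match. Since 911100 runs in phase 1, the exclusion has to be loaded before the CRS rules (the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file in a standard CRS layout); a `setvar` placed after the rule set has no effect on that transaction.
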

jessebot commented 1 month ago

That's totally fine and thanks so much as always for your help! Perhaps we could have a list of supported Nextcloud apps in the README.md?

EsadCetiner commented 1 month ago

@jessebot I agree, but right now nothing is set in stone. I'll have to see what makes sense to support and what doesn't; it'll be impossible to cover every single Nextcloud app out there with reasonable quality.

EsadCetiner commented 1 month ago

@jessebot I've finished testing cookbook for false positives, PR is available here: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/pull/91

Supported/unsupported Nextcloud Apps are now documented since #90 was merged