From 6078a190a21c8ecb1b4ad10bfb0d061651f25368 Mon Sep 17 00:00:00 2001
From: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Date: Tue, 4 Jun 2024 23:42:15 +1000
Subject: [PATCH] refactor: remove character whitelisting (#7)
---
 plugins/iredadmin-rule-exclusions-before.conf | 38 ++---------
 .../9521100.yaml | 68 +++++++++++++++++++
 .../9521101.yaml | 41 -----------
 .../9521102.yaml | 41 -----------
 4 files changed, 74 insertions(+), 114 deletions(-)
 delete mode 100644 tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml
 delete mode 100644 tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml
diff --git a/plugins/iredadmin-rule-exclusions-before.conf b/plugins/iredadmin-rule-exclusions-before.conf
index b0a7751..280982f 100644
--- a/plugins/iredadmin-rule-exclusions-before.conf
+++ b/plugins/iredadmin-rule-exclusions-before.conf
@@ -17,52 +17,26 @@ SecRule TX:iredadmin-rule-exclusions-plugin "@eq 0" "id:9521010,phase:1,pass,nolog,ctl:ruleRemoveById=9521100-9521999" # -# [ Cookies ] +# [ General rule exclusions ] # # Fix iRedAdmin session cookie false positive -# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie -# for the domain it was issued on -SecRule REQUEST_COOKIES:iRedAdmin-MYSQL "@rx ^[a-z0-9]+$" \ +# This rule exclusions is always applied unconditionally since clients will always send this cookie +# for the domain it was issued on, regardless of the URL path. +SecRule REQUEST_FILENAME "@unconditionalMatch" \ "id:9521100,\ phase:1,\ pass,\ t:none,\ nolog,\ + ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-LDAP,\ + ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-LDAP,\ ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-MYSQL,\ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-MYSQL,\ - ver:'iredadmin-rule-exclusions-plugin/1.0.1'" - -# Fix iRedAdmin session cookie false positive -# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie -# for the domain it was issued on -SecRule REQUEST_COOKIES:iRedAdmin-PGSQL "@rx ^[a-z0-9]+$" \ - "id:9521101,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-PGSQL,\ ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-PGSQL,\ ver:'iredadmin-rule-exclusions-plugin/1.0.1'" -# Fix iRedAdmin session cookie false positive -# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie -# for the domain it was issued on -SecRule REQUEST_COOKIES:iRedAdmin-LDAP "@rx ^[a-z0-9]+$" \ - "id:9521102,\ - phase:1,\ - pass,\ - t:none,\ - nolog,\ - ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-LDAP,\ - ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-LDAP,\ - 
ver:'iredadmin-rule-exclusions-plugin/1.0.1'" - -# -# [ General rule exclusions ] -# - # iRedAdmin displays domain names inside the request uri, domains most commonly end in .com which triggers 920440. SecRule REQUEST_FILENAME "@rx ^/iredadmin/.+\.(?:com|inc)$" \ "id:9521110,\ diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml index b2ec794..e7bb0dc 100644 --- a/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml +++ b/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml 
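Review bot: Rule 9521100 now removes 932236 and 942450 from the three iRedAdmin-* cookies on every request, whatever the cookie contains, and the comment above it does not say so. The removed `@rx ^[a-z0-9]+$` guard limited the exclusion to values shaped like a session id; without it the exclusion is keyed on the cookie name alone, which any client can choose. I would record that trade-off in the comment, e.g. `# The cookie value is not validated here; 932236 and 942450 never inspect these three cookies.` Since the rule has no condition left, `SecAction \` would also read more plainly than `SecRule REQUEST_FILENAME "@unconditionalMatch" \`. The trailing context lines belong to rule 9521110, whose body continues outside the hunk.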
@@ -39,3 +39,71 @@ tests:
 version: HTTP/1.1
 output:
 no_log_contains: id "932236"
+ - test_title: 9521100-3
+ desc: Disable 942450 for iRedAdmin-PGSQL cookie
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: iRedAdmin rule exclusions plugin
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ cookie: iRedAdmin-PGSQL=0x86dd
+ port: 80
+ method: POST
+ uri: /post
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942450"
+ - test_title: 9521100-4
+ desc: Disable 932236 for iRedAdmin-PGSQL cookie
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: iRedAdmin rule exclusions plugin
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ cookie: iRedAdmin-PGSQL=ls
+ port: 80
+ method: POST
+ uri: /post
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "932236"
+ - test_title: 9521100-5
+ desc: Disable 942450 for iRedAdmin-LDAP cookie
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: iRedAdmin rule exclusions plugin
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ cookie: iRedAdmin-LDAP=0x86dd
+ port: 80
+ method: POST
+ uri: /post
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "942450"
+ - test_title: 9521100-6
+ desc: Disable 932236 for iRedAdmin-LDAP cookie
+ stages:
+ - stage:
+ input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: iRedAdmin rule exclusions plugin
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ cookie: iRedAdmin-LDAP=ls
+ port: 80
+ method: POST
+ uri: /post
+ version: HTTP/1.1
+ output:
+ no_log_contains: id "932236"
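Review bot: The four added cases reuse the cookie values `0x86dd` and `ls`, which also satisfied the removed `^[a-z0-9]+$` guard, so they would pass against the old rules and do not pin the behaviour this commit introduces. I would add one case whose value carries a character outside `[a-z0-9]` next to the hex literal, for example the constructed value `cookie: iRedAdmin-LDAP=0x86dd.A` with `no_log_contains: id "942450"`, so that a later reintroduction of a value check is caught. A companion case asserting with `log_contains` that a rule outside the exclusion list still fires on these cookies would keep the exclusion from widening unnoticed; which rule id fits depends on the rule set under test.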
diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml
deleted file mode 100644
index 99afd48..0000000
--- a/tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-meta:
- author: "Esad Cetiner"
- description: "iRedAdmin Rule Exclusions Plugin"
- enabled: true
- name: 9521101.yaml
-tests:
- - test_title: 9521101-1
- desc: Disable 942450 for iRedAdmin-PGSQL cookie
- stages:
- - stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- User-Agent: iRedAdmin rule exclusions plugin
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- cookie: iRedAdmin-PGSQL=0x86dd
- port: 80
- method: POST
- uri: /post
- version: HTTP/1.1
- output:
- no_log_contains: id "942450"
- - test_title: 9521101-2
- desc: Disable 932236 for iRedAdmin-PGSQL cookie
- stages:
- - stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- User-Agent: iRedAdmin rule exclusions plugin
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- cookie: iRedAdmin-PGSQL=ls
- port: 80
- method: POST
- uri: /post
- version: HTTP/1.1
- output:
- no_log_contains: id "932236"
diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml
deleted file mode 100644
index 5dbc90a..0000000
--- a/tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-meta:
- author: "Esad Cetiner"
- description: "iRedAdmin Rule Exclusions Plugin"
- enabled: true
- name: 9521102.yaml
-tests:
- - test_title: 9521102-1
- desc: Disable 942450 for iRedAdmin-LDAP cookie
- stages:
- - stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- User-Agent: iRedAdmin rule exclusions plugin
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- cookie: iRedAdmin-LDAP=0x86dd
- port: 80
- method: POST
- uri: /post
- version: HTTP/1.1
- output:
- no_log_contains: id "942450"
- - test_title: 9521102-2
- desc: Disable 932236 for iRedAdmin-LDAP cookie
- stages:
- - stage:
- input:
- dest_addr: 127.0.0.1
- headers:
- Host: localhost
- User-Agent: iRedAdmin rule exclusions plugin
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
- cookie: iRedAdmin-LDAP=ls
- port: 80
- method: POST
- uri: /post
- version: HTTP/1.1
- output:
- no_log_contains: id "932236"