updates CRS to v4.5, uses albedo as backend, updates failing tests

corazawaf · Aug 3, 2024 · 926323c · 926323c
1 parent c56c66c
commit 926323c
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 67 deletions.
diff --git a/ftw/Caddyfile b/ftw/Caddyfile
@@ -50,5 +50,5 @@
 		Include @owasp_crs/*.conf
 		`
 	}
-	reverse_proxy httpbin:8081
+	reverse_proxy backend:8081
 }
diff --git a/ftw/Dockerfile.ftw b/ftw/Dockerfile.ftw
@@ -8,14 +8,13 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # TODOs: 
-# - update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.3.0.tar.gz
-# - keep it aligned with the https://github.com/corazawaf/coraza-coreruleset commit used
-ADD https://github.com/coreruleset/coreruleset/tarball/386f8db6e5f21ed8f0dc9fe8d15d4f59dd213d7a /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 386f8db6e5f21ed8f0dc9fe8d15d4f59dd213d7a --strip-components 1
+# - update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz
+# - keep it aligned with the github.com/corazawaf/coraza-coreruleset/v4 dependency version used
+ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz /workspace/coreruleset/
+RUN cd coreruleset && tar -xf v4.5.0.tar.gz --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh
 
 ENTRYPOINT ["sh"]
 CMD ["-c", "/workspace/tests.sh"]
-
diff --git a/ftw/docker-compose.yml b/ftw/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
-  httpbin:
-    image: mccutchen/go-httpbin:v2.14.0
-    command: [ "/bin/go-httpbin", "-port", "8081" ]
+  backend:
+    image: ghcr.io/coreruleset/albedo:0.0.15
+    command: ["--port", "8081"]
     ports:
       - 8081:8081
 
@@ -17,7 +17,7 @@ services:
   caddy:
     depends_on:
       - chown
-      - httpbin
+      - backend
     build:
       context: ..
       dockerfile: ./ftw/Dockerfile.caddy

diff --git a/ftw/ftw.yml b/ftw/ftw.yml
@@ -10,24 +10,12 @@ testoverride:
     920100-4: 'Invalid uri, Coraza not reached - 404 page not found'
     920100-5: 'Invalid uri, Coraza not reached - 404 page not found'
     920100-8: 'Go/http allows a colon in the path. Test expects status 400 or 403 (Apache behaviour)'
-    920170-3: 'HEAD request with data. Go/http does not allow it - 400 Bad Request'
     920270-4: 'Rule works, log contains 920270. Test expects status 400 (Apache behaviour)'
-    920272-5: 'Rule works, log contains 920272. Test expects status 400 (Apache behaviour)'
     920290-1: 'Rule works, log contains 920290. Test expects status 400 (Apache behaviour)'
-    920420-8: 'HEAD request with data. Go/http does not allow it - 400 Bad Request'
     920430-5: 'Test has expect_error, Go/http and Envoy return 400'
     920430-8: 'Go/http does no allow HTTP/3.0 - 505 HTTP Version Not Supported'
 
     # TODO investigate failing tests:
-    913100-3: ''
-    913100-6: ''
-    913101-1: ''
-    913102-1: ''
-    913110-1: ''
-    913110-2: ''
-    913120-1: ''
-    913120-2: ''
-    913120-3: ''
     920100-10: ''
     920100-14: ''
     920100-16: ''
@@ -42,15 +30,14 @@ testoverride:
     920200-6: ''
     920200-8: ''
     920201-1: ''
+    920201-2: ''
     920202-1: ''
+    920202-2: ''
     920210-2: ''
     920210-3: ''
     920210-4: ''
     920210-6: ''
     920210-7: ''
-    920220-1: ''
-    920220-4: ''
-    920220-5: ''
     920230-1: ''
     920240-1: ''
     920240-5: ''
@@ -61,7 +48,10 @@ testoverride:
     920250-4: ''
     920260-1: ''
     920260-3: ''
+    920274-1: ''
     920280-1: ''
+    920280-3: ''
+    920290-4: 'investigate, test related to empty host header'
     920300-1: ''
     920310-1: ''
     920310-4: ''
@@ -75,47 +65,14 @@ testoverride:
     920350-4: ''
     920350-5: ''
     920350-6: ''
-    920450-7: ''
-    932115-1: ''
-    932115-2: ''
-    932115-3: ''
-    932115-4: ''
-    932115-7: ''
-    932115-8: ''
-    932115-10: ''
-    932200-13: ''
-    942110-1: ''
-    942110-2: ''
+    920430-3: 'investigate, expect_error: true'
+    920430-9: ''
+    920610-2: ''
+    920620-1: ''
+    930110-7: ''
     942420-1: ''
     942421-1: ''
     942430-1: ''
     942431-1: ''
     942432-1: ''
     942460-1: ''
-    951110-1: ''
-    951120-1: ''
-    951130-1: ''
-    951140-1: ''
-    951150-1: ''
-    951160-1: ''
-    951170-1: ''
-    951180-1: ''
-    951190-1: ''
-    951200-1: ''
-    951210-1: ''
-    951220-1: ''
-    951230-1: ''
-    951240-1: ''
-    951250-1: ''
-    951260-1: ''
-    953120-1: ''
-    953120-3: ''
-    953120-5: ''
-    953120-7: ''
-    954120-1: ''
-    954120-2: ''
-    959100-1: ''
-    959100-3: ''
-    980170-1: ''
-    980170-2: ''
-    980170-3: ''
diff --git a/ftw/tests.sh b/ftw/tests.sh
@@ -22,12 +22,13 @@ while [[ "$status_code" -eq "000" ]]; do
   let "max_retries--"
   if [[ "$max_retries" -eq 0 ]]; then
     echo "[Fail] Timeout waiting for response from $health_url, make sure the server is running."
-    echo "Caddy Logs:" && cat /home/envoy/logs/envoy.log
+    echo "Caddy Logs:" && cat /home/caddy/logs/caddy.log
     exit 1
   fi
 done
 if [[ "${status_code}" -ne "200" ]]; then
   echo "[Fail] Unexpected response with code ${status_code} from ${health_url}, expected 200."
+  echo "Caddy Logs:" && cat /home/caddy/logs/caddy.log
   exit 1
 fi
 echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."

diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.21.12
 
 require (
 	github.com/caddyserver/caddy/v2 v2.8.4
-	github.com/corazawaf/coraza-coreruleset/v4 v4.3.0
+	github.com/corazawaf/coraza-coreruleset/v4 v4.5.0
 	github.com/corazawaf/coraza/v3 v3.2.1
 	github.com/jcchavezs/mergefs v0.0.0-20230503083351-07f27d256761
 	github.com/magefile/mage v1.15.0

diff --git a/go.sum b/go.sum
@@ -97,8 +97,8 @@ github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/corazawaf/coraza-coreruleset/v4 v4.3.0 h1:izzVRUxfvVf1OXhRQXpFm1jj3g/cIlLu9SiNzXOW7XU=
-github.com/corazawaf/coraza-coreruleset/v4 v4.3.0/go.mod h1:RQMGurig+irQq7v21yq7rM/9SAEf1bT6hCSplJ0ByKY=
+github.com/corazawaf/coraza-coreruleset/v4 v4.5.0 h1:4BDr9/yWKSJ7Ch3h7SvSqJBASju73+EqIIF0WxjsFgQ=
+github.com/corazawaf/coraza-coreruleset/v4 v4.5.0/go.mod h1:1FQt1p+JSQ6tYrafMqZrEEdDmhq6aVuIJdnk+bM9hMY=
 github.com/corazawaf/coraza/v3 v3.2.1 h1:zBIji4ut9FtFe8lXdqFwXMAkUoDJZ7HsOlEUYWERLI8=
 github.com/corazawaf/coraza/v3 v3.2.1/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg=
 github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=