Showing
5 changed files
with
169 additions
and
49 deletions.
@@ -1,13 +1,23 @@ | ||
--- | ||
testoverride: | ||
ignore: | ||
920100-4: 'Invalid uri, Coraza not reached - 404 page not found' | ||
920100-5: 'Invalid uri, Coraza not reached - 404 page not found' | ||
920100-8: 'Go/http allows a colon in the path. Test expects status 400 or 403 (Apache behaviour)' | ||
920270-4: 'Rule works, log contains 920270. Test expects status 400 (Apache behaviour)' | ||
920272-5: 'Rule works, log contains 920272. Test expects status 400 (Apache behaviour)' | ||
920290-1: 'Rule works, log contains 920290. Test expects status 400 (Apache behaviour)' | ||
920290-4: 'Go/http returns 400 Bad Request: missing required Host header' | ||
920430-8: 'Go/http does not allow HTTP/3.0 - 505 HTTP Version Not Supported' | ||
932200-13: 'wip' | ||
930110-7: 'CRS issue: https://github.com/coreruleset/coreruleset/issues/3736' | ||
|
||
# TODO: investigate | ||
932200-13: 'Failing only in multiphase evalution' | ||
932300-10: 'Failing only in multiphase evalution' | ||
933120-2: 'Failing only in multiphase evalution' | ||
920274-1: '' | ||
920280-3: '' | ||
920430-3: '' | ||
920430-5: '' | ||
920430-9: '' | ||
920610-2: '' | ||
920620-1: '' | ||
|
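Review bot: Seven of the new entries under `# TODO: investigate` (`920274-1` through `920620-1`) carry an empty `''` reason, so the override records that the test is skipped but not what was observed, unlike every other entry in this file which states the symptom. A short note of the observed failure (status mismatch, missing log line, or similar) on each would keep the block self-explaining. The three entries that do give a reason spell it `evalution`; `evaluation` is meant, e.g. `932200-13: 'Failing only in multiphase evaluation'`. The rendered view loses the old/new column, so whether the original `932200-13: 'wip'` line was removed cannot be confirmed from this page; it should not survive alongside the new key, since YAML duplicate keys are undefined.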
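--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,124 @@
+// Copyright 2024 Juan Pablo Tosso and the OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+// These benchmarks don't currently compile with TinyGo
+//go:build !tinygo
+// +build !tinygo
+
+// Note: The following code has been extracted from https://github.com/coreruleset/albedo/blob/main/server/server.go
+// TODO: Make it possible to import albedo.
+package coreruleset
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+type reflectionSpec struct {
+	Status      int               `json:"status"`
+	Headers     map[string]string `json:"headers"`
+	Body        string            `json:"body"`
+	EncodedBody string            `json:"encodedBody"`
+	LogMessage  string            `json:"logMessage"`
+}
+
+func handleReflect(t testing.TB, w http.ResponseWriter, r *http.Request) {
+	log.Println("Received reflection request")
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_, err = w.Write([]byte("Failed to parse request body"))
+		if err != nil {
+			log.Printf("Failed to write response body: %s", err.Error())
+		}
+		log.Println("Failed to parse request body")
+		return
+	}
+	spec := &reflectionSpec{}
+	if err = json.Unmarshal(body, spec); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_, err = w.Write([]byte("Invalid JSON in request body"))
+		if err != nil {
+			log.Printf("Failed to write response body: %s", err.Error())
+		}
+		log.Println("Invalid JSON in request body")
+		return
+	}
+
+	if spec.LogMessage != "" {
+		log.Println(spec.LogMessage)
+	}
+
+	for name, value := range spec.Headers {
+		log.Printf("Reflecting header '%s':'%s'", name, value)
+		w.Header().Add(name, value)
+	}
+
+	if spec.Status > 0 && spec.Status < 100 || spec.Status >= 600 {
+		w.WriteHeader(http.StatusBadRequest)
+		_, err = w.Write([]byte(fmt.Sprintf("Invalid status code: %d", spec.Status)))
+		if err != nil {
+			log.Printf("Failed to write response body: %s", err.Error())
+		}
+		log.Printf("Invalid status code: %d", spec.Status)
+		return
+	}
+	status := spec.Status
+	if status == 0 {
+		status = http.StatusOK
+	}
+	log.Printf("Reflecting status '%d'", status)
+	w.WriteHeader(status)
+
+	responseBody, err := decodeBody(t, spec)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		_, err = w.Write([]byte(err.Error()))
+		if err != nil {
+			log.Printf("Failed to write response body: %s", err.Error())
+		}
+		log.Println(err.Error())
+		return
+	}
+
+	if responseBody == "" {
+		return
+	}
+
+	responseBodyBytes := []byte(responseBody)
+	if len(responseBody) > 200 {
+		responseBody = responseBody[:min(len(responseBody), 200)] + "..."
+	}
+	log.Printf("Reflecting body '%s'", responseBody)
+	_, err = w.Write(responseBodyBytes)
+	if err != nil {
+		log.Printf("Failed to write response body: %s", err.Error())
+	}
+}
+
+func decodeBody(t testing.TB, spec *reflectionSpec) (string, error) {
+	t.Helper()
+	if spec.Body != "" {
+		return spec.Body, nil
+	}
+
+	if spec.EncodedBody == "" {
+		return "", nil
+	}
+
+	decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(spec.EncodedBody))
+	bodyBytes, err := io.ReadAll(decoder)
+	if err != nil {
+		return "", errors.New("invalid base64 encoding of response body")
+
+	}
+	return string(bodyBytes), nil
+}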
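Review bot: A negative `spec.Status` passes the range check on the `if spec.Status > 0 && spec.Status < 100 || spec.Status >= 600` line (it is neither in 1–99 nor >= 600) and reaches `w.WriteHeader(status)`, and net/http panics on a WriteHeader code below 100; the guard should read `if spec.Status < 0 || (spec.Status > 0 && spec.Status < 100) || spec.Status >= 600 {`. Further down, `w.WriteHeader(status)` runs before `decodeBody` is called, so the `w.WriteHeader(http.StatusBadRequest)` in the decode-error branch is a second call that net/http ignores with a "superfluous WriteHeader" log line, and the client receives the reflected status with the error text as its body; decoding before the status is committed, as sketched below, fixes that. The `'%s'` log lines echo request-supplied header names, values and body verbatim; `%q` would make embedded newlines visible instead of letting them start a new log record. The `min(len(responseBody), 200)` inside `if len(responseBody) > 200` is always 200 and can be written as `responseBody[:200]`.
```go
	status := spec.Status
	if status == 0 {
		status = http.StatusOK
	}
	// Decode before committing the status: net/http ignores a second WriteHeader.
	responseBody, err := decodeBody(t, spec)
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		// … unchanged: error body write and log …
		return
	}
	log.Printf("Reflecting status '%d'", status)
	w.WriteHeader(status)
	// … unchanged: empty-body return and body reflection …
```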