diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5ff506d4..4d4925d4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,9 +3,9 @@ repos:
 rev: v1.0.0-rc.1
 hooks:
 - id: go-fmt
- - id: go-vet
+ - id: go-vet-mod
 - id: go-imports
- - id: golangci-lint
+ - id: golangci-lint-mod
 - id: go-critic
 - id: go-test-mod
 - id: go-build-mod
diff --git a/runner/run_input_override_test.go b/runner/run_input_override_test.go
index 4a5316c6..07a87b60 100644
--- a/runner/run_input_override_test.go
+++ b/runner/run_input_override_test.go
@@ -322,6 +322,7 @@ func (s *inputOverrideTestSuite) TestApplyInputOverrideNoAutocompleteHeaders() {
 AutocompleteHeaders: func() *bool { b := false; return &b }(),
 }
 s.Nil(s.cfg.TestOverride.Overrides.AutocompleteHeaders)
+ //nolint:staticcheck
 s.Nil(s.cfg.TestOverride.Overrides.StopMagic)
 
 test.ApplyInputOverrides(&s.cfg.TestOverride.Overrides, &testInput)
@@ -333,6 +334,7 @@ func (s *inputOverrideTestSuite) TestApplyInputOverrideNoStopMagic() {
 StopMagic: func() *bool { b := true; return &b }(),
 }
 s.Nil(s.cfg.TestOverride.Overrides.AutocompleteHeaders)
+ //nolint:staticcheck
 s.Nil(s.cfg.TestOverride.Overrides.StopMagic)
 
 test.ApplyInputOverrides(&s.cfg.TestOverride.Overrides, &testInput)
diff --git a/test/files_test.go b/test/files_test.go
index 83d95c99..e24bf1ea 100644
--- a/test/files_test.go
+++ b/test/files_test.go
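Review bot: The `//nolint:staticcheck` directives added before `s.Nil(s.cfg.TestOverride.Overrides.StopMagic)` in both hunks carry no explanation, so a reader cannot tell which finding is being silenced (presumably the deprecation check on `StopMagic`) or why the deprecated field must still be asserted on; if golangci-lint's nolintlint is enabled for this repo, which is not visible here, an unexplained directive is itself reported. Put the directive on the statement it covers together with the reason, e.g. `s.Nil(s.cfg.TestOverride.Overrides.StopMagic) //nolint:staticcheck // StopMagic is deprecated but must keep being honoured until it is removed`. The enclosing test functions start and end outside these hunks.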
@@ -85,3 +85,22 @@ func (s *filesTestSuite) TestGetFromBadYAML() {
 s.Error(err, "reading yaml should fail")
 }
 
+
+// This test guards against performance regressions in goccy/yaml. It uses
+// an artificially large test file to force the YAML parser to run long
+// enough so that the performance difference becomse large enough to test.
+// The impacted versions of goccy (v1.9.2 - v1.11.3) will score well above
+// 0.01 nano seconds per operation.
+func (s *filesTestSuite) TestBenchmarkGetTestsFromFiles() {
+ result := testing.Benchmark(func(b *testing.B) {
+ _, err := GetTestsFromFiles("testdata/TestCheckBenchmarkCheckFiles.yaml")
+ if err != nil {
+ b.FailNow()
+ }
+ })
+ nsPerOp := float64(result.T.Nanoseconds()) / float64(result.N)
+ s.T().Logf("Nano seconds per operation: %f", nsPerOp)
+ if nsPerOp > 0.01 {
+ s.FailNow("Nano seconds per operation exceeded limit for benchmark: ", nsPerOp)
+ }
+}
diff --git a/test/testdata/TestCheckBenchmarkCheckFiles.yaml b/test/testdata/TestCheckBenchmarkCheckFiles.yaml
new file mode 100644
index 00000000..f4278e1f
--- /dev/null
+++ b/test/testdata/TestCheckBenchmarkCheckFiles.yaml
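Review bot: The closure handed to `testing.Benchmark` never loops over `b.N`, so `result.N` is not a count of parses performed: the harness keeps raising N (up to its 1e9 cap) while the closure parses the file once per call, and `result.T.Nanoseconds() / result.N` comes out as roughly the wall time of one parse divided by 1e9, which is why a "0.01 ns per op" threshold can be met at all — it is in effect a ~10 ms per-parse budget that holds only by accident of that cap. The error path is silent as well: `b.FailNow()` inside the closure makes `Benchmark` return a zero result, the division yields NaN, `NaN > 0.01` is false, and the test passes when the fixture cannot be parsed at all. Loop over `b.N`, surface the parse error through `s.Require().NoError`, and compare `result.NsPerOp()` against an explicit per-parse budget, with the header comment restated in those terms (and "becomse" corrected). Wall-clock limits stay sensitive to CI load, so keep the budget generous.
```go
func (s *filesTestSuite) TestBenchmarkGetTestsFromFiles() {
	// Generous per-parse budget: a healthy goccy/yaml parses the fixture far
	// below it, the regressed versions (v1.9.2 - v1.11.3) land well above it.
	const maxNsPerParse = 10 * 1000 * 1000 // 10 ms
	var parseErr error
	result := testing.Benchmark(func(b *testing.B) {
		for i := 0; i < b.N; i++ {
			if _, parseErr = GetTestsFromFiles("testdata/TestCheckBenchmarkCheckFiles.yaml"); parseErr != nil {
				b.FailNow()
			}
		}
	})
	s.Require().NoError(parseErr, "benchmark fixture must parse")
	s.Require().NotZero(result.N, "benchmark did not run")
	nsPerOp := result.NsPerOp()
	s.T().Logf("Nano seconds per parse: %d", nsPerOp)
	if nsPerOp > maxNsPerParse {
		s.FailNow("YAML parsing slower than budget, possible goccy/yaml regression: ", nsPerOp)
	}
}
```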
@@ -0,0 +1,1319 @@ +--- +meta: + author: "csanders-git, Franziska Bühler" + enabled: true + name: "920420.yaml" + description: "Description" +tests: + - test_title: 920420-1 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/x-www-form-urlencoded" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test=value" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-2 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-3 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-4 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "PROPFIND" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-5 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + 
Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-6 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-7 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: application/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test 
agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-8 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/json" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-10 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/soap+xml" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-11 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-12 + stages: + - stage: + input: + dest_addr: 
"127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "multipart/related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-13 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "Multipart/Related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-14 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: text/plain + data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz' + protocol: "http" + output: + log_contains: "id \"920420\"" + - test_title: 920420-15 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: text/plain + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-16 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/x-amf + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : 
\";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-17 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/octet-stream + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-1 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/x-www-form-urlencoded" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test=value" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-2 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-3 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-4 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "PROPFIND" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-5 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-6 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-7 + desc: Request content type is 
not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: application/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-8 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/json" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-10 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/soap+xml" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - 
test_title: 920420-11 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-12 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "multipart/related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-13 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "Multipart/Related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-14 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: text/plain + data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz' + protocol: "http" + output: + log_contains: "id \"920420\"" + - test_title: 920420-15 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: text/plain + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" 
+ output: + log_contains: "id \"920420\"" + - test_title: 920420-16 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/x-amf + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-17 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/octet-stream + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-1 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/x-www-form-urlencoded" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test=value" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-2 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-3 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" 
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-4 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "PROPFIND" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-5 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-6 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: 
HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-7 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: application/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-8 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/json" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id 
\"920420\"" + - test_title: 920420-10 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/soap+xml" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-11 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-12 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "multipart/related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-13 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "Multipart/Related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-14 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: text/plain + data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz' + protocol: "http" + output: + log_contains: "id \"920420\"" + - test_title: 
920420-15 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: text/plain + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-16 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/x-amf + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-17 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/octet-stream + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-1 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/x-www-form-urlencoded" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test=value" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-2 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "POST" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + 
Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-3 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "GET" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-4 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "PROPFIND" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-5 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-6 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + 
input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: multipart/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-7 + desc: Request content type is not allowed by policy (920420) from old modsec regressions + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Content-Type: application/foo; boundary=0000 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + method: POST + port: 80 + uri: / + version: HTTP/1.1 + data: | + --0000 + Content-Disposition: form-data; name="name" + + John Smith + --0000 + Content-Disposition: form-data; name="email" + + john.smith@example.com + --0000 + Content-Disposition: form-data; name="image"; filename="image.jpg" + Content-Type: image/jpeg + + BINARYDATA + --0000-- + output: + log_contains: id "920420" + - test_title: 920420-8 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "my-new-content-type" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: 
+ log_contains: "id \"920420\"" + - test_title: 920420-9 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/json" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-10 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application/soap+xml" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-11 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "OPTIONS" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "application" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + log_contains: "id \"920420\"" + - test_title: 920420-12 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "multipart/related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-13 + stages: + - stage: + input: + dest_addr: "127.0.0.1" + port: 80 + method: "HEAD" + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Content-Type: "Multipart/Related" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + data: "test" + output: + no_log_contains: "id \"920420\"" + - test_title: 920420-14 + stages: + - stage: + 
input: + dest_addr: "127.0.0.1" + method: "POST" + port: 80 + headers: + User-Agent: "OWASP CRS test agent" + Host: "localhost" + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Content-Type: text/plain + data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz' + protocol: "http" + output: + log_contains: "id \"920420\"" + - test_title: 920420-15 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: text/plain + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-16 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/x-amf + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\"" + - test_title: 920420-17 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Host: localhost + Proxy-Connection: keep-alive + User-Agent: "OWASP CRS test agent" + Content-Type: application/octet-stream + method: GET + port: 80 + uri: / + version: HTTP/1.0 + data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}" + output: + log_contains: "id \"920420\""
