revert WAF and deploy item list block MVP

composer.json

@@ -54,7 +54,7 @@
         "ministryofjustice/ppo": "dev-main",
         "ministryofjustice/sifocc": "dev-main",
         "ministryofjustice/wp-gov-uk-notify": "*",
-        "ministryofjustice/wp-moj-blocks": "dev-latest-tax",
+        "ministryofjustice/wp-moj-blocks": "dev-item-list-block-new",
         "ministryofjustice/wp-s3-uploads": "dev-main",
         "oscarotero/env": "^1.0",
         "php": ">=7.4",

helm_deploy/wordpress/templates/ingress.yaml

@@ -8,22 +8,81 @@ metadata:
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |
-      # Default WAF rules
+      # Apply specific WAF rules
       SecRuleEngine On
       SecDefaultAction 
         "phase:2,\
         pass,\
         log,\
         tag:github_team=hale-platform,\
         tag:environment=hale-platform-{{ .Values.configmap.envtype }}"
-      # Set WAF Config for Authenticated Users
-      SecRule REQUEST_HEADERS:Cookie "@contains WAF_CONFIG={{ .Values.secrets.wafconfig }}"
+      # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
+      SecRule REQUEST_URI "@contains /wp-admin/" \
         "id:1001,\
         phase:2,\
-        allow,\
-        tag:github_team=hale-platform,\
-        tag:environment=hale-platform-{{ .Values.configmap.envtype }}-auth,\
-        ctl:ruleEngine=DetectionOnly"
+        pass,\
+        nolog,\
+         ctl:ruleRemoveById=932110,\
+         ctl:ruleRemoveById=932130,\
+         ctl:ruleRemoveById=941180
+      # Limit ModSecurity excemptions to only the options page - these rules were breaking the hale components plugin
+      SecRule REQUEST_URI "@contains /wp-admin/options.php" \
+        "id:1002,\
+        phase:2,\
+        pass,\
+        nolog,\
+         ctl:ruleRemoveById=921130,\
+         ctl:ruleRemoveById=941100,\
+         ctl:ruleRemoveById=941140,\
+         ctl:ruleRemoveById=941160
+      # Limit ModSecurity excemptions to only the WP API
+      SecRule REQUEST_URI "@contains /wp-json/" \
+        "id:1003,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=932100,\
+        ctl:ruleRemoveById=932105,\
+        ctl:ruleRemoveById=932110,\
+        ctl:ruleRemoveById=932130,\
+        ctl:ruleRemoveById=933210,\
+        ctl:ruleRemoveById=933160,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941110,\
+        ctl:ruleRemoveById=941130,\
+        ctl:ruleRemoveById=941140,\
+        ctl:ruleRemoveById=941160,\
+        ctl:ruleRemoveById=941180,\
+        ctl:ruleRemoveById=941300,\
+        ctl:ruleRemoveById=941310,\
+        ctl:ruleRemoveById=942230,\
+        ctl:ruleRemoveById=942320"  
+      # Limit ModSecurity excemptions to the wp-admin/post.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/post.php" \
+        "id:1004,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941160"
+      # Limit ModSecurity excemptions to the wp-admin/nav-menus.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/nav-menus.php" \
+        "id:1005,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110"
+      # Limit ModSecurity excemptions to the wp-admin/admin-ajax.php endpoint
+      SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
+        "id:1006,\
+        phase:2,\
+        pass,\
+        nolog,\
+        ctl:ruleRemoveById=921110,\
+        ctl:ruleRemoveById=941100,\
+        ctl:ruleRemoveById=941160"
     {{- if eq .Values.configmap.envtype "staging" }}
       SecRule REMOTE_ADDR "@ipMatch 80.195.27.199/32" "phase:2,id:200000001,nolog,allow"
     {{- end }}