

fix: differences between modsec v2 and v3 json variables (#2)
EsadCetiner authored Mar 5, 2024
1 parent 726e4d6 commit bee2d48
Showing 10 changed files with 116 additions and 207 deletions.
21 changes: 21 additions & 0 deletions plugins/sogo-rule-exclusions-before.conf
Expand Up @@ -60,6 +60,7 @@ SecRule REQUEST_FILENAME "@streq /SOGo/connect" \
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.password,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

Expand Down Expand Up @@ -91,10 +92,14 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Mail/[0-9]/folderDrafts/newDraft[0
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942131;ARGS:from,\
ctl:ruleRemoveTargetById=942131;ARGS:json.from,\
ctl:ruleRemoveTargetById=942131;ARGS:json.to.array_0,\
ctl:ruleRemoveTargetById=942131;ARGS:to.array_0,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.subject,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:text,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

#
Expand All @@ -110,6 +115,8 @@ SecRule REQUEST_FILENAME "@streq /SOGo/so/changePassword" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.oldPassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.newPassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:oldPassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newPassword,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

# When changing settings in SOGo
Expand All @@ -120,6 +127,9 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Preferences/save$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
ctl:ruleRemoveTargetById=920272;ARGS:defaults.SOGoTimeFormat,\
ctl:ruleRemoveTargetById=920272;ARGS:defaults.SOGoLongDateFormat,\
ctl:ruleRemoveTargetById=920272;ARGS:defaults.SOGoShortDateFormat,\
ctl:ruleRemoveTargetById=920272;ARGS:json.defaults.SOGoTimeFormat,\
ctl:ruleRemoveTargetById=920272;ARGS:json.defaults.SOGoLongDateFormat,\
ctl:ruleRemoveTargetById=920272;ARGS:json.defaults.SOGoShortDateFormat,\
Expand Down Expand Up @@ -147,15 +157,18 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Contacts/[^/]+/[^/]+\.vcf/saveAsCo
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.array_5.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.array_6.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.array_7.value,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.urls.value,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

# When modifying properties for Addressbook
# Enabling/disabling Microsoft ActiveSync
SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Contacts/[^/]+/save$" \
"id:9520121,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:cardDavURL,\
ctl:ruleRemoveTargetById=931130;ARGS:json.cardDavURL,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

Expand All @@ -171,6 +184,7 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/(?:saveA
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:attachUrls.attachUrls.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_1.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_2.value,\
Expand All @@ -189,6 +203,7 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/[^/]+\.ics/(?:saveA
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:attachUrls.attachUrls.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_0.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_1.value,\
ctl:ruleRemoveTargetById=931130;ARGS:json.attachUrls.array_2.value,\
Expand All @@ -213,6 +228,11 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/[^/]+/save$" \
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.webDavURL,\
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.calDavURL,\
ctl:ruleRemoveTargetById=931130;ARGS:json.urls.webCalendarURL,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.webDavICSURL,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.webDavXMLURL,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.webDavURL,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.calDavURL,\
ctl:ruleRemoveTargetById=931130;ARGS:urls.webCalendarURL,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

# When adding a remote web calendar
Expand All @@ -223,6 +243,7 @@ SecRule REQUEST_FILENAME "@rx ^/SOGo/so/[^/]+/Calendar/addWebCalendar$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:json.url,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ver:'sogo-rule-exclusions-plugin/1.0.0'"

#
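Review bot: The un-prefixed targets added in every hunk of this file (`ARGS:password`, `ARGS:from`, `ARGS:oldPassword`, `ARGS:urls.webDavURL`, `ARGS:url`, …) sit beside their `json.`-prefixed twins with nothing in the file saying why both spellings exist; only the commit title explains it, and a later editor could easily "deduplicate" one of them. A comment above the first pair in the `/SOGo/connect` rule, e.g. `# ModSecurity v2 exposes JSON body fields as ARGS:json.<key>, v3 as ARGS:<key>; both spellings are excluded so the plugin works on either engine`, would document the intent. The array naming is also inconsistent: `ARGS:to.array_0` keeps the indexed form, while the other array fields use `urls.urls.value` and `attachUrls.attachUrls.value`, so one of the two schemes is presumably not what the v3 parser produces for `to` — worth checking against a captured v3 audit log before relying on it. Every rule touched here starts and ends outside its hunk, so the surrounding `SecRule` headers are not visible in this view.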
5 changes: 4 additions & 1 deletion tests/regression/sogo-rule-exclusions-plugin/9520101.yaml
Expand Up @@ -15,8 +15,11 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json;charset=UTF-8
port: 80
method: POST
uri: /SOGo/connect?json.password=<script>
uri: /SOGo/connect
data: |
{ "userName": "[email protected]", "password": "<script>", "domain": null, "rememberLogin": 0 }
output:
no_log_contains: id "941110"
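Review bot: After the switch from a query-string probe to a JSON body, the stage still asserts only `no_log_contains: id "941110"`, which passes just as well when the harness never hands the body to the JSON processor, because as far as I can tell 941110 inspects ARGS rather than the raw request body; the test therefore cannot distinguish "exclusion works" from "body was not parsed". A positive control in the same file — the same payload placed in a field the plugin does not exclude, with `log_contains: id "941110"` — would prove the body actually reaches ARGS. Whether the test environment enables the JSON body processor for `application/json` is not visible in this commit, so this is inferred. The same remark applies to the rewritten stages in 9520104, 9520110, 9520120, 9520121 and 9520130.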
118 changes: 13 additions & 105 deletions tests/regression/sogo-rule-exclusions-plugin/9520104.yaml
Expand Up @@ -6,7 +6,7 @@ meta:
name: 9520104.yaml
tests:
- test_title: 9520104-1
desc: Disable OWASP CRS for email body when sending an email
desc: Sending an email
stages:
- stage:
input:
Expand All @@ -15,14 +15,16 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/send?json.text=<script>
method: POST
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/send
data: |
{"to":["postmaster <[email protected]>"],"cc":[],"bcc":[],"isHTML":1,"text":"<p>&lt;script&gt;</p>","from":"postmaster <[email protected]>","locale":"en","subject":"<script>"}
output:
no_log_contains: id "941110"
- test_title: 9520104-2
desc: Disable OWASP CRS for email body when saving an email
desc: Saving an draft email
stages:
- stage:
input:
Expand All @@ -31,105 +33,11 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/save?json.text=<script>
output:
no_log_contains: id "941110"
- test_title: 9520104-3
desc: Disable OWASP CRS for email subject when sending an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/send?json.subject=<script>
output:
no_log_contains: id "941110"
- test_title: 9520104-4
desc: Disable OWASP CRS for email subject when saving an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/save?json.subject=<script>
output:
method: POST
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/save
data: |
{"to":["postmaster <[email protected]>"],"cc":[],"bcc":[],"isHTML":1,"text":"<p>&lt;script&gt;</p>","from":"postmaster <[email protected]>","locale":"en","subject":"<script>"}
output:
no_log_contains: id "941110"
- test_title: 9520104-5
desc: Disable 942131 for source email address when saving an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/save?json.from=<[email protected]>Postmaster
output:
no_log_contains: id "942131"
- test_title: 9520104-6
desc: Disable 942131 for source email address when sending an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/send?json.from=<[email protected]>Postmaster
output:
no_log_contains: id "942131"
- test_title: 9520104-7
desc: Disable 942131 for destination email address when saving an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/save?json.to.array_0=<[email protected]>Postmaster
output:
no_log_contains: id "942131"
- test_title: 9520104-8
desc: Disable 942131 for destination email address when sending an email
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/[email protected]/Mail/4/folderDrafts/newDraft-4/send?json.to.array_0=<[email protected]>Postmaster
output:
no_log_contains: id "942131"
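Review bot: Removing 9520104-3 through 9520104-8 leaves the 942131 exclusions for `from` and `to` without any regression test: the two remaining stages do carry `from` and `to` values in their JSON bodies, but their `output` checks only `id "941110"`, so a regression in the `ARGS:json.from` / `ARGS:to.array_0` targets would go unnoticed. Either keep one stage per rule ID (a second `- stage:` with the same body and `no_log_contains: id "942131"`) or, if the harness treats `no_log_contains` as a regex, fold both IDs into one pattern. Minor wording: `desc: Saving an draft email` should read `Saving a draft email`.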
26 changes: 6 additions & 20 deletions tests/regression/sogo-rule-exclusions-plugin/9520110.yaml
Expand Up @@ -6,7 +6,7 @@ meta:
name: 9520110.yaml
tests:
- test_title: 9520110-1
desc: Disable OWASP CRS when changing passwords
desc: Changing passwords
stages:
- stage:
input:
Expand All @@ -15,25 +15,11 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/changePassword?json.oldPassword=<script>
output:
no_log_contains: id "941110"
- test_title: 9520110-2
desc: Disable OWASP CRS when changing passwords
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/vcard
port: 80
method: GET
uri: /SOGo/so/changePassword?json.newPassword=<script>
method: POST
uri: /SOGo/so/changePassword
data: |
{ "userName":null,"newPassword":"<script>","oldPassword":"<script>" }
output:
no_log_contains: id "941110"
11 changes: 8 additions & 3 deletions tests/regression/sogo-rule-exclusions-plugin/9520120.yaml
Expand Up @@ -6,7 +6,7 @@ meta:
name: 9520120.yaml
tests:
- test_title: 9520120-1
desc: Disable 931130 for ARGS:json.urls.array_0.value
desc: Creating/modifying a contact
stages:
- stage:
input:
Expand All @@ -15,8 +15,13 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Contacts/work-contacts/john-doe.vcf/saveAsContact?json.urls.array_0.value=https://example.com/
method: POST
uri: /SOGo/so/[email protected]/Contacts/work-contacts/john-doe.vcf/saveAsContact
data: |
{ "refs":[],"categories":[],"c_screenname":null,"pid":"personal","c_component":"vcard","notes":[""],"empty":" ","isNew":true,"id":"1C0-65E5E480-9-2141CA00.vcf",
"urls":[{"type":"work","value":"https://www.fsf.org/"}],"c_cn":"display name","c_givenname":"Firstname","c_sn":"Lastname","nickname":"Nickname","org":"org","title":"title","role":"role",
"addresses":[{"type":"","postoffice":"","street":"","street2":"","locality":"","region":"","country":"","postalcode":""}],"birthday":"" }
output:
no_log_contains: id "931130"
10 changes: 7 additions & 3 deletions tests/regression/sogo-rule-exclusions-plugin/9520121.yaml
Expand Up @@ -6,7 +6,7 @@ meta:
name: 9520121.yaml
tests:
- test_title: 9520121-1
desc: Disable 931130 for ARGS:json.cardDavURL
desc: Modifying an addressbook properties
stages:
- stage:
input:
Expand All @@ -15,8 +15,12 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Contacts/work-contacts/save?json.cardDavURL=https://example.com/
method: POST
uri: /SOGo/so/[email protected]/Contacts/work-contacts/save
data: |
{ "name":"test","isEditable":true,"isRemote":false,"owner":"[email protected]","isOwned":true,"isSubscription":false,"id":"1BE-65E5E580-B-1B22B300",
"publicCardDavURL":"","cardDavURL":"https://sogo.example.com/SOGo/dav/[email protected]/Contacts/1BE-65E5E580-B-1B22B300/","synchronize":1 }
output:
no_log_contains: id "931130"
27 changes: 21 additions & 6 deletions tests/regression/sogo-rule-exclusions-plugin/9520130.yaml
Expand Up @@ -6,7 +6,7 @@ meta:
name: 9520130.yaml
tests:
- test_title: 9520130-1
desc: Disable 931130 for ARGS:json.attachUrls.array_0.value
desc: Creating a new calendar task
stages:
- stage:
input:
Expand All @@ -15,13 +15,20 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask?json.attachUrls.array_0.value=https://example.com/
method: POST
uri: /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/saveAsTask
data: |
{"categories":[],"alarm":{},"delta":60,"pid":"personal","type":"task","completed":"2024-03-04T15:37:15.262Z",
"$hasAlarm":false,"classification":"confidential","destinationCalendar":"personal","selected":false,"isNew":true,
"id":"1BB-65E5EA80-1-7B69C580.ics","sendAppointmentNotifications":1,"attachUrls":[{"value":"https://example.com/"}],
"summary":"test","due":"2024-03-04T15:30:26.610Z","dueDate":"2024-03-05","start":"2024-03-04T15:30:27.775Z","priority":4,"comment":"test",
"location":"test","startDate":"2024-03-05","startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}
output:
no_log_contains: id "931130"
- test_title: 9520130-2
desc: Disable 931130 for ARGS:json.attachUrls.array_0.value
desc: Modifying an existing Calendar task
stages:
- stage:
input:
Expand All @@ -30,8 +37,16 @@ tests:
Host: localhost
User-Agent: SOGo rule exclusions plugin
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json;charset=UTF-8
port: 80
method: GET
uri: /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/save?json.attachUrls.array_0.value=https://example.com/
method: POST
uri: /SOGo/so/[email protected]/Calendar/mycalendar/calendar.ics/save
data: |
{"categories":[],"alarm":{},"delta":60,"calendar":"Personal Calendar","component":"vtodo","location":"test",
"localizedDueTime":"02:30","id":"1BB-65E5EA80-1-7B69C580.ics","priority":5,"localizedStartTime":"02:30","dueDate":"2024-03-05",
"sendAppointmentNotifications":1,"isErasable":1,"attachUrls":[{"value":"https://example.com/"}],"comment":"test","startDate":"2024-03-05",
"localizedDueDate":"Tuesday, March 05, 2024","localizedStartDate":"Tuesday, March 05, 2024","summary":"test","classification":"confidential",
"isEditable":1,"pid":"personal","type":"task","start":"2024-03-04T15:30:00.000Z","due":"2024-03-04T15:30:00.000Z","completed":"2024-03-04T15:40:01.319Z",
"$hasAlarm":false,"destinationCalendar":"personal","selected":false,"startTime":"02:30","endDate":"","endTime":"","dueTime":"02:30","completedDate":"2024-03-05"}
output:
no_log_contains: id "931130"

