Added workflow integrations/lint and regressiontests for all PL1 rules

Author: eilandert

.github/workflows/integration.yml

@@ -0,0 +1,7 @@
+---
+on: [push, pull_request]          # yamllint disable-line rule:truthy
+name: Integration tests
+
+jobs:
+  integration-tests:
+    uses: coreruleset/crs-plugin-test-action/.github/workflows/integration.yaml@main

.github/workflows/lint.yml

@@ -0,0 +1,6 @@
+---
+on: [push, pull_request]        # yamllint disable-line rule:truthy
+
+jobs:
+  plugin-lint:
+    uses: coreruleset/crs-plugin-test-action/.github/workflows/lint.yaml@main

tests/regression/wordpress-hardening-plugin/9522102.yaml

@@ -0,0 +1,24 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522102.yaml
+tests:
+  - test_title: 9522102
+    desc: Test if xmlrpc.php is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /xmlrpc.php
+            data: |
+              text
+          output:
+            log_contains: id "9522102"

tests/regression/wordpress-hardening-plugin/9522104.yaml

@@ -0,0 +1,109 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522104.yaml
+tests:
+  - test_title: 9522104-1
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /author=1
+            data: |
+              text
+          output:
+            log_contains: id "9522104"
+  - test_title: 9522104-2
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /AUTHOR=99999999999999999999999
+            data: |
+              text
+          output:
+            log_contains: id "9522104"
+  - test_title: 9522104-3
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-json/wp/v2/users
+            data: |
+              text
+          output:
+            log_contains: id "9522104"
+  - test_title: 9522104-4
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-json/wp/v2/USERS=99999999999999999999999
+            data: |
+              text
+          output:
+            log_contains: id "9522104"
+  - test_title: 9522104-5
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-json/wp/v2/users?search=test
+            data: |
+              text
+          output:
+            log_contains: id "9522104"
+  - test_title: 9522104-6
+    desc: Test if user enumeration is blocked
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /section/news?rest_route=/wp/v2/users
+            data: |
+              text
+          output:
+            log_contains: id "9522104"

tests/regression/wordpress-hardening-plugin/9522107.yaml

@@ -0,0 +1,24 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522107.yaml
+tests:
+  - test_title: 9522107
+    desc: Test if restapi works
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-json/wp-statistics/v2/hit?wp_statistics_hit_rest=yes&track_all=1&current_page_type=home&current_page_id=445&search_query&page_uri=Lw=&referred=&_=1707944400020
+            data: |
+              text
+          output:
+            no_log_contains: id "9522107"

tests/regression/wordpress-hardening-plugin/9522109.yaml

@@ -0,0 +1,23 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522109.yaml
+tests:
+  - test_title: 9522109
+    desc: Test if admin login is blocked (default)
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /wp-login.php
+            data: log=admin&pwd=admin&wp-submit=Log%20In
+          output:
+            log_contains: id "9522109"

tests/regression/wordpress-hardening-plugin/9522111.yaml

@@ -0,0 +1,24 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522111.yaml
+tests:
+  - test_title: 95222111
+    desc: Test if wp-cron.php works
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-cron.php
+            data: |
+              text
+          output:
+            no_log_contains: id "95222111"

tests/regression/wordpress-hardening-plugin/9522202.yaml

@@ -0,0 +1,92 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522202.yaml
+tests:
+  - test_title: 9522202-1
+    desc: test for no direct access to files/dirs in wordpress-hardening-files.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /readme.txt
+            data: |
+              text
+          output:
+            log_contains: id "9522202"
+  - test_title: 9522202-2
+    desc: test for no direct access to files/dirs in wordpress-hardening-files.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-config.php
+            data: |
+              text
+          output:
+            log_contains: id "9522202"
+  - test_title: 9522202-3
+    desc: test for no direct access to files/dirs in wordpress-hardening-files.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-config-sample.php
+            data: |
+              text
+          output:
+            log_contains: id "9522202"
+  - test_title: 9522202-4
+    desc: test for no direct access to files/dirs in wordpress-hardening-files.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/wp-rocket-config/dynamic-lists.json
+            data: |
+              text
+          output:
+            log_contains: id "9522202"
+  - test_title: 9522202-5
+    desc: test for no direct access to files/dirs in wordpress-hardening-files.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/mu-plugins/test.php
+            data: |
+              text
+          output:
+            log_contains: id "9522202"

tests/regression/wordpress-hardening-plugin/9522205.yaml

@@ -0,0 +1,58 @@
+---
+meta:
+  author: Thijs Eilander
+  description: wordpress-hardening-plugin
+  enabled: true
+  name: 9522102.yaml
+tests:
+  - test_title: 9522205-1
+    desc: Test nasty shit in /wp-content/uploads
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/uploads/2024/15/2/test.lua
+            data: |
+              text
+          output:
+            log_contains: id "9522205"
+  - test_title: 9522205-2
+    desc: Test nasty shit in /wp-content/uploads
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/uploads/test/test/test/test/test/test/test/test/test/test/test/test.js
+            data: |
+              text
+          output:
+            log_contains: id "9522205"
+  - test_title: 9522205-3
+    desc: Test nasty shit in /wp-content/uploads
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: GET
+            uri: /wp-content/uploads/2024/15/2/test.webp
+            data: |
+              text
+          output:
+            no_log_contains: id "9522205"