Merge remote-tracking branch 'upstream/main' into HEAD

Author: M4tteoP

.github/workflows/ci.yaml

@@ -19,8 +19,8 @@ env:
     envoyproxy/envoy:v1.29-latest
     envoyproxy/envoy:v1.28-latest
     envoyproxy/envoy-dev:latest
-    istio/proxyv2:1.20.1
-    istio/proxyv2:1.19.5
+    istio/proxyv2:1.21.0
+    istio/proxyv2:1.20.4
 
 jobs:
   build:
@@ -89,9 +89,12 @@ jobs:
           name: ftw-envoy-logs
           path: build/ftw-envoy.log
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         if: ${{ matrix.multiphase_eval=='true' }}
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Docker meta
         if: ${{ matrix.multiphase_eval=='true' }}
@@ -131,11 +134,12 @@ jobs:
 
       - name: Build and push busybox based image
         if: ${{ matrix.multiphase_eval=='true' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta-busybox.outputs.tags }}
+          platforms: linux/amd64,linux/arm64
           labels: ${{ steps.meta-busybox.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -144,7 +148,7 @@ jobs:
 
       - name: Build and push
         if: ${{ matrix.multiphase_eval=='true' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

README.md

@@ -167,8 +167,8 @@ For details and locally tweaking the configuration refer to [@recommended-conf](
 
 In order to individually monitor envoy logs while performing requests, in another terminal you can run:
 
-- Envoy logs: `docker-compose -f ./example/envoy/docker-compose.yml logs -f envoy-logs`.
-- Critical wasm (audit) logs: `docker-compose -f ./example/envoy/docker-compose.yml logs -f wasm-logs`
+- Envoy logs: `docker compose -f ./example/envoy/docker-compose.yml logs -f envoy-logs`.
+- Critical wasm (audit) logs: `docker compose -f ./example/envoy/docker-compose.yml logs -f wasm-logs`
 
 The Envoy example comes also with a Grafana dashboard that can be accessed at `localhost:3000` (admin/admin) in order to monitor the memory consumption.
 

ftw/Dockerfile

@@ -8,8 +8,8 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # TODO update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc2.tar.gz
-ADD https://github.com/coreruleset/coreruleset/tarball/2b92d53ea708babbca8da06cd13decffbc9e31b5 /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 2b92d53ea708babbca8da06cd13decffbc9e31b5 --strip-components 1
+ADD https://github.com/coreruleset/coreruleset/tarball/1d95422bb31983a5290720b7fb662ce3dd51f753 /workspace/coreruleset/
+RUN cd coreruleset && tar -xf 1d95422bb31983a5290720b7fb662ce3dd51f753 --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

ftw/ftw.yml

@@ -12,9 +12,6 @@ testoverride:
     '920100-10': 'Invalid HTTP method. Rejected by Envoy with Error 400'
     '920100-14': 'Invalid HTTP method. Rejected by Envoy with Error 400'
     '920100-16': 'Invalid HTTP request line. Rejected by Envoy with Error 400'
-    '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
-    '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
-    '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
     '920210-2': 'Connection header is stripped out by Envoy'
     '920210-3': 'Connection header is stripped out by Envoy'
     '920210-4': 'Connection header is stripped out by Envoy'
@@ -28,9 +25,18 @@ testoverride:
     '932161-10': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-11': 'Referer header is sanitized by Envoy and removed from the request'
     '932161-12': 'Referer header is sanitized by Envoy and removed from the request'
+    '932237-8': 'Referer header is sanitized by Envoy and removed from the request'
+    '932237-18': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-6': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-7': 'Referer header is sanitized by Envoy and removed from the request'
     '932239-19': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-27': 'Referer header is sanitized by Envoy and removed from the request'
+    '932239-29': 'Referer header is sanitized by Envoy and removed from the request'  
+    '941101-1': 'Referer header is sanitized by Envoy and removed from the request'
+    '941110-4': 'Referer header is sanitized by Envoy and removed from the request'
+    '949110-4': 'Related to 920100. Invalid HTTP method. Rejected by Envoy with Error 400'
+    '920181-1': 'Content-Length with Transfer-Encoding chunked is rejected by Envoy with Error 400' 
+    '932260-28': 'test bug, fixed upstream https://github.com/coreruleset/coreruleset/pull/3580'
 
     # Rules working, tests excluded for different expected output
     '920270-4': 'Log contains 920270. Test has log_contains disabled.'
@@ -50,5 +56,5 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
-    '934131-5': 'See https://github.com/corazawaf/coraza/pull/899'
-    '934131-7': 'See https://github.com/corazawaf/coraza/pull/899'
+    '942440-19': 'Coraza side: Seems like ARGS is not splitted in _GET and _POST in ruleRemoveTargetById. Further investigation needed.'
+    '942440-20': 'Coraza side: Seems like ARGS is not splitted in _GET and _POST in ruleRemoveTargetById. Further investigation needed.'

magefiles/loadtest.go

@@ -29,14 +29,14 @@ func LoadTest() error {
 }
 
 func doLoadTest(conf string, payloadSize int, threads int) error {
-	if err := sh.RunV("docker-compose", "--file", "ftw/docker-compose.yml", "build", "--pull"); err != nil {
+	if err := sh.RunV("docker", "compose", "--file", "ftw/docker-compose.yml", "build", "--pull"); err != nil {
 		return err
 	}
 	defer func() {
-		_ = sh.RunV("docker-compose", "--file", "ftw/docker-compose.yml", "kill")
-		_ = sh.RunV("docker-compose", "--file", "ftw/docker-compose.yml", "down", "-v")
+		_ = sh.RunV("docker", "compose", "--file", "ftw/docker-compose.yml", "kill")
+		_ = sh.RunV("docker", "compose", "--file", "ftw/docker-compose.yml", "down", "-v")
 	}()
-	if err := sh.RunWithV(map[string]string{"ENVOY_CONFIG": fmt.Sprintf("/conf/%s", conf)}, "docker-compose",
+	if err := sh.RunWithV(map[string]string{"ENVOY_CONFIG": fmt.Sprintf("/conf/%s", conf)}, "docker", "compose",
 		"--file", "ftw/docker-compose.yml", "run", "--service-ports", "--rm", "-d", "envoy"); err != nil {
 		return err
 	}

magefiles/magefile.go

@@ -223,14 +223,14 @@ func Build() error {
 	return patchWasm(filepath.Join("build", "mainraw.wasm"), filepath.Join("build", "main.wasm"), initialPages)
 }
 
-// E2e runs e2e tests with a built plugin against the example deployment. Requires docker-compose.
+// E2e runs e2e tests with a built plugin against the example deployment. Requires docker.
 func E2e() error {
 	var err error
-	if err = sh.RunV("docker-compose", "--file", "e2e/docker-compose.yml", "up", "-d", "envoy"); err != nil {
+	if err = sh.RunV("docker", "compose", "--file", "e2e/docker-compose.yml", "up", "-d", "envoy"); err != nil {
 		return err
 	}
 	defer func() {
-		_ = sh.RunV("docker-compose", "--file", "e2e/docker-compose.yml", "down", "-v")
+		_ = sh.RunV("docker", "compose", "--file", "e2e/docker-compose.yml", "down", "-v")
 	}()
 
 	envoyHost := os.Getenv("ENVOY_HOST")
@@ -245,18 +245,18 @@ func E2e() error {
 	// --nulled-body is needed because coraza-proxy-wasm returns a 200 OK with a nulled body when if the interruption happens after phase 3
 	if err = sh.RunV("go", "run", "github.com/corazawaf/coraza/v3/http/e2e/cmd/httpe2e@main", "--proxy-hostport",
 		"http://"+envoyHost, "--httpbin-hostport", "http://"+httpbinHost, "--nulled-body"); err != nil {
-		sh.RunV("docker-compose", "-f", "e2e/docker-compose.yml", "logs", "envoy")
+		sh.RunV("docker", "compose", "-f", "e2e/docker-compose.yml", "logs", "envoy")
 	}
 	return err
 }
 
-// Ftw runs ftw tests with a built plugin and Envoy. Requires docker-compose.
+// Ftw runs ftw tests with a built plugin and Envoy. Requires docker.
 func Ftw() error {
-	if err := sh.RunV("docker-compose", "--file", "ftw/docker-compose.yml", "build", "--pull"); err != nil {
+	if err := sh.RunV("docker", "compose", "--file", "ftw/docker-compose.yml", "build", "--pull"); err != nil {
 		return err
 	}
 	defer func() {
-		_ = sh.RunV("docker-compose", "--file", "ftw/docker-compose.yml", "down", "-v")
+		_ = sh.RunV("docker", "compose", "--file", "ftw/docker-compose.yml", "down", "-v")
 	}()
 	env := map[string]string{
 		"FTW_CLOUDMODE": os.Getenv("FTW_CLOUDMODE"),
@@ -270,22 +270,22 @@ func Ftw() error {
 	if os.Getenv("MEMSTATS") == "true" {
 		task = "ftw-memstats"
 	}
-	return sh.RunWithV(env, "docker-compose", "--file", "ftw/docker-compose.yml", "run", "--rm", task)
+	return sh.RunWithV(env, "docker", "compose", "--file", "ftw/docker-compose.yml", "run", "--rm", task)
 }
 
-// RunEnvoyExample spins up the test environment of envoy, access at http://localhost:8080. Requires docker-compose.
+// RunEnvoyExample spins up the test environment of envoy, access at http://localhost:8080. Requires docker.
 func RunEnvoyExample() error {
-	return sh.RunWithV(map[string]string{"ENVOY_IMAGE": os.Getenv("ENVOY_IMAGE")}, "docker-compose", "--file", "example/envoy/docker-compose.yml", "up")
+	return sh.RunWithV(map[string]string{"ENVOY_IMAGE": os.Getenv("ENVOY_IMAGE")}, "docker", "compose", "--file", "example/envoy/docker-compose.yml", "up")
 }
 
-// TeardownEnvoyExample tears down the test environment of envoy. Requires docker-compose.
+// TeardownEnvoyExample tears down the test environment of envoy. Requires docker.
 func TeardownEnvoyExample() error {
-	return sh.RunV("docker-compose", "--file", "example/envoy/docker-compose.yml", "down")
+	return sh.RunV("docker", "compose", "--file", "example/envoy/docker-compose.yml", "down")
 }
 
-// ReloadEnvoyExample reload the test environment (container) of envoy in case of envoy or wasm update. Requires docker-compose
+// ReloadEnvoyExample reload the test environment (container) of envoy in case of envoy or wasm update. Requires docker.
 func ReloadEnvoyExample() error {
-	return sh.RunV("docker-compose", "--file", "example/envoy/docker-compose.yml", "restart")
+	return sh.RunV("docker", "compose", "--file", "example/envoy/docker-compose.yml", "restart")
 }
 
 var Default = Build

wasmplugin/rules/crs-setup.conf.example

@@ -1,9 +1,9 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.4.0.0-rc2
+# OWASP CRS ver.4.0.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
-# The OWASP ModSecurity Core Rule Set is distributed under
+# The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
 # Please see the enclosed LICENSE file for full details.
 # ------------------------------------------------------------------------
@@ -12,7 +12,7 @@
 #
 # -- [[ Introduction ]] --------------------------------------------------------
 #
-# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
+# The OWASP CRS is a set of generic attack
 # detection rules that provide a base level of protection for any web
 # application. They are written for the open source, cross-platform
 # ModSecurity Web Application Firewall.
@@ -619,6 +619,8 @@ SecAction \
 # Block request if number of arguments is too high
 # Default: unlimited
 # Example: 255
+# Note that a hard limit by the engine may also apply here (SecArgumentsLimit).
+# This would override this soft limit.
 # Uncomment this rule to set a limit.
 #SecAction \
 #    "id:900300,\
@@ -692,7 +694,7 @@ SecAction \
 #
 # -- [[ Easing In / Sampling Percentage ]] -------------------------------------
 #
-# Adding the Core Rule Set to an existing productive site can lead to false
+# Adding the CRS to an existing productive site can lead to false
 # positives, unexpected performance issues and other undesired side effects.
 #
 # It can be beneficial to test the water first by enabling the CRS for a
@@ -746,23 +748,6 @@ SecAction \
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 
-#
-# -- [[ Collection timeout ]] --------------------------------------------------
-#
-# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
-# to a lower setting which is appropriate to most sites.
-# This increases performance by cleaning out stale collection (block) entries.
-#
-# This value should be greater than or equal to any block durations or timeouts
-# set by plugins that make use of ModSecurity's persistent collections (e.g. the
-# DoS protection and IP reputation plugins).
-#
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecCollectionTimeout
-
-# Please keep this directive uncommented.
-# Default: 600 (10 minutes)
-SecCollectionTimeout 600
-
 
 #
 # -- [[ End of setup ]] --------------------------------------------------------