Skip to content

Commit 61e2746

Browse files
sjoukedvM4tteoP
andauthored
bump waf CRS to 4.25.0 (#299)
CRS 4.25.0 is the latest version of the ruleset --------- Signed-off-by: Sjouke de Vries <info@sdvservices.nl> Signed-off-by: Matteo Pace <pace.matteo96@gmail.com> Co-authored-by: Matteo Pace <pace.matteo96@gmail.com>
1 parent de911e4 commit 61e2746

37 files changed

Lines changed: 894 additions & 1003 deletions

extensions/composer/integration/ftw.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ testoverride:
4242
"932239-19": "Referer header is sanitized by Envoy and removed from the request"
4343
"932239-27": "Referer header is sanitized by Envoy and removed from the request"
4444
"932239-29": "Referer header is sanitized by Envoy and removed from the request"
45+
"932390-9": "Referer header is sanitized by Envoy and removed from the request"
4546
"941101-1": "Referer header is sanitized by Envoy and removed from the request"
4647
"941110-4": "Referer header is sanitized by Envoy and removed from the request"
4748
"941120-50": "Referer header is sanitized by Envoy and removed from the request"
@@ -70,6 +71,9 @@ testoverride:
7071
"930110-7": "Coraza or CRS side. See https://github.com/corazawaf/coraza/pull/1081"
7172
"920274-1": "Failing on Coraza upstream as well"
7273
"920290-4": "Failing on Coraza upstream as well"
74+
"941310-1": "upstream issue, see https://github.com/corazawaf/coraza/pull/1580"
75+
"941310-3": "upstream issue, see https://github.com/corazawaf/coraza/pull/1580"
76+
"941310-12": "upstream issue, see https://github.com/corazawaf/coraza/pull/1580"
7377

7478
# Excluding individual failing tests probably not compatible with Envoy
7579
"920180-1": ""

extensions/composer/waf/README.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,22 @@ To upgrade to a new CRS version:
1212
1. Replace the contents of `coraza/rules/owasp_crs/` with the `.conf` and `.data` files from the new release `rules/` directory.
1313
1. Update `coraza/rules/crs-setup.conf` with the new `crs-setup.conf.example` available in the new release root folder, reviewing any changes and merging them into the existing `crs-setup.conf` as needed. Note that some configurations are specific for this repository, and this should not be overwritten.
1414

15+
Or as a one-liner:
16+
17+
```bash
18+
CRS_VERSION="4.25.0"; TMP_DIR="/tmp/coreruleset-v$CRS_VERSION"; \
19+
mkdir -p "$TMP_DIR" && \
20+
curl -fsSL "https://github.com/coreruleset/coreruleset/releases/download/v$CRS_VERSION/coreruleset-$CRS_VERSION-minimal.tar.gz" -o "$TMP_DIR/crs.tar.gz" && \
21+
tar -xzf "$TMP_DIR/crs.tar.gz" -C "$TMP_DIR" && \
22+
find coraza/rules/owasp_crs -type f \( -name '*.conf' -o -name '*.data' \) -delete && \
23+
mv "$TMP_DIR/coreruleset-$CRS_VERSION/rules/"*.conf "$TMP_DIR/coreruleset-$CRS_VERSION/rules/"*.data coraza/rules/owasp_crs/ && \
24+
mv "$TMP_DIR/coreruleset-$CRS_VERSION/crs-setup.conf.example" coraza/rules/crs-setup.conf.example.upstream && \
25+
rm -rf "$TMP_DIR"
26+
```
27+
28+
> [!NOTE]
29+
> Manual review is needed afterward. Some configurations in this code are specific to the tetratelabs/built-on-envoy repository and should not be overwritten when making updates or migrations. Please ensure that repository-specific settings are preserved during any refactoring or dependency updates.
30+
1531
## Upgrading Coraza
1632

1733
To upgrade to a new Coraza version:

extensions/composer/waf/coraza/rules/crs-setup.conf

Lines changed: 37 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
# ------------------------------------------------------------------------
2-
# OWASP CRS ver.4.24.1
2+
# OWASP CRS ver.4.25.0
33
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
44
# Copyright (c) 2021-2026 CRS project. All rights reserved.
55
#
@@ -182,7 +182,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
182182
# t:none,\
183183
# nolog,\
184184
# tag:'OWASP_CRS',\
185-
# ver:'OWASP_CRS/4.24.1',\
185+
# ver:'OWASP_CRS/4.25.0',\
186186
# setvar:tx.blocking_paranoia_level=1"
187187

188188

@@ -210,7 +210,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
210210
# t:none,\
211211
# nolog,\
212212
# tag:'OWASP_CRS',\
213-
# ver:'OWASP_CRS/4.24.1',\
213+
# ver:'OWASP_CRS/4.25.0',\
214214
# setvar:tx.detection_paranoia_level=1"
215215

216216

@@ -236,7 +236,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
236236
# t:none,\
237237
# nolog,\
238238
# tag:'OWASP_CRS',\
239-
# ver:'OWASP_CRS/4.24.1',\
239+
# ver:'OWASP_CRS/4.25.0',\
240240
# setvar:tx.enforce_bodyproc_urlencoded=1"
241241

242242

@@ -271,7 +271,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
271271
# t:none,\
272272
# nolog,\
273273
# tag:'OWASP_CRS',\
274-
# ver:'OWASP_CRS/4.24.1',\
274+
# ver:'OWASP_CRS/4.25.0',\
275275
# setvar:tx.critical_anomaly_score=5,\
276276
# setvar:tx.error_anomaly_score=4,\
277277
# setvar:tx.warning_anomaly_score=3,\
@@ -332,7 +332,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
332332
# t:none,\
333333
# nolog,\
334334
# tag:'OWASP_CRS',\
335-
# ver:'OWASP_CRS/4.24.1',\
335+
# ver:'OWASP_CRS/4.25.0',\
336336
# setvar:tx.inbound_anomaly_score_threshold=5,\
337337
# setvar:tx.outbound_anomaly_score_threshold=4"
338338

@@ -393,7 +393,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
393393
# t:none,\
394394
# nolog,\
395395
# tag:'OWASP_CRS',\
396-
# ver:'OWASP_CRS/4.24.1',\
396+
# ver:'OWASP_CRS/4.25.0',\
397397
# setvar:tx.reporting_level=4"
398398

399399

@@ -418,15 +418,15 @@ SecDefaultAction "phase:2,log,auditlog,pass"
418418
# does not get evaluated if the request is being blocked early. So when you
419419
# disabled early blocking again at some point in the future, then new alerts
420420
# from phase 2 might pop up.
421-
SecAction \
422-
"id:900120,\
423-
phase:1,\
424-
pass,\
425-
t:none,\
426-
nolog,\
427-
tag:'OWASP_CRS',\
428-
ver:'OWASP_CRS/4.24.1',\
429-
setvar:tx.early_blocking=1"
421+
SecAction \
422+
"id:900120,\
423+
phase:1,\
424+
pass,\
425+
t:none,\
426+
nolog,\
427+
tag:'OWASP_CRS',\
428+
ver:'OWASP_CRS/4.25.0',\
429+
setvar:tx.early_blocking=1"
430430

431431

432432
#
@@ -446,7 +446,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
446446
# t:none,\
447447
# nolog,\
448448
# tag:'OWASP_CRS',\
449-
# ver:'OWASP_CRS/4.24.1',\
449+
# ver:'OWASP_CRS/4.25.0',\
450450
# setvar:tx.enable_default_collections=1"
451451

452452

@@ -484,7 +484,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
484484
# t:none,\
485485
# nolog,\
486486
# tag:'OWASP_CRS',\
487-
# ver:'OWASP_CRS/4.24.1',\
487+
# ver:'OWASP_CRS/4.25.0',\
488488
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
489489

490490
#
@@ -514,7 +514,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
514514
# pass,\
515515
# nolog,\
516516
# tag:'OWASP_CRS',\
517-
# ver:'OWASP_CRS/4.24.1',\
517+
# ver:'OWASP_CRS/4.25.0',\
518518
# setvar:'tx.allow_method_override_parameter=1'"
519519

520520
# Content-Types that a client is allowed to send in a request.
@@ -554,7 +554,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
554554
# t:none,\
555555
# nolog,\
556556
# tag:'OWASP_CRS',\
557-
# ver:'OWASP_CRS/4.24.1',\
557+
# ver:'OWASP_CRS/4.25.0',\
558558
# chain"
559559
# SecRule REQUEST_URI "@rx ^/foo/bar" \
560560
# "t:none,\
@@ -573,7 +573,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
573573
# t:none,\
574574
# nolog,\
575575
# tag:'OWASP_CRS',\
576-
# ver:'OWASP_CRS/4.24.1',\
576+
# ver:'OWASP_CRS/4.25.0',\
577577
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
578578

579579
# Allowed HTTP versions.
@@ -589,7 +589,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
589589
# t:none,\
590590
# nolog,\
591591
# tag:'OWASP_CRS',\
592-
# ver:'OWASP_CRS/4.24.1',\
592+
# ver:'OWASP_CRS/4.25.0',\
593593
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
594594

595595
# Forbidden file extensions.
@@ -613,7 +613,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
613613
# t:none,\
614614
# nolog,\
615615
# tag:'OWASP_CRS',\
616-
# ver:'OWASP_CRS/4.24.1',\
616+
# ver:'OWASP_CRS/4.25.0',\
617617
# setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jks/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swap/ .swo/ .swp/ .sys/ .temp/ .tfstate/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
618618

619619
# Restricted request headers.
@@ -669,7 +669,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
669669
# t:none,\
670670
# nolog,\
671671
# tag:'OWASP_CRS',\
672-
# ver:'OWASP_CRS/4.24.1',\
672+
# ver:'OWASP_CRS/4.25.0',\
673673
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'"
674674
#
675675
# [ Extended ]
@@ -695,7 +695,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
695695
# t:none,\
696696
# nolog,\
697697
# tag:'OWASP_CRS',\
698-
# ver:'OWASP_CRS/4.24.1',\
698+
# ver:'OWASP_CRS/4.25.0',\
699699
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
700700

701701
# Content-Types charsets that a client is allowed to send in a request.
@@ -714,7 +714,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
714714
# t:none,\
715715
# nolog,\
716716
# tag:'OWASP_CRS',\
717-
# ver:'OWASP_CRS/4.24.1',\
717+
# ver:'OWASP_CRS/4.25.0',\
718718
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
719719

720720
#
@@ -740,7 +740,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
740740
# t:none,\
741741
# nolog,\
742742
# tag:'OWASP_CRS',\
743-
# ver:'OWASP_CRS/4.24.1',\
743+
# ver:'OWASP_CRS/4.25.0',\
744744
# setvar:tx.max_num_args=255"
745745

746746
# Block request if the length of any argument name is too high
@@ -754,7 +754,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
754754
# t:none,\
755755
# nolog,\
756756
# tag:'OWASP_CRS',\
757-
# ver:'OWASP_CRS/4.24.1',\
757+
# ver:'OWASP_CRS/4.25.0',\
758758
# setvar:tx.arg_name_length=100"
759759

760760
# Block request if the length of any argument value is too high
@@ -768,7 +768,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
768768
# t:none,\
769769
# nolog,\
770770
# tag:'OWASP_CRS',\
771-
# ver:'OWASP_CRS/4.24.1',\
771+
# ver:'OWASP_CRS/4.25.0',\
772772
# setvar:tx.arg_length=400"
773773

774774
# Block request if the total length of all combined arguments is too high
@@ -782,7 +782,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
782782
# t:none,\
783783
# nolog,\
784784
# tag:'OWASP_CRS',\
785-
# ver:'OWASP_CRS/4.24.1',\
785+
# ver:'OWASP_CRS/4.25.0',\
786786
# setvar:tx.total_arg_length=64000"
787787

788788
# Block request if the file size of any individual uploaded file is too high
@@ -796,7 +796,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
796796
# t:none,\
797797
# nolog,\
798798
# tag:'OWASP_CRS',\
799-
# ver:'OWASP_CRS/4.24.1',\
799+
# ver:'OWASP_CRS/4.25.0',\
800800
# setvar:tx.max_file_size=1048576"
801801

802802
# Block request if the total size of all combined uploaded files is too high
@@ -810,7 +810,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
810810
# t:none,\
811811
# nolog,\
812812
# tag:'OWASP_CRS',\
813-
# ver:'OWASP_CRS/4.24.1',\
813+
# ver:'OWASP_CRS/4.25.0',\
814814
# setvar:tx.combined_file_sizes=1048576"
815815

816816

@@ -850,7 +850,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
850850
# pass,\
851851
# nolog,\
852852
# tag:'OWASP_CRS',\
853-
# ver:'OWASP_CRS/4.24.1',\
853+
# ver:'OWASP_CRS/4.25.0',\
854854
# setvar:tx.sampling_percentage=100"
855855

856856

@@ -871,7 +871,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
871871
# t:none,\
872872
# nolog,\
873873
# tag:'OWASP_CRS',\
874-
# ver:'OWASP_CRS/4.24.1',\
874+
# ver:'OWASP_CRS/4.25.0',\
875875
# setvar:tx.crs_validate_utf8_encoding=1"
876876

877877
# -- [[ Skip Checking Responses ]] ------------------------------------------------
@@ -893,7 +893,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
893893
# t:none,\
894894
# nolog,\
895895
# tag:'OWASP_CRS',\
896-
# ver:'OWASP_CRS/4.24.1',\
896+
# ver:'OWASP_CRS/4.25.0',\
897897
# setvar:tx.crs_skip_response_analysis=1"
898898

899899
#
@@ -914,5 +914,5 @@ SecAction \
914914
t:none,\
915915
nolog,\
916916
tag:'OWASP_CRS',\
917-
ver:'OWASP_CRS/4.24.1',\
918-
setvar:tx.crs_setup_version=4241"
917+
ver:'OWASP_CRS/4.25.0',\
918+
setvar:tx.crs_setup_version=4250"

0 commit comments

Comments
 (0)