Merge pull request #339 from theseion/fix-default-paranoia-settings

fix: default paranoia settings break CRS
coreruleset · Feb 27, 2025 · b3f9ae4 · b3f9ae4
2 parents fd3708b + 6230042
commit b3f9ae4
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 25 deletions.
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -7,6 +7,7 @@ on:
 env:
   # sha256sum format: <hash><space><format (space for text)><file name>
   MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f  modsecurity.conf-recommended"
+  GO_FTW_VERSION: '1.3.0'
 
 jobs:
   prepare:
@@ -107,3 +108,41 @@ jobs:
             grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt
             grep -q "Access-Control-Allow-Headers: *" headers.txt
           fi
+
+      - name: Checkout CRS
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          repository: coreruleset/coreruleset
+          path: crs
+      - name: "Install go-ftw"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd crs
+          gh release download -R coreruleset/go-ftw "v${{ env.GO_FTW_VERSION }}" \
+            -p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
+      - name: Patch CRS compose file to use verification image
+        run: |
+          sed -i \
+            's#image: owasp/modsecurity-crs:${{ contains(matrix.target, 'apache') && 'apache' || 'nginx' }}.*#image: ${{ matrix.target }}-verification#' \
+            crs/tests/docker-compose.yml
+      - name: Run CRS tests for ${{ matrix.target }}
+        run: |
+          cd crs
+          modsec_version="${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}"
+          backend="${{ contains(matrix.target, 'apache') && 'httpd' || 'nginx' }}"
+          mkdir -p "tests/logs/${modsec_version}/{nginx,apache2}"
+          docker compose -f ./tests/docker-compose.yml up -d "${modsec_version}"
+          docker compose -f ./tests/docker-compose.yml logs
+          if ! [ "$(docker inspect ${modsec_version} --format='{{.State.Running}}')" = "true" ]; then
+            echo "Web server failed to start. Aborting."
+            exit 1
+          fi
+
+          ./ftw check -d tests/regression/tests
+          ./ftw run \
+            -d tests/regression/tests \
+            --log-file "tests/logs/${modsec_version}/error.log" \
+            --overrides "tests/regression/${backend}-overrides.yaml" \
+            --show-failures-only
diff --git a/README.md b/README.md
@@ -119,7 +119,7 @@ You can achieve the same results just by getting any version you want, and using
 git clone https://github.com/coreruleset/coreruleset.git myrules
 cd myrules
 git checkout ac2a0d1
-docker run -p 8080:8080 -ti -e PARANOIA=4 -v rules:/opt/owasp-crs/rules:ro --rm owasp/modsecurity-crs
+docker run -p 8080:8080 -ti -e BLOCKING_PARANOIA=4 -v rules:/opt/owasp-crs/rules:ro --rm owasp/modsecurity-crs
 ```
 
 ## Quick reference
@@ -412,8 +412,8 @@ docker run \
    -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log \
    -e LOGLEVEL=warn \
    -e ERRORLOG=/var/log/modsec_error.log \
-   -e PARANOIA=1 \
-   -e EXECUTING_PARANOIA=2 \
+   -e BLOCKING_PARANOIA=2 \
+   -e DETECTION_PARANOIA=2 \
    -e ENFORCE_BODYPROC_URLENCODED=1 \
    -e ANOMALY_INBOUND=10 \
    -e ANOMALY_OUTBOUND=5 \

diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -146,7 +146,6 @@ ENV \
     TIMEOUT=60 \
     WORKER_CONNECTIONS=400 \
     # CRS specific variables
-    PARANOIA=1 \
     ANOMALY_INBOUND=5 \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -156,7 +156,6 @@ ENV \
     TIMEOUT=60 \
     WORKER_CONNECTIONS=400 \
     # CRS specific variables
-    PARANOIA=1 \
     ANOMALY_INBOUND=5 \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -125,13 +125,13 @@ target "apache" {
                 lua_modules = join(" ", lua-modules-debian)
                 tag_base = "apache"
             },
-            {
-                name = "alpine"
-                dockerfile = "apache/Dockerfile-alpine"
-                image = "docker-image://httpd:${httpd-version}-alpine"
-                lua_modules = join(" ", lua-modules-alpine)
-                tag_base = "apache-alpine"
-            }
+            # {
+            #     name = "alpine"
+            #     dockerfile = "apache/Dockerfile-alpine"
+            #     image = "docker-image://httpd:${httpd-version}-alpine"
+            #     lua_modules = join(" ", lua-modules-alpine)
+            #     tag_base = "apache-alpine"
+            # }
         ]
     }
 
@@ -159,23 +159,23 @@ target "nginx" {
                 lua_modules = join(" ", lua-modules-debian)
                 tag_base = "nginx"
             },
-            {
-                name = "alpine"
-                dockerfile = "nginx/Dockerfile-alpine"
-                image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
-                lua_modules = join(" ", lua-modules-alpine)
-                tag_base = "nginx-alpine"
-            }
+            # {
+            #     name = "alpine"
+            #     dockerfile = "nginx/Dockerfile-alpine"
+            #     image = "docker-image://nginxinc/nginx-unprivileged:${nginx-version}-alpine"
+            #     lua_modules = join(" ", lua-modules-alpine)
+            #     tag_base = "nginx-alpine"
+            # }
         ],
         read-only-fs = [
             {
                 name = "writable"
                 read-only = "false"
             },
-            {
-                name = "read-only"
-                read-only = "true"
-            }
+            # {
+            #     name = "read-only"
+            #     read-only = "true"
+            # }
         ]
     }
     inherits = ["platforms-base"]

diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
@@ -203,7 +203,6 @@ ENV \
     SSL_VERIFY=off \
     WORKER_CONNECTIONS=1024 \
     # CRS specific variables
-    PARANOIA=1 \
     ANOMALY_INBOUND=5 \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1

diff --git a/src/opt/modsecurity/configure-rules.conf b/src/opt/modsecurity/configure-rules.conf
@@ -21,7 +21,7 @@ false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
 false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
 false|MAX_NUM_ARGS|900300|max_num_args|100
 false|ARG_NAME_LENGTH|900310|arg_name_length|200
-false|ARG_LENGTH|900230|arg_length|300
+false|ARG_LENGTH|900320|arg_length|300
 false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
 false|MAX_FILE_SIZE|900340|max_file_size|500
 false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600