chore: add simple test facility for rule configuration
theseion committed Dec 24, 2024
1 parent 7adda10 commit 9f08de4
Showing 4 changed files with 67 additions and 30 deletions.
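--- a/.github/workflows/configure-rules-for-test.sh
+++ b/.github/workflows/configure-rules-for-test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# The purpose of this script is to test that `configure-rules.sh` will run
+# successfully for all variables that we configure.
+
+set -e
+
+conf_file="${1}"
+env_file="${2}"
+
+if [ -f "${env_file}" ]; then
+rm "${env_file}"
+fi
+
+while read -r line; do
+if [ -z "${line}" ] || echo "${line}" | grep -Eq "^#"; then
+continue
+fi
+
+var_name="$(cut -d'|' -f2 <<< "${line}")"
+test_value="$(cut -d'|' -f5 <<< "${line}")"
+echo "Setting ${var_name}=${test_value}"
+echo "${var_name}=${test_value}" >> "${env_file}"
+done < "${conf_file}"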
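Review bot: The two `cut` calls accept any field count, so a row that lacks its fifth column (or carries a stray `|`) silently writes `NAME=` into the env file and the container sees an empty value instead of the test failing; add `[ -n "${var_name}" ] && [ -n "${test_value}" ] || { echo "malformed line in ${conf_file}: ${line}" >&2; exit 1; }` before the `echo` lines. The `while read -r line` loop also drops a final row with no trailing newline; `while read -r line || [ -n "${line}" ]; do` covers that. Since verifyimage.yml sources this file with `.` rather than executing it, `set -e` and the `conf_file`/`env_file` variables leak into the calling shell and the shebang is never used; running it with `bash` would keep it self-contained.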
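--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -62,8 +62,16 @@ jobs:
 
 - name: Run ${{ matrix.target }}
 run: |
+. .github/workflows/configure-rules-for-test.sh \
+src/opt/modsecurity/configure-rules.conf \
+"$(pwd)/${{ matrix.target }}.env"
 echo "Starting container ${{ matrix.target }}"
-docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
+docker run \
+--pull "never" \
+-d \
+--name ${{ matrix.target }}-test \
+--env-file "${{ matrix.target }}.env" \
+"${REPO}:${{ matrix.target }}"
 sleep 30
 docker logs ${{ matrix.target }}-test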
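Review bot: Nothing in this step fails the job when configure-rules.sh reports "Failed to find rule … Aborting" inside the container; after `sleep 30` the `docker logs` line only prints, so the new test values exercise the script but a regression would surface as log noise unless a later step outside the hunk checks it. Add something like `! docker logs "${{ matrix.target }}-test" 2>&1 | grep -q 'Aborting'` followed by `docker inspect -f '{{.State.Running}}' "${{ matrix.target }}-test" | grep -q true` after the logs line, assuming the entrypoint lets a configure failure stop the container. The `${{ matrix.target }}` expressions are expanded into the shell script as the step already did before; that is fine while `matrix.target` is a literal list in the workflow, but if it is ever derived from an input it should be passed through `env:` instead. The job definition continues outside the hunk.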
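--- a/src/opt/modsecurity/configure-rules.conf
+++ b/src/opt/modsecurity/configure-rules.conf
@@ -1,28 +1,29 @@
-# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>|<test value>
 # The octothorpe (#) designates a comment, comments are ignored
+# See `.github/workflows/configure-rules-for-test.sh` for how the test value is used.
 
 # Superceded by BLOCKING_PARANOIA
-true|PARANOIA|900000|blocking_paranoia_level
-true|PARANOIA|900001|detection_paranoia_level
-false|BLOCKING_PARANOIA|900000|blocking_paranoia_level
+true|PARANOIA|900000|blocking_paranoia_level|4
+true|PARANOIA|900001|detection_paranoia_level|4
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level|4
 # Superceded by DETECTION_PARANOIA
-true|EXECUTING_PARANOIA|900001|executing_paranoia_level
-false|DETECTION_PARANOIA|900001|detection_paranoia_level
-false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded
-false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold
-false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold
-false|ALLOWED_METHODS|900200|allowed_methods
-false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type
-false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset
-false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions
-false|RESTRICTED_EXTENSIONS|900240|restricted_extensions
-false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic
-false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended
-false|MAX_NUM_ARGS|900300|max_num_args
-false|ARG_NAME_LENGTH|900310|arg_name_length
-false|ARG_LENGTH|900230|arg_length
-false|TOTAL_ARG_LENGTH|900330|total_arg_length
-false|MAX_FILE_SIZE|900340|max_file_size
-false|COMBINED_FILE_SIZES|900350|combined_file_sizes
-false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding
-false|REPORTING_LEVEL|900115|reporting_level
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level|4
+false|DETECTION_PARANOIA|900001|detection_paranoia_level|4
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded|0
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold|6
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold|6
+false|ALLOWED_METHODS|900200|allowed_methods|GET OPTIONS
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type|application/json
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset|utf-8
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions|1.1
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions|.exe/
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
+false|MAX_NUM_ARGS|900300|max_num_args|100
+false|ARG_NAME_LENGTH|900310|arg_name_length|200
+false|ARG_LENGTH|900230|arg_length|300
+false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
+false|MAX_FILE_SIZE|900340|max_file_size|500
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding|0
+false|REPORTING_LEVEL|900115|reporting_level|5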
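Review bot: The new row `false|ARG_LENGTH|900230|arg_length|300` carries rule ID 900230, the same ID as `ALLOWED_HTTP_VERSIONS` six entries above, while its neighbours step 900300, 900310, 900330; 900320 looks intended and should be checked against the setup file now that the test exercises this entry. With the shared ID, configure-rules.sh seeks `/id:900230/` and then searches forward for `setvar:tx.arg_length=`, and because ed's search wraps around the buffer the substitution may still land on the right line, so a green CI run would not necessarily expose the mismatch. The unchanged "Superceded" comment lines are also misspelled; "Superseded" is the spelling.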
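--- a/src/opt/modsecurity/configure-rules.sh
+++ b/src/opt/modsecurity/configure-rules.sh
@@ -31,20 +31,24 @@ set_value() {
 # then a second pass to set the variable. We do two separate passes since the rule might
 # already be uncommented (by default in the file or due to having been uncommented in a previous step).
 if grep -Eq "#.*id:${rule}" "${setup_conf_path}"; then
-# commented, uncomment now
+# Commented, uncomment now
 ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
 /id:${rule}/
 -
-.,/^$/ s/#//
+.,/^#\?$/ s/#//
 wq
 EOF
 fi
 
-# uncommented, set var
+# Uncommented, set var
+# Some rules set multiple vars, so the variable name will be terminated
+# by either `,`, `'`, or `"`, depending on whether it's the last line of the rule
+# and whether the expression is enclosed in single quotes.
+# Use `#` as pattern delimiter, as `/` is part of some variable values.
 ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
 /id:${rule}/
 /setvar:'\?tx\.${tx_var_name}=/
-s/=.*"/=${var_value}"/
+s#=[^,'"]\+#=${var_value}#
 wq
 EOF
 }
@@ -101,7 +105,7 @@ while read -r line; do
 if should_set "${var_value}" "${tx_var_name}"; then
 if ! can_set "${rule}" "${tx_var_name}"; then
 if [ "${legacy}" = "true" ]; then
-echo "Legacy variable set but nothing found to substitute. Skipping"
+echo "Legacy variable ${var_name} (${rule}) set but nothing found to substitute. Skipping"
 continue
 fi
 echo "Failed to find rule ${rule} to set ${tx_var_name}=${var_value} for ${var_name} in ${setup_conf_path}. Aborting"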
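Review bot: `${var_value}` is spliced verbatim into the new `s#=[^,'"]\+#=${var_value}#` command, so a value containing `#` ends the replacement early, `&` expands to the matched text, `\` starts an escape and an embedded newline injects a further ed command; the old `/` delimiter had the same weakness for `/`, which the new comment acknowledges, but changing the delimiter only moves the problem. The value comes from the container's environment, so this is operator-controlled rather than remote input, but a misconfigured value silently corrupting the setup file is worth guarding against: escape it first with `safe_value="$(printf '%s' "${var_value}" | sed 's/[\&#]/\\&/g')"`, substitute `${safe_value}` in the here-doc, and reject values containing a newline up front. `\+` in `[^,'"]\+` is a GNU BRE extension; if the image's `ed` is not GNU ed it is matched literally and the substitution quietly does nothing, so `[^,'"][^,'"]*` is the portable spelling. set_value() begins before this hunk.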

0 comments on commit 9f08de4

Please sign in to comment.