CRS v4.5, albedo, etc. (#294)

.github/workflows/ci.yaml

@@ -16,11 +16,11 @@ env:
   TINYGO_VERSION: 0.33.0
   # Run e2e tests against latest two releases and latest dev
   ENVOY_IMAGES: >
+    envoyproxy/envoy:v1.31-latest
     envoyproxy/envoy:v1.30-latest
-    envoyproxy/envoy:v1.29-latest
     envoyproxy/envoy-dev:latest
-    istio/proxyv2:1.22.1
-    istio/proxyv2:1.21.3
+    istio/proxyv2:1.23.3
+    istio/proxyv2:1.22.6
 
 jobs:
   build:

e2e/docker-compose.yml

@@ -1,13 +1,13 @@
 services:
   httpbin:
-    image: mccutchen/go-httpbin:v2.9.0
+    image: mccutchen/go-httpbin:v2.15.0
     command: [ "/bin/go-httpbin", "-port", "8081" ]
     ports:
       - 8081:8081
   envoy:
     depends_on:
       - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.28-latest}
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.31-latest}
     # Entryoint is explicited in order to make the ENVOY_IMAGE compatible also with istio/proxyv2 images
     # The latter has as default entrypoint pilot-agent instead of envoy
     # See https://github.com/tetratelabs/proxy-wasm-go-sdk/blob/main/.github/workflows/workflow.yaml#L104

example/envoy/docker-compose.yml

@@ -19,7 +19,7 @@ services:
     depends_on:
       - chown
       - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.28-latest}
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.31-latest}
     command:
       - -c
       - /conf/envoy-config.yaml

ftw/Dockerfile

@@ -1,16 +1,15 @@
 # Copyright 2022 The OWASP Coraza contributors
 # SPDX-License-Identifier: Apache-2.0
 
-# Stick with go-ftw:0.6.4 until CRS tests new format is merged (https://github.com/coreruleset/coreruleset/pull/3369)
-FROM ghcr.io/coreruleset/go-ftw:0.6.4
+FROM ghcr.io/coreruleset/go-ftw:1.1.0
 
 RUN apk update && apk add curl
 
 WORKDIR /workspace
 
 # Keep this CRS version aligned with the one embedded in wasmplugin/rules
-ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.3.0.tar.gz /workspace/coreruleset/
-RUN cd coreruleset && tar -xf v4.3.0.tar.gz --strip-components 1
+ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz /workspace/coreruleset/
+RUN cd coreruleset && tar -xf v4.5.0.tar.gz --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh

ftw/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
-  httpbin:
-    image: mccutchen/go-httpbin:v2.9.0
+  albedo:
+    image: ghcr.io/coreruleset/albedo:0.0.16
   chown:
     image: alpine:3.16
     command:
@@ -13,8 +13,8 @@ services:
   envoy:
     depends_on:
       - chown
-      - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.28-latest}
+      - albedo
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.31-latest}
     command:
       - -c
       - ${ENVOY_CONFIG:-/conf/envoy-config.yaml}

ftw/envoy-config-nowasm.yaml

@@ -40,5 +40,5 @@ static_resources:
               - endpoint:
                   address:
                     socket_address:
-                      address: httpbin
+                      address: albedo
                       port_value: 8080

ftw/envoy-config.yaml

@@ -70,5 +70,5 @@ static_resources:
               - endpoint:
                   address:
                     socket_address:
-                      address: httpbin
+                      address: albedo
                       port_value: 8080

ftw/ftw.yml

@@ -58,3 +58,8 @@ testoverride:
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
     '930110-7': 'Coraza/CRS side: See https://github.com/corazawaf/coraza/pull/1081'
+
+    '920274-1': 'Host validation. Apache expects status 400, investigate Coraza-proxy-wasm behavior'
+    '920430-5': 'To be investigated Coraza side'
+    '932300-10': 'To be investigated Coraza side, failing only with multiphase evaluation'
+    '933120-2': 'To be investigated Coraza side, failing only with multiphase evaluation'

ftw/tests.sh

@@ -26,10 +26,16 @@ while [[ "$status_code" -eq "000" ]]; do
     exit 1
   fi
 done
+if [[ "$status_code" -ne "200" ]]; then
+  echo -e "\n[Fail] Unexpected status code $status_code, expected 200. Exiting."
+  exit 1
+fi
 echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."
 
+
 FTW_CLOUDMODE=${FTW_CLOUDMODE:-false}
 
 FTW_INCLUDE=$([ "${FTW_INCLUDE}" == "" ] && echo "" || echo "-i ${FTW_INCLUDE}")
 
 /ftw run -d coreruleset/tests/regression/tests --config ftw.yml --read-timeout=10s --cloud=$FTW_CLOUDMODE $FTW_INCLUDE || exit 1
+

wasmplugin/rules/crs-setup.conf.example

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.3.0
+# OWASP CRS ver.4.5.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.blocking_paranoia_level=1"
 
 
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.detection_paranoia_level=1"
 
 
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.enforce_bodyproc_urlencoded=1"
 
 
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.critical_anomaly_score=5,\
 #    setvar:tx.error_anomaly_score=4,\
 #    setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.inbound_anomaly_score_threshold=5,\
 #    setvar:tx.outbound_anomaly_score_threshold=4"
 
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.reporting_level=4"
 
 
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
      t:none,\
      nolog,\
      tag:'OWASP_CRS',\
-     ver:'OWASP_CRS/4.3.0',\
+     ver:'OWASP_CRS/4.5.0',\
      setvar:tx.early_blocking=1"
 
 
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.enable_default_collections=1"
 
 
@@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
@@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    nolog,\
 #    tag:'OWASP_CRS',\
 #    ctl:ruleRemoveById=920420,\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    chain"
 #    SecRule REQUEST_URI "@rx ^/foo/bar" \
 #        "t:none"
@@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 
 # Allowed HTTP versions.
@@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
@@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
 # Restricted request headers.
@@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
 #
 # [ Extended ]
@@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
@@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 #
@@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
@@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
@@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
@@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
@@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
@@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.combined_file_sizes=1048576"
 
 
@@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.sampling_percentage=100"
 
 
@@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.3.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 
@@ -814,5 +814,5 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.3.0',\
-    setvar:tx.crs_setup_version=430"
+    ver:'OWASP_CRS/4.5.0',\
+    setvar:tx.crs_setup_version=450"