fix: false positives with notify_push and server crawler (#108)
* fix: false positives with notify_push and server crawler

* fix: ipv6 loopback

* document server crawler fix

* remove leftover

* fix: double slash

* fix: typos

Co-authored-by: Max Leske <[email protected]>

---------

Co-authored-by: Max Leske <[email protected]>
EsadCetiner and theseion authored Jan 18, 2025
1 parent 969b3b5 commit 8b62209
Showing 2 changed files with 45 additions and 5 deletions.
39 changes: 34 additions & 5 deletions README.md
@@ -26,6 +26,7 @@ Additional apps may be supported if there is enough demand from the community, b
| Nextcloud Text Editor | Supported ✅ |
| Nextcloud Recognize | Supported ✅ |
| Nextcloud Cookbook | Supported ✅ |
| Nextcloud Files HPB (Notify_Push) | Supported ✅ |
| Nextcloud Talk | Not supported ❌ |
| Nextcloud Forms | Not supported ❌ |
| Nextcloud Polls | Not supported ❌ |
@@ -49,14 +50,19 @@ For full and up to date instructions for the different available plugin installa

For full and up to date instructions on how to conditionally enable/disable this plugin on a multisite environment, please refer to [Conditionally enable plugins for multi-application environments](https://coreruleset.org/docs/concepts/plugins/#conditionally-enable-plugins-for-multi-application-environments) in the official CRS documentation.

## Increasing max upload size
## Known Limitations

Due to some engine limitations, there are a few issues that can't be handled out of the box with this plugin (such as issues relating to uploading large file sizes).
Below you can find a list of known limitations along with workarounds for this issue.

### Increasing max upload size

Large uploads can be modified with SecRequestBodyLimit. Or they can be more controlled by using the following:

Apache with ModSecurity2:
```
SecRule REQUEST_FILENAME "@rx (?:/index\.php/apps/files/ajax/upload\.php|/remote\.php/dav/(?:bulk|files/|uploads/))" \
"id:9508610,\
"id:9508030,\
phase:1,\
t:none,\
nolog,\
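Review bot: the rule ID of the ModSecurity2 example changes from 9508610 to 9508030 with no explanation in the README; since the other examples in this change move to 9508031 and the new crawler rule uses 9508032, a sentence in the "Known Limitations" intro saying which ID range these user-added workarounds use (so operators can check for collisions with their own local rules, and know to renumber if they deployed the older IDs) would make the renumbering self-explanatory. Also, "workarounds for this issue" should read "workarounds for these issues", as the paragraph refers to several limitations.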
@@ -77,21 +83,21 @@ Apache libmodsecurity3 Example:
</LocationMatch>
```

## Relaxing file upload restrictions
### Relaxing file upload restrictions

To relax upload restrictions for only the php files that need it, you put something like this in crs-setup.conf:

```
SecRule REQUEST_FILENAME "@rx /(?:remote\.php|index\.php)/" \
"id:9508600,\
"id:9508031,\
phase:2,\
t:none,\
nolog,\
pass,\
setvar:'tx.restricted_extensions=.bak/ .config/ .conf/'"
```

## Increasing max request body size
### Increasing max request body size

The Nextcloud desktop client occasionally sends large request bodies not containing any uploaded files.
ModSecurity will block request bodies larger than 131KB, adjusting SecRequestBodyNoFilesLimit to 141KB works for all scenarios tested.
@@ -115,6 +121,29 @@ Apache libmodsecurity3 Example:
</location>
```

### Nextcloud Server Crawler

The Nextcloud Server Crawler is used by Nextcloud for various functions of Nextcloud such as generating document previews with Collabora, and testing the functionality of Nextcloud (for example, when setting up the high performance backend for files).
Copy this rule and replace `your-server-ip` with your Nextcloud Server's IP address.
Your Nextcloud Server's IP address will either be your server's WAN IP, or if your server is behind a NAT firewall then it's either your server's private IP address or your default gateway's IP address (Depending on your NAT configuration).
```
# Allow Nextcloud Server Crawler to crawl Nextcloud
# Generating document previews with Collabora
# Sometimes the server crawler's user agent will be missing/empty or an accept header is missing
SecRule REMOTE_ADDR "@ipMatch your-server-ip" \
"id:9508032,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920300,\
ctl:ruleRemoveById=920320,\
ctl:ruleRemoveById=920330,\
ctl:ruleRemoveTargetById=920120;FILES_NAMES,\
ctl:ruleRemoveTargetById=920121;FILES_NAMES,\
ctl:ruleRemoveTargetById=922130;MULTIPART_PART_HEADERS"
```

## Testing

After the plugin is enabled, Nextcloud should work without problems caused by CRS (for example, false positives while blocking requests). If problems still occur then please file a new issue on [GitHub](https://github.com/coreruleset/nextcloud-rule-exclusions-plugin). (Note that high paranoia level deployments may require additional tuning beyond this plugin.)
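Review bot: the crawler exclusion keys only on REMOTE_ADDR, so the advice to use the default gateway's address when the server is behind NAT needs a caveat in the text: in that setup every client arriving through that gateway shares the same REMOTE_ADDR, and rules 920300, 920320 and 920330 plus the FILES_NAMES and MULTIPART_PART_HEADERS targets of 920120/920121/922130 would be disabled for all of them, not only for the crawler. Suggest stating that the narrower the matched address the smaller the exposure (the server's own IP where possible), and that if a reverse proxy sits in front of ModSecurity the client address seen in REMOTE_ADDR is the proxy's, so the match has to be adjusted accordingly. Two smaller points: the other sections give both an Apache/ModSecurity2 and a libmodsecurity3 variant, while this one gives a single snippet without saying which engine it targets; and the comment line "# Generating document previews with Collabora" is a fragment that should be folded into the line above it.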
11 changes: 11 additions & 0 deletions plugins/nextcloud-rule-exclusions-before.conf
@@ -1120,6 +1120,17 @@ SecRule REQUEST_FILENAME "@endsWith /apps/firstrunwizard/wizard" \
ver:'nextcloud-rule-exclusions-plugin/1.3.1',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} DELETE'"

# Websocket connection to Files HBP (Notify_Push) don't have a user-agent.
# Sometimes there will be a double slash after /push/
SecRule REQUEST_FILENAME "@rx /push//?ws$" \
"id:9508513,\
phase:1,\
pass,\
t:none,\
nolog,\
ver:'nextcloud-rule-exclusions-plugin/1.3.1',\
ctl:ruleRemoveById=920320"

#
# [ Nextcloud Setup ]
#
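Review bot: the comment spells the app "Files HBP" while the README row added in this same change says "Files HPB (Notify_Push)"; align the spelling, and "don't have a user-agent" should be "doesn't have a user-agent" since the subject is the singular connection. On the match itself, `@rx /push//?ws$` is unanchored at the start, so it fires for any request whose path ends in /push/ws or /push//ws, not only the notify_push endpoint; if the app is always reached under a known prefix, anchoring on it (as the firstrunwizard rule above does with `@endsWith /apps/firstrunwizard/wizard`) would keep the removal of 920320 from applying to unrelated paths. Since only 920320 (missing User-Agent) is removed, the impact is limited, which is worth saying in the comment.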

0 comments on commit 8b62209