fix: false positives when editing global styles in gutenberg

coreruleset · Jul 3, 2024 · a3e97d7 · a3e97d7
1 parent ab0ee24
commit a3e97d7
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 7 deletions.
diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
@@ -130,6 +130,20 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
 # Used when a user (auto)saves a post/page with Gutenberg.
 #
 
+# Editing global styles for a theme (colors, fonts, etc)
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]/global-styles/[0-9]+$" \
+    "id:9507139,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=942100;ARGS,\
+    ctl:ruleRemoveTargetById=942430;ARGS,\
+    ctl:ruleRemoveTargetById=942431;ARGS,\
+    ctl:ruleRemoveTargetById=942432;ARGS,\
+    ctl:ruleRemoveTargetById=942440;ARGS,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.1'"
+
 # Gutenberg
 SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates)" \
     "id:9507140,\
@@ -230,7 +244,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
             ctl:ruleRemoveTargetById=942100;ARGS"
 
 # Cannot update page|post in WordPress due to `x-http-method-override` header.
-SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates|users)" \
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|template-parts|templates|users)" \
     "id:9507146,\
     phase:1,\
     pass,\
@@ -348,8 +362,6 @@ SecRule ARGS:wp_customize "@streq on" \
             ctl:ruleRemoveTargetById=942431;ARGS:partials,\
             ctl:ruleRemoveTargetById=942460;ARGS:partials"
 
-
-
 # Self calls to wp-cron.php?doing_wp_cron=[timestamp]
 # These requests may be missing Accept, Content-Length headers.
 # This rule must run in phase:1.

diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
@@ -21,7 +21,7 @@ tests:
             uri: /post/wp-login.php?pwd=<script>
           output:
             no_log_contains: |
-              id "932236" | id "941110"
+              id "932236"|id "941110"
   - test_title: 9507100-2
     desc: ARGS:redirect_to tends to contain multiple special characters since it'll include the redirect URL
     stages:
@@ -38,4 +38,4 @@ tests:
             uri: /post/wp-login.php?redirect_to=;;;;;;;;;;;;
           output:
             no_log_contains: |
-              id "942430" | id "942431" | id "942432"
+              id "942430"|id "942431"|id "942432"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
@@ -0,0 +1,27 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Wordpress Rule Exclusions Plugin"
+  enabled: true
+  name: 9507139.yaml
+tests:
+  - test_title: 9507139-1
+    desc: Editing global styles for a theme
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+              x-http-method-override: PUT
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-json/wp/v2/global-styles/1?wp_theme_preview=twentytwentyfour&_locale=user
+            data: |
+              {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
+            no_log_contains: |
+              id "942100|id "942440"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
@@ -27,4 +27,4 @@ tests:
               {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
               <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
             no_log_contains: |
-              id "932240" | id "932236" | id "941100" | id "941150" | id "941160" | id "941180" | id "941181" | id "941320" | id "942210" | id "942330" | id "942340" | id "942370" | id "942430" | id "942431" | id "942432" | id "942440" | id "942520"
+              id "932240"|id "932236"|id "941100"|id "941150"|id "941160"|id "941180"|id "941181"|id "941320"|id "942210"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942520"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -27,3 +27,22 @@ tests:
               {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
               <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
             no_log_contains: id "920450"
+  - test_title: 9507146-2
+    desc: Editing global styles for a theme
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+              x-http-method-override: PUT
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-json/wp/v2/global-styles/1?wp_theme_preview=twentytwentyfour&_locale=user
+            data: |
+              {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
+            no_log_contains: id "920450"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
@@ -38,7 +38,7 @@ tests:
             uri: /post/wp-admin/users.php?s=&_wpnonce=random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
           output:
             no_log_contains: |
-              id "920230" | id "942430" | id "942431" | id "942432"
+              id "920230"|id "942430"|id "942431"|id "942432"
   - test_title: 9507350-3
     desc: Disable 932236 for randomly generated nonce
     stages: