fix: fp when editing template-parts in gutenberg editor (#49)
* fix: false positive (fp) when editing template-parts in the Gutenberg editor

* chore: remove leftover comment

* fix: data line too long

* chore: clean up tests

* fix: remove skip rules

* perf: specify method in uri

Co-authored-by: azurit <[email protected]>

* test: specify http version

Co-authored-by: azurit <[email protected]>

* fix: false positive without removing skip rule

---------

Co-authored-by: azurit <[email protected]>
EsadCetiner and azurit committed Jun 28, 2024
1 parent 2cb0726 commit ab0ee24
Showing 11 changed files with 200 additions and 161 deletions.
103 changes: 51 additions & 52 deletions plugins/wordpress-rule-exclusions-before.conf
Expand Up @@ -131,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
#

# Gutenberg
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages|templates|navigation)" \
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates)" \
"id:9507140,\
phase:1,\
pass,\
Expand Down Expand Up @@ -230,8 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
ctl:ruleRemoveTargetById=942100;ARGS"

# Cannot update page|post in WordPress due to `x-http-method-override` header.
# This rule is a copy of rule 900250 and must be synchronised with that rule.
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages|users|templates|navigation)" \
SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates|users)" \
"id:9507146,\
phase:1,\
pass,\
Expand Down Expand Up @@ -383,6 +382,54 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
"t:none,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"

#
# [ General exclusions ]
#

# Operator @unconditionalMatch is used instead of a SecAction because of a bug
# in ModSecurity v3 which prevents SecActions to be removed using ctl action.
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecRule REQUEST_FILENAME "@unconditionalMatch" \
"id:9507350,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932236;ARGS:nonce,\
ctl:ruleRemoveTargetById=942450;ARGS:nonce,\
ctl:ruleRemoveTargetById=932236;ARGS:ver,\
ctl:ruleRemoveTargetById=942450;ARGS:ver,\
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920273;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942430;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932370;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
ver:'wordpress-rule-exclusions-plugin/1.0.1'"


#
# -=[ WordPress Administration Back-End (wp-admin) ]=-
Expand Down Expand Up @@ -514,55 +561,6 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"


#
# [ General exclusions ]
#

# Operator @unconditionalMatch is used instead of a SecAction because of a bug
# in ModSecurity v3 which prevents SecActions to be removed using ctl action.
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
SecRule REQUEST_FILENAME "@unconditionalMatch" \
"id:9507600,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932236;ARGS:nonce,\
ctl:ruleRemoveTargetById=942450;ARGS:nonce,\
ctl:ruleRemoveTargetById=932236;ARGS:ver,\
ctl:ruleRemoveTargetById=942450;ARGS:ver,\
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920273;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942430;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932370;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
ver:'wordpress-rule-exclusions-plugin/1.0.1'"

# The ID variable is used all over wordpress
SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
"id:9507601,\
Expand Down Expand Up @@ -1064,6 +1062,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
SecMarker "END-WORDPRESS-ADMIN"



#
# [ Plugins ]
#
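Review bot: In the third hunk the general-exclusions rule arrives with `id:9507350` while the fourth hunk removes the otherwise identical rule as `id:9507600`, so the move is also a renumbering that the commit message does not mention, and `ver:'wordpress-rule-exclusions-plugin/1.0.1'` is left unchanged; any deployment that references 9507600 (`SecRuleRemoveById`, `SecRuleUpdateTargetById`, dashboards keyed on the id) silently loses that reference. Either keep `id:9507600` at the new position or bump the `ver` string and record the renumbering in the changelog. The header comment still only explains why the referer parameters are excluded, not why an `@unconditionalMatch` rule now sits ahead of the wp-admin section; going by the commit message it presumably moved so the wp-admin skip no longer bypasses it for REST requests, which deserves a line such as `# Kept outside the wp-admin section so the wp-admin skip cannot bypass it (e.g. for wp-json requests).` The bodies of 9507140 and 9507146 continue outside the first two hunks, so I could not check which targets are removed for the newly matched template-parts endpoint.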
65 changes: 12 additions & 53 deletions tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
Expand Up @@ -6,77 +6,36 @@ meta:
name: 9507100.yaml
tests:
- test_title: 9507100-1
desc: Disable OWASP CRS for password
desc: Disable OWASP CRS for password and 932236 for ARGS_NAMES:pwd
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-login.php?pwd=<script>
version: "HTTP/1.1"
uri: /post/wp-login.php?pwd=<script>
output:
no_log_contains: id "941110"
no_log_contains: |
id "932236" | id "941110"
- test_title: 9507100-2
desc: Disable 942430 for ARGS:redirect_to
desc: ARGS:redirect_to tends to contain multiple special characters since it'll include the redirect URL
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
version: "HTTP/1.1"
uri: /post/wp-login.php?redirect_to=;;;;;;;;;;;;
output:
no_log_contains: id "942430"
- test_title: 9507100-3
desc: Disable 942431 for ARGS:redirect_to
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
output:
no_log_contains: id "942431"
- test_title: 9507100-4
desc: Disable 942432 for ARGS:redirect_to
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
output:
no_log_contains: id "942432"
- test_title: 9507100-5
desc: Disable 932236 for ARGS_NAMES:pwd
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: POST
uri: /wp-login.php?pwd=foo
output:
no_log_contains: id "932236"
no_log_contains: |
id "942430" | id "942431" | id "942432"
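Review bot: Both `no_log_contains: |` blocks produce a pattern with literal spaces around `|` and a trailing newline from the block scalar, e.g. `id "932236" | id "941110"` plus newline; if go-ftw compiles this as a regular expression, as I believe it does, the alternative `id "932236" ` (trailing space) never matches the audit-log form `[id "932236"]` and the last alternative never matches because of the newline, so both negative checks pass vacuously and a broken exclusion would go unnoticed. Use a single-line pattern without padding, `no_log_contains: 'id "932236"|id "941110"'` and `no_log_contains: 'id "942430"|id "942431"|id "942432"'`. Since the file only asserts absences, it is worth confirming once that each test fails when the corresponding `ctl:ruleRemoveTargetById` line is commented out.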
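--- /dev/null
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
@@ -0,0 +1,30 @@
+---
+meta:
+author: "Esad Cetiner"
+description: "Wordpress Rule Exclusions Plugin"
+enabled: true
+name: 9507140.yaml
+tests:
+- test_title: 9507140-1
+desc: Editing template part of a website i.e header or footer
+stages:
+- stage:
+input:
+dest_addr: 127.0.0.1
+headers:
+Host: localhost
+User-Agent: OWASP CRS test agent
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Content-Type: application/json
+x-http-method-override: PUT
+port: 80
+method: POST
+version: "HTTP/1.1"
+# URI is actually sent with double slashes
+uri: /post/wp-json/wp/v2/template-parts/twentytwentyfour//header?_locale=user
+# Data is sent with some special characters escaped
+data: |
+{"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
+<!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
+no_log_contains: |
+id "932240" | id "932236" | id "941100" | id "941150" | id "941160" | id "941180" | id "941181" | id "941320" | id "942210" | id "942330" | id "942340" | id "942370" | id "942430" | id "942431" | id "942432" | id "942440" | id "942520"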
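Review bot: The new file has no `output:` key — the hunk header's 30 added lines are fully accounted for without one — so `no_log_contains` ends up either as an unknown key under `input:`/`stage:` or, if it is indented like the preceding lines, inside the `data: |` block; either way go-ftw would not evaluate it, unlike 9507100.yaml where it is nested under `output:` (disregard if the page simply dropped that line). Add `output:` before `no_log_contains` and indent the assertion underneath it. The `data: |` block also breaks the JSON payload across two physical lines inside the `content` string (after `<div class=\"wp-block-group\">`), which is an unescaped newline in a JSON string; if the JSON body processor rejects it, ARGS are never populated from the body and the seventeen negative checks pass without the 94x rules ever seeing the content. Keep the payload on one line (`# yamllint disable-line rule:line-length`) and add `id "920130"` to the negative list so a body-parse failure is caught; the pattern itself should also lose the spaces around `|` and the trailing newline, e.g. a single-line `no_log_contains: 'id "932240"|id "932236"|…'`.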
Expand Up @@ -13,12 +13,13 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: application/json
port: 80
method: POST
uri: /index.php?rest_route=%2Fwp%2Fv2%2Fglobal-styles%2F50&_locale=user
version: "HTTP/1.1"
uri: /post/index.php?rest_route=%2Fwp%2Fv2%2Fglobal-styles%2F50&_locale=user
# stripped down version of the full payload
data: |
{"id":50,"styles":{"blocks":{"core/comment-author-name":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}}},"color":{"gradient":"var(--wp--preset--gradient--dots)"},"elements":{"button":{":active":{"color":{"background":"var(--wp--preset--color--secondary)","gradient":"none"}},":focus":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":hover":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":visited":{"color":{"text":"var(--wp--preset--color--base)"}},"border":{"radius":"5px"},"color":{"gradient":"var(--wp--preset--gradient--primary-secondary)","text":"var(--wp--preset--color--base)"}}}},"settings":{"color":{"duotone":{"theme":[{"colors":["#222828","#9EF9FD"],"slug":"default-filter","name":"Default filter"}]}}}}
Expand Down
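--- /dev/null
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -0,0 +1,29 @@
+---
+meta:
+author: "Esad Cetiner"
+description: "Wordpress Rule Exclusions Plugin"
+enabled: true
+name: 9507146.yaml
+tests:
+- test_title: 9507146-1
+desc: Editing template part of a website i.e header or footer
+stages:
+- stage:
+input:
+dest_addr: 127.0.0.1
+headers:
+Host: localhost
+User-Agent: OWASP CRS test agent
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+Content-Type: application/json
+x-http-method-override: PUT
+port: 80
+method: POST
+version: "HTTP/1.1"
+# URI is actually sent with double slashes
+uri: /post/wp-json/wp/v2/template-parts/twentytwentyfour//header?_locale=user
+# Data is sent with some special characters escaped
+data: |
+{"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
+<!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
+no_log_contains: id "920450"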
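Review bot: As in 9507140.yaml there is no `output:` key (the 29 added lines leave no room for one), so `no_log_contains: id "920450"` is not nested where go-ftw reads expectations and the test is unlikely to be evaluated as intended; add `output:` and indent the assertion under it. The JSON in `data: |` is likewise split inside a string value, which matters less here because 920450 keys on the `x-http-method-override` header rather than the body, but it still is not valid JSON. Because the stage only asserts the absence of 920450, it cannot show whether the method-override allowance in rule 9507146 is scoped to the listed endpoints; a companion stage sending the same header to a path outside the alternation (for example `/post/wp-json/wp/v2/comments/1`) with `log_contains: id "920450"` would demonstrate that the exclusion is no broader than intended.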
15 changes: 9 additions & 6 deletions tests/regression/wordpress-rule-exclusions-plugin/9507147.yaml
Expand Up @@ -13,11 +13,12 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /index.php?_fields=id
version: "HTTP/1.1"
uri: /get/index.php?_fields=id
output:
no_log_contains: id "932236"
- test_title: 9507147-2
Expand All @@ -28,11 +29,12 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /index.php?_fields=id,name
version: "HTTP/1.1"
uri: /get/index.php?_fields=id,name
output:
no_log_contains: id "932236"
- test_title: 9507147-3
Expand All @@ -43,10 +45,11 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /index.php?_fields=id,name,description,slug
version: "HTTP/1.1"
uri: /get/index.php?_fields=id,name,description,slug
output:
no_log_contains: id "932236"
Expand Up @@ -13,10 +13,11 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /index.php?orderby=id
version: "HTTP/1.1"
uri: /get/index.php?orderby=id
output:
no_log_contains: id "932236"
Expand Up @@ -13,10 +13,11 @@ tests:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP CRS
User-Agent: OWASP CRS test agent
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
port: 80
method: GET
uri: /index.php?rest_route=%2Fwp-block-editor%2Fv1%2Furl-details&url=https%3A%2F%2Fexample.com%
version: "HTTP/1.1"
uri: /get/index.php?rest_route=%2Fwp-block-editor%2Fv1%2Furl-details&url=https%3A%2F%2Fexample.com%
output:
no_log_contains: id "931130"