
feat(ci): add lint and integration/regression test #6

Open
wants to merge 8 commits into master

Conversation

theMiddleBlue (Contributor) commented Oct 8, 2022

This PR is a draft for a lint/regression test template for CRS plugins.
It should be a simple version of what we already have on coreruleset.

Feature list

  • linelint test
  • lint test using secrules-parser
  • integration test on Apache + ModSecurity v2 and on Nginx + ModSecurity v3
  • regression test using go-ftw on both Apache and Nginx

tests/integration/

contains a docker-compose file that brings up all the required containers for the test. It also contains the modsec-setup.conf file that includes all plugin files in the right order.

tests/logs/

contains just two directories for Apache and Nginx to bind on containers in order to make go-ftw work

tests/regression/tests/

contains all the regression tests for go-ftw

Regression tests

My idea is to test, for each rule, the matching and the exclusion of the same payload. For example, for testing the exclusion of ARGS:pwd from all rules, we can test first a matching payload like not-pwd=<payload> and then the exclusion with pwd=<payload>. What do you think about it?

I think we can identify a PL1 rule and then write a test like:

  # test payload "exec(/bin/bash);" that should match 932160 at PL1 against a random ARG
  - test_title: 9507100-1
    desc: Check FPs on pwd ARGS
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              User-Agent: OWASP ModSecurity Core Rule Set
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            port: 80
            method: POST
            uri: /wp-login.php
            data: log=admin&notpwd=exec(/bin/bash);
          output:
            log_contains: id "932160"

  # test payload "exec(/bin/bash);" that should match 932160 at PL1 against `ARGS:pwd`
  # this time, we should not have 932160 on logs
  - test_title: 9507100-2
    desc: Check FPs on pwd ARGS
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              User-Agent: OWASP ModSecurity Core Rule Set
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            port: 80
            method: POST
            uri: /wp-login.php
            data: log=admin&pwd=exec(/bin/bash);
          output:
            no_log_contains: id "932160"

For other exclusion rules that don't remove by OWASP_CRS tag, we can do the same test referring to the specific excluded rule ids. For example, testing the following exclusion rule:

# Post comment
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
    "id:9507130,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=931130;ARGS:url,\
    ver:'wordpress-rule-exclusions-plugin/1.0.0'"

we can write a test like:

...
  # specific payload blocked by 931130
  - test_title: 9507130-1
    desc: Check FPs on comment
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              User-Agent: OWASP ModSecurity Core Rule Set
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            port: 80
            method: GET
            uri: /?url=ftp://foo.bar
          output:
            log_contains: id "931130"
  
  # test exclusion rule with the same payload, this time 931130 should not match
  - test_title: 9507130-2
    desc: Check FPs on comment
    stages:
      - stage:
          input:
            dest_addr: 127.0.0.1
            headers:
              Host: localhost
              User-Agent: OWASP ModSecurity Core Rule Set
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            port: 80
            method: GET
            uri: /wp-comments-post.php?url=ftp://foo.bar
          output:
            no_log_contains: id "931130"

Any review is very welcome,
thanks!
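As an added example (not code from this PR or from go-ftw), the match/exclusion pairing proposed above expressed in Python: it builds each pair as go-ftw test dicts and checks that every `-1` test has a `-2` partner asserting the opposite expectation on the same rule id. The rule ids, URIs and payloads are the ones quoted in the PR; the function names and the shortened header block are my own.

```python
# Added example (not from the PR): build the matching/exclusion test pairs
# described above as go-ftw test dicts and check that each pair is consistent.

# Constructed header block, shaped like the tests quoted in the PR.
HEADERS = {"Host": "localhost", "User-Agent": "OWASP ModSecurity Core Rule Set"}

def stage(method, uri, expect, rule_id, data=None):
    """One go-ftw stage; expect is 'log_contains' or 'no_log_contains'."""
    inp = {"dest_addr": "127.0.0.1", "port": 80, "method": method,
           "uri": uri, "headers": HEADERS}
    if data is not None:
        inp["data"] = data
    return {"stage": {"input": inp, "output": {expect: f'id "{rule_id}"'}}}

def exclusion_pair(excl_id, crs_id, desc, match_req, excluded_req):
    """Two tests for one exclusion rule: the payload must hit crs_id outside
    the excluded target (-1) and must not hit it once the exclusion applies
    (-2). Each *_req is a (method, uri, data) tuple."""
    m, x = match_req, excluded_req
    return [
        {"test_title": f"{excl_id}-1", "desc": desc,
         "stages": [stage(m[0], m[1], "log_contains", crs_id, m[2])]},
        {"test_title": f"{excl_id}-2", "desc": desc,
         "stages": [stage(x[0], x[1], "no_log_contains", crs_id, x[2])]},
    ]

def check_pairs(tests):
    """Return titles whose -1/-2 partner is missing, targets a different rule
    id, or does not state the opposite expectation (both log_contains, say)."""
    by_title = {t["test_title"]: t for t in tests}
    bad = []
    for title, t in by_title.items():
        base, n = title.rsplit("-", 1)
        partner = by_title.get(f"{base}-{'2' if n == '1' else '1'}")
        if partner is None:
            bad.append(title)
            continue
        out = t["stages"][0]["stage"]["output"]
        pout = partner["stages"][0]["stage"]["output"]
        if set(out) == set(pout) or list(out.values()) != list(pout.values()):
            bad.append(title)
    return sorted(bad)

def example_tests():
    """The two pairs from the PR description: ARGS:pwd and ARGS:url."""
    payload = "exec(/bin/bash);"
    return (exclusion_pair("9507100", "932160", "Check FPs on pwd ARGS",
                ("POST", "/wp-login.php", f"log=admin&notpwd={payload}"),
                ("POST", "/wp-login.php", f"log=admin&pwd={payload}"))
          + exclusion_pair("9507130", "931130", "Check FPs on comment",
                ("GET", "/?url=ftp://foo.bar", None),
                ("GET", "/wp-comments-post.php?url=ftp://foo.bar", None)))
```

Dumping `example_tests()` with a YAML library gives the same shape as the fragments quoted above; `check_pairs` is the lint step that catches a pair where both halves assert `log_contains`.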
