Merge branch 'main' into regex_default_mods

.github/workflows/close-issues.yml

@@ -10,7 +10,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v3
+      - uses: actions/stale@v9
         with:
           days-before-issue-stale: 30
           days-before-issue-close: 14

.github/workflows/codeql-analysis.yml

@@ -10,15 +10,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: go
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/fuzz.yml

@@ -3,18 +3,18 @@ name: Fuzz tests
 on:
   schedule:
     # https://crontab.guru/#05_14_*_*_*
-    - cron: '05 14 * * *'
+    - cron: "05 14 * * *"
   workflow_dispatch:
 
 jobs:
   fuzz:
     name: Fuzz tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: '>=1.19.0'
+          go-version: ">=1.20.0"
       - run: go run mage.go fuzz
       - run: |
           gh issue create --title "$GITHUB_WORKFLOW #$GITHUB_RUN_NUMBER failed" \

.github/workflows/lint.yml

@@ -18,10 +18,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: v1.19.x
+          go-version: v1.20.x
           cache: true
       - run: go run mage.go lint

.github/workflows/regression.yml

@@ -16,46 +16,46 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.19.x, 1.20.x, 1.21.x]
+        go-version: [1.20.x, 1.21.x, 1.22.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
       - name: Tests and coverage
         run: go run mage.go coverage
       - name: "Codecov: General"
-        uses: codecov/codecov-action@v3
-        if: ${{ matrix.go-version == '1.19.x' }}
+        uses: codecov/codecov-action@v4
+        if: ${{ matrix.go-version == '1.20.x' }}
         with:
           files: build/coverage.txt
           flags: default
       - name: "Codecov: Examples"
-        uses: codecov/codecov-action@v3
-        if: ${{ matrix.go-version == '1.19.x' }}
+        uses: codecov/codecov-action@v4
+        if: ${{ matrix.go-version == '1.20.x' }}
         with:
           files: build/coverage-examples.txt
           flags: examples
       - name: "Codecov: FTW"
-        uses: codecov/codecov-action@v3
-        if: ${{ matrix.go-version == '1.19.x' }}
+        uses: codecov/codecov-action@v4
+        if: ${{ matrix.go-version == '1.20.x' }}
         with:
           files: build/coverage-ftw.txt
           flags: ftw
       - name: "Codecov: FTW Multiphase tag"
-        uses: codecov/codecov-action@v3
-        if: ${{ matrix.go-version == '1.19.x' }}
+        uses: codecov/codecov-action@v4
+        if: ${{ matrix.go-version == '1.20.x' }}
         with:
           files: build/coverage-ftw-multiphase.txt
           flags: ftw-multiphase
       - name: "Codecov: Tinygo"
-        uses: codecov/codecov-action@v3
-        if: ${{ matrix.go-version == '1.19.x' }}
+        uses: codecov/codecov-action@v4
+        if: ${{ matrix.go-version == '1.20.x' }}
         with:
           files: build/coverage-tinygo.txt
           flags: tinygo

.github/workflows/tinygo.yml

@@ -18,23 +18,23 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.19.x]
+        go-version: [1.20.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
 
       - name: setup tinygo
-        uses: acifani/setup-tinygo@v1
+        uses: acifani/setup-tinygo@v2
         with:
-          tinygo-version: 0.27.0
+          tinygo-version: '0.31.2'
 
       - name: Cache TinyGo build
         uses: actions/cache@v3

.gitignore

@@ -18,3 +18,5 @@ coraza-waf
 __debug_bin
 
 build/
+
+go.work.sum

README.md

@@ -47,7 +47,7 @@ The Coraza Project maintains implementations and plugins for the following serve
 
 ## Prerequisites
 
-* Go v1.19+ or tinygo compiler
+* Go v1.20+ or tinygo compiler
 * Linux distribution (Debian or Centos recommended), Windows or Mac.
 
 ## Coraza Core Usage
@@ -58,32 +58,34 @@ Coraza can be used as a library for your Go program to implement a security midd
 package main
 
 import (
- "fmt"
- "github.com/corazawaf/coraza/v3"
+	"fmt"
+
+	"github.com/corazawaf/coraza/v3"
 )
 
 func main() {
- // First we initialize our waf and our seclang parser
- waf, err := coraza.NewWAF(coraza.NewWAFConfig().
-  WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
- // Now we parse our rules
- if err != nil {
-  fmt.Println(err)
- }
-
- // Then we create a transaction and assign some variables
-    tx := waf.NewTransaction()
- defer func() {
-  tx.ProcessLogging()
-  tx.Close()
- }()
- tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)
-
- // Finally we process the request headers phase, which may return an interruption
- if it := tx.ProcessRequestHeaders(); it != nil {
-  fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
- }
+	// First we initialize our waf and our seclang parser
+	waf, err := coraza.NewWAF(coraza.NewWAFConfig().
+		WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
+	// Now we parse our rules
+	if err != nil {
+		fmt.Println(err)
+	}
+
+	// Then we create a transaction and assign some variables
+	tx := waf.NewTransaction()
+	defer func() {
+		tx.ProcessLogging()
+		tx.Close()
+	}()
+	tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)
+
+	// Finally we process the request headers phase, which may return an interruption
+	if it := tx.ProcessRequestHeaders(); it != nil {
+		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
+	}
 }
+
 ```
 
 [Examples/http-server](./examples/http-server/) provides an example to practice with Coraza.
@@ -101,6 +103,7 @@ only the phase the rule is defined for.
 dictionaries to reduce memory consumption in deployments that launch several coraza
 instances. For more context check [this issue](https://github.com/corazawaf/coraza-caddy/issues/76)
 * `no_fs_access` - indicates that the target environment has no access to FS in order to not leverage OS' filesystem related functionality e.g. file body buffers.
+* `coraza.rule.case_sensitive_args_keys` - enables case-sensitive matching for ARGS keys, aligning Coraza behavior with RFC 3986 specification. It will be enabled by default in the next major version.
 
 ## E2E Testing
 
@@ -132,8 +135,8 @@ Coraza only requires Go for development. You can run `mage.go` to issue developm
 
 See the list of commands
 
-```shell
-go run mage.go -l
+```
+$ go run mage.go -l
 Targets:
   check        runs lint and tests.
   coverage     runs tests with coverage and race detector enabled.
@@ -163,8 +166,8 @@ Our vulnerability management team will respond within 3 working days of your rep
 
 ## Thanks
 
-* Modsecurity team for creating ModSecurity
 * OWASP Coreruleset team for the CRS and their help
+* Ivan Ristić for creating ModSecurity
 
 ### Coraza on Twitter
 

coraza.conf-recommended

@@ -45,7 +45,8 @@ SecRequestBodyLimit 13107200
 
 SecRequestBodyInMemoryLimit 131072
 
-SecRequestBodyNoFilesLimit 131072
+# SecRequestBodyNoFilesLimit is currently not supported by Coraza
+# SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial

examples/http-server/go.mod

@@ -1,12 +1,12 @@
 module github.com/corazawaf/coraza/v3/examples/http-server
 
-go 1.18
+go 1.20
 
 require github.com/corazawaf/coraza/v3 v3.0.0-20220914101451-05d352c89b24
 
 require (
 	github.com/magefile/mage v1.15.0 // indirect
-	github.com/tidwall/gjson v1.17.0 // indirect
+	github.com/tidwall/gjson v1.17.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 )

examples/http-server/go.sum

@@ -2,8 +2,8 @@ github.com/corazawaf/coraza/v3 v3.0.0-20220914101451-05d352c89b24 h1:dy3992o5ue4
 github.com/corazawaf/coraza/v3 v3.0.0-20220914101451-05d352c89b24/go.mod h1:xhc7feR6FUfYgmBmRw3UObvLiyzT3XPQtlJD+huy+Mc=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
 github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
-github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
-github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
+github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=

examples/http-server/main_test.go

@@ -113,3 +113,45 @@ func TestHttpServer(t *testing.T) {
 		})
 	}
 }
+
+// TestHttpServerConcurrent is meant to be run with the "-race" flag.
+// Multiple requests are sent concurrently to the server and race conditions are checked.
+// It is especially useful to ensure that rules and their metadata are not edited in an unsafe way
+// after parsing time.
+func TestHttpServerConcurrent(t *testing.T) {
+	tests := []struct {
+		name      string
+		path      string
+		expStatus int
+		body      []byte // if body is populated, POST request is sent
+	}{
+		{"negative", "/", 200, nil},
+		{"positive for query parameter 1", "/?id=0", 403, nil},
+		{"positive for request body", "/", 403, []byte("password")},
+	}
+	// Spin up the test server with default.conf configuration
+	testServer := setupTestServer(t)
+	defer testServer.Close()
+	// a t.Run wraps all the concurrent tests and permits to close the server only once test is done
+	// See https://github.com/golang/go/issues/17791
+	t.Run("concurrent test", func(t *testing.T) {
+		for _, tc := range tests {
+			tt := tc
+			for i := 0; i < 10; i++ {
+				// Each test case is added 10 times and then run concurrently
+				t.Run(tt.name, func(t *testing.T) {
+					t.Parallel()
+					var statusCode int
+					if tt.body == nil {
+						statusCode = doGetRequest(t, testServer.URL+tt.path)
+					} else {
+						statusCode = doPostRequest(t, testServer.URL+tt.path, tt.body)
+					}
+					if want, have := tt.expStatus, statusCode; want != have {
+						t.Errorf("Unexpected status code, want: %d, have: %d", want, have)
+					}
+				})
+			}
+		}
+	})
+}