Merge branch 'main' into regex_default_mods

.github/workflows/codeql-analysis.yml

@@ -10,15 +10,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3
+      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
       with:
         languages: go
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3
+      uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3
+      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3

.github/workflows/fuzz.yml

@@ -11,8 +11,8 @@ jobs:
     name: Fuzz tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
           go-version: ">=1.22.0"
       - run: go run mage.go fuzz

.github/workflows/lint.yml

@@ -18,9 +18,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Install Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
           go-version: v1.22.x
           cache: true

.github/workflows/regression.yml

@@ -21,9 +21,9 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Install Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
           go-version: ${{ matrix.go-version }}
           cache: true

.github/workflows/tinygo.yml

@@ -24,10 +24,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Install Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
@@ -38,7 +38,7 @@ jobs:
           tinygo-version: ${{ matrix.tinygo-version }}
 
       - name: Cache TinyGo build
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
         with:
           path: |
             ~/.cache/tinygo

examples/http-server/go.mod

@@ -1,11 +1,11 @@
 module github.com/corazawaf/coraza/v3/examples/http-server
 
-go 1.22
+go 1.22.0
 
 require github.com/corazawaf/coraza/v3 v3.2.1
 
 require (
-	github.com/corazawaf/libinjection-go v0.2.1 // indirect
+	github.com/corazawaf/libinjection-go v0.2.2 // indirect
 	github.com/magefile/mage v1.15.0 // indirect
 	github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect

examples/http-server/go.sum

@@ -1,7 +1,7 @@
 github.com/corazawaf/coraza/v3 v3.2.1 h1:zBIji4ut9FtFe8lXdqFwXMAkUoDJZ7HsOlEUYWERLI8=
 github.com/corazawaf/coraza/v3 v3.2.1/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg=
-github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=
-github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
+github.com/corazawaf/libinjection-go v0.2.2 h1:Chzodvb6+NXh6wew5/yhD0Ggioif9ACrQGR4qjTCs1g=
+github.com/corazawaf/libinjection-go v0.2.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
 github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=

experimental/plugins/macro/macro.go

@@ -99,38 +99,38 @@ func (m *macro) compile(input string) error {
 		return fmt.Errorf("empty macro")
 	}
 
-	currentToken := strings.Builder{}
 	m.original = input
+	var currentToken strings.Builder
 	isMacro := false
+
 	for i := 0; i < l; i++ {
 		c := input[i]
-		if c == '%' && (i <= l && input[i+1] == '{') {
-			// we have a macro
+
+		if c == '%' && i+1 < l && input[i+1] == '{' {
 			if currentToken.Len() > 0 {
-				// we add the text token
 				m.tokens = append(m.tokens, macroToken{
 					text:     currentToken.String(),
 					variable: variables.Unknown,
 					key:      "",
 				})
+				currentToken.Reset()
 			}
-			currentToken.Reset()
 			isMacro = true
-			i++
+			i++ // Skip '{'
 			continue
 		}
 
 		if isMacro {
 			if c == '}' {
-				// we close a macro
 				isMacro = false
-				// TODO(jcchavezs): key should only be empty in single collections
+				if input[i-1] == '.' {
+					return fmt.Errorf("empty variable name")
+				}
 				varName, key, _ := strings.Cut(currentToken.String(), ".")
 				v, err := variables.Parse(varName)
 				if err != nil {
 					return fmt.Errorf("unknown variable %q", varName)
 				}
-				// we add the variable token
 				m.tokens = append(m.tokens, macroToken{
 					text:     currentToken.String(),
 					variable: v,
@@ -140,8 +140,7 @@ func (m *macro) compile(input string) error {
 				continue
 			}
 
-			if !(c == '.' || c == '_' || c == '-' || (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) {
-				currentToken.WriteByte(c)
+			if !isValidMacroChar(c) {
 				return fmt.Errorf("malformed variable starting with %q", "%{"+currentToken.String())
 			}
 
@@ -152,10 +151,10 @@ func (m *macro) compile(input string) error {
 			}
 			continue
 		}
-		// we have a normal character
+
 		currentToken.WriteByte(c)
 	}
-	// if there is something left
+
 	if currentToken.Len() > 0 {
 		m.tokens = append(m.tokens, macroToken{
 			text:     currentToken.String(),
@@ -166,6 +165,10 @@ func (m *macro) compile(input string) error {
 	return nil
 }
 
+func isValidMacroChar(c byte) bool {
+	return c == '.' || c == '_' || c == '-' || (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
+}
+
 // String returns the original string
 func (m *macro) String() string {
 	return m.original

experimental/plugins/macro/macro_test.go

@@ -36,7 +36,39 @@ func TestCompile(t *testing.T) {
 		}
 	})
 
-	t.Run("malformed macro", func(t *testing.T) {
+	t.Run("single percent sign", func(t *testing.T) {
+		m := &macro{}
+		err := m.compile("%")
+		if err != nil {
+			t.Errorf("single percent sign should not error")
+		}
+	})
+
+	t.Run("empty braces", func(t *testing.T) {
+		m := &macro{}
+		err := m.compile("%{}")
+		if err == nil {
+			t.Errorf("expected error for empty braces")
+		}
+	})
+
+	t.Run("missing key", func(t *testing.T) {
+		m := &macro{}
+		err := m.compile("%{tx.}")
+		if err == nil {
+			t.Errorf("expected error for missing key")
+		}
+	})
+
+	t.Run("missing collection", func(t *testing.T) {
+		m := &macro{}
+		err := m.compile("%{.key}")
+		if err == nil {
+			t.Errorf("expected error for missing collection")
+		}
+	})
+
+	t.Run("malformed macros", func(t *testing.T) {
 		for _, test := range []string{"%{tx.count", "%{{tx.count}", "%{{tx.{count}", "something %{tx.count"} {
 			t.Run(test, func(t *testing.T) {
 				m := &macro{}

go.sum

@@ -1,7 +1,5 @@
 github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df h1:YWiVl53v0R8Knj/k+4slO0SXPL67Y4dXWiOIWNzrkew=
 github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df/go.mod h1:7jguE759ADzy2EkxGRXigiC0ER1Yq2IFk2qNtwgzc7U=
-github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=
-github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/corazawaf/libinjection-go v0.2.2 h1:Chzodvb6+NXh6wew5/yhD0Ggioif9ACrQGR4qjTCs1g=
 github.com/corazawaf/libinjection-go v0.2.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
 github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=

http/middleware.go

@@ -86,27 +86,10 @@ func processRequest(tx types.Transaction, req *http.Request) (*types.Interruptio
 
 			// Adds all remaining bytes beyond the coraza limit to its buffer
 			// It happens when the partial body has been processed and it did not trigger an interruption
-			body := io.MultiReader(rbr, req.Body)
+			bodyReader := io.MultiReader(rbr, req.Body)
 			// req.Body is transparently reinizialied with a new io.ReadCloser.
 			// The http handler will be able to read it.
-			// Prior to Go 1.19 NopCloser does not implement WriterTo if the reader implements it.
-			// - https://github.com/golang/go/issues/51566
-			// - https://tip.golang.org/doc/go1.19#minor_library_changes
-			// This avoid errors like "failed to process request: malformed chunked encoding" when
-			// using io.Copy.
-			// In Go 1.19 we just do `req.Body = io.NopCloser(reader)`
-			if rwt, ok := body.(io.WriterTo); ok {
-				req.Body = struct {
-					io.Reader
-					io.WriterTo
-					io.Closer
-				}{body, rwt, req.Body}
-			} else {
-				req.Body = struct {
-					io.Reader
-					io.Closer
-				}{body, req.Body}
-			}
+			req.Body = io.NopCloser(bodyReader)
 		}
 	}
 

internal/actions/redirect.go

@@ -12,9 +12,9 @@ import (
 //
 // Description:
 // Intercepts transaction by issuing an external (client-visible) redirection to the given location.
-// If the status action is presented on the same rule,
-// and its value can be used for a redirection (i.e., one of the following: 301, 302, 303, or 307),
-// the value will be used for the redirection status code. Otherwise, status code 302 will be used.
+// If the status action is presented on the same rule,  and its value can be used for a redirection
+// (supported redirection codes: 301, 302, 303, 307) the value will be used for the redirection status code.
+// Otherwise, status code 302 will be used.
 //
 // Example:
 // ```
@@ -34,12 +34,17 @@ func (a *redirectFn) Init(_ plugintypes.RuleMetadata, data string) error {
 }
 
 func (a *redirectFn) Evaluate(r plugintypes.RuleMetadata, tx plugintypes.TransactionState) {
+	status := 302 // default status code for redirection
 	rid := r.ID()
 	if rid == noID {
 		rid = r.ParentID()
 	}
+	rstatus := r.Status()
+	if rstatus == 301 || rstatus == 302 || rstatus == 303 || rstatus == 307 {
+		status = rstatus
+	}
 	tx.Interrupt(&types.Interruption{
-		Status: r.Status(),
+		Status: status,
 		RuleID: rid,
 		Action: "redirect",
 		Data:   a.target,

internal/auditlog/formats_ocsf_test.go

@@ -9,12 +9,13 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/valllabh/ocsf-schema-golang/ocsf/v1_2_0/events/application"
+	"github.com/valllabh/ocsf-schema-golang/ocsf/v1_2_0/events/application/enums"
+
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 	"github.com/corazawaf/coraza/v3/internal/collections"
 	"github.com/corazawaf/coraza/v3/types"
 	"github.com/corazawaf/coraza/v3/types/variables"
-	"github.com/valllabh/ocsf-schema-golang/ocsf/v1_2_0/events/application"
-	"github.com/valllabh/ocsf-schema-golang/ocsf/v1_2_0/events/application/enums"
 )
 
 func TestOCSFFormatter(t *testing.T) {