When coraza parses incoming requests to build the various collections, it automatically lowercases every variable name. While it is desirable in many situations, it poses limitations in scenarios where exact, case-sensitive matching is necessary (and according to the HTTP RFC, parameter names are case-sensitive, and most applications will process them as such).
Use case
We are adding WAF capabilities in crowdsec, and we are currently focusing on the virtual patching aspect (as it's something that's, in theory, less prone to false positives, in contrast to using the CRS on any moderately complex website, at the cost of having more rules to maintain).
When writing a rule for CVE-2023-50164 (you can check this Trend Micro blog post for more information), we realized that it's not possible to write a rule that matches exactly on the case of a variable:
In this case, to make the rule as precise as possible and avoid false positives, we want to match on any variable whose name ends with `FileName` and which contains `../`, but because the variable names are always lowercased in the collections, it's not possible to write something like `ARGS:/.+FileName$/`.
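The following Go program is an added illustration, not code from the issue author or from Coraza: it models, with a constructed argument set and a hand-rolled `ARGS:/regex/` selector, what happens to a rule like `ARGS:/.+FileName$/` when collection keys are lowercased versus kept as sent, and what the common `(?i)` workaround costs in precision. The `Param`, `BuildArgs` and `Evaluate` names are this example's own and do not mirror Coraza's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Param is one decoded request argument, as a WAF sees it before it is
// placed into a collection such as ARGS.
type Param struct{ Key, Value string }

// Sample is a constructed set of request arguments (not a real capture).
// Only the first entry has both the exact-case key the rule is after and
// a traversal sequence in its value.
var Sample = []Param{
	{Key: "uploadFileName", Value: "../../evil.jsp"}, // exact case + "../": the rule must fire
	{Key: "uploadfilename", Value: "../../evil.jsp"}, // lowercase variant: only a (?i) rule fires
	{Key: "uploadFileName2", Value: "../../x"},       // name does not end in FileName
	{Key: "fileName", Value: "report.pdf"},           // right case, no "../"
}

// BuildArgs models how a WAF fills ARGS from decoded parameters.
// lowercaseKeys=true is the behaviour the issue describes (every key is
// folded before it is stored); false keeps the case the client sent.
func BuildArgs(params []Param, lowercaseKeys bool) []Param {
	out := make([]Param, 0, len(params))
	for _, p := range params {
		k := p.Key
		if lowercaseKeys {
			k = strings.ToLower(k)
		}
		out = append(out, Param{Key: k, Value: p.Value})
	}
	return out
}

// HasTraversal is the value-side condition of the rule: contains "../".
func HasTraversal(v string) bool { return strings.Contains(v, "../") }

// Evaluate applies an ARGS:/keyRegex/ style key selector to the collection
// built under the chosen key policy and returns the keys whose value also
// contains "../". This is the set of variables the rule would act on.
func Evaluate(params []Param, lowercaseKeys bool, keyRegex string) []string {
	sel := regexp.MustCompile(keyRegex)
	var hits []string
	for _, p := range BuildArgs(params, lowercaseKeys) {
		if sel.MatchString(p.Key) && HasTraversal(p.Value) {
			hits = append(hits, p.Key)
		}
	}
	return hits
}

func main() {
	// Keys folded (current default): the exact-case selector can never fire.
	fmt.Println("lowercased keys, ARGS:/.+FileName$/    :", Evaluate(Sample, true, `.+FileName$`))
	// Keys kept as sent: the precise rule fires only on the parameter the app reads.
	fmt.Println("case kept,       ARGS:/.+FileName$/    :", Evaluate(Sample, false, `.+FileName$`))
	// Workaround on folded keys: fires, but the two variants are now indistinguishable.
	fmt.Println("lowercased keys, ARGS:/(?i).+filename$/ :", Evaluate(Sample, true, `(?i).+filename$`))
}
```

With folded keys the selector `.+FileName$` returns nothing, so the rule silently never applies; switching to `(?i)` makes it fire, but the collection no longer tells you whether the client sent `uploadFileName` or `uploadfilename`, which is exactly the distinction a case-sensitive application makes and the reason the issue asks for un-folded keys.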
Implemented in #1059, and tracked in #945 to make it the default behavior in the next major version. Right now it is under the `coraza.rule.case_sensitive_args_keys` build tag. Please feel free to raise any concerns or share feedback if you give it a shot :)
For reference, the rules we use are:
(They're autogenerated from our own DSL, so ignore the weird ids.)