feat: add JSON Schema validation via validateSchema operator

[cognitivegears]

Thank you for contributing to Coraza WAF, your effort is greatly appreciated
Before submitting check if what you want to add to coraza list meets quality standards before sending pull request. Thanks!

Make sure that you've checked the boxes below before you submit PR:

• [ X ] My code includes positive and negative tests.
• [ X ] I have an appropriate description with correct grammar.
• [ X ] I have read Contribution guidelines, maintainers note and Quality standard.
• [ X ] My code is properly linted and passes pre-commit tests.

Thanks for your contribution ❤️

Fixes Issue #1279

This implements the validateSchema operator as per the existing modsecurity documentation, but currently only for JSON support. Since it didn't fit in the current structure of Coraza I didn't include it here, but I also have additional documentation and a test server for validation at: https://github.com/cognitivegears/coraza_validate_schema_extras

[codecov]

Codecov Report

❌ Patch coverage is 94.78261% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.51%. Comparing base (8e23393) to head (081efc6).
⚠️ Report is 41 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/operators/validate_schema.go	93.40%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1343      +/-   ##
==========================================
+ Coverage   84.34%   84.51%   +0.16%     
==========================================
  Files         170      172       +2     
  Lines        9933    10046     +113     
==========================================
+ Hits         8378     8490     +112     
  Misses       1310     1310              
- Partials      245      246       +1     

Flag	Coverage Δ
coraza.rule.case_sensitive_args_keys	84.47% <94.78%> (+0.16%)	⬆️
coraza.rule.multiphase_evaluation	84.17% <94.78%> (+0.16%)	⬆️
coraza.rule.no_regex_multiline	84.45% <94.78%> (+0.16%)	⬆️
default	84.51% <94.78%> (+0.16%)	⬆️
examples+	16.15% <1.80%> (-0.18%)	⬇️
examples+coraza.rule.case_sensitive_args_keys	84.47% <94.78%> (+0.16%)	⬆️
examples+coraza.rule.multiphase_evaluation	84.01% <94.78%> (+0.17%)	⬆️
examples+coraza.rule.no_regex_multiline	84.37% <94.78%> (+0.16%)	⬆️
examples+memoize_builders	84.47% <94.59%> (+0.16%)	⬆️
examples+no_fs_access	81.88% <94.78%> (+0.19%)	⬆️
ftw	84.51% <94.78%> (+0.16%)	⬆️
memoize_builders	84.60% <94.59%> (+0.15%)	⬆️
no_fs_access	84.01% <94.78%> (+0.17%)	⬆️
tinygo	84.48% <94.78%> (+0.16%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cognitivegears]

FYI I'll take a look at the code coverage change, looks like I need to add a few more tests.

I'm not sure what happened with the Tinygo test, I'll have to look into that one further.

In the meantime, would you mind taking a look at the overall approach and let me know if you have any questions or concerns / things you would like changed?

[jptosso]

Thank you for your contribution!!
I'm concerned about XXE for XML, will have to look into the lib

[cognitivegears]

Thank you for your contribution!! I'm concerned about XXE for XML, will have to look into the lib

Good callout. The way that libxml2 is initialized it does not look like it should resolve external entity references. However, I will try to add some tests to validate that specifically as well.

[cognitivegears]

Thank you for your contribution!! I'm concerned about XXE for XML, will have to look into the lib

Good callout. The way that libxml2 is initialized it does not look like it should resolve external entity references. However, I will try to add some tests to validate that specifically as well.

Note - added some specific XXE validation testing as well.

[cognitivegears]

Thanks so much for the feedback so far! I hope to have some more information later today or tomorrow.

[cognitivegears]

If possible, can I please get an update on anything else needed on this PR? Otherwise if all is good can this be merged?

[jcchavezs]

I will review it again this weekend.

…

On Sat, Apr 26, 2025 at 4:50 PM Nathan Byrd ***@***.***> wrote: *cognitivegears* left a comment (corazawaf/coraza#1343) <#1343 (comment)> If possible, can I please get an update on anything else needed on this PR? Otherwise if all is good can this be merged? — Reply to this email directly, view it on GitHub <#1343 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAXL5EW2HG7PFSVDAFT23OMMLAVCNFSM6AAAAAB2QCNA4SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMZSGI4DOMZVGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[cognitivegears]

I apologize for reaching out again, but if possible can I get an update on reviewing this PR? I'm hoping to release a feature on one of my projects that need this functionality and am hoping to put a bow on a couple of long-lived branches (here and my project.) Any help would be greatly appreciated.

[fzipi]

ping @cognitivegears.

There are some small conflicts, that might be solved by rebasing.

[cognitivegears]

ping @cognitivegears.

There are some small conflicts, that might be solved by rebasing.

Sorry it took a bit, there were a few changes beyond the rebase but they are resolved now.

[cognitivegears]

All of the above code review comments should be completed now. If possible can I get a check?

[cognitivegears]

@fzipi thanks also for updating the title

[jcchavezs]

Did some rework in #1384

[cognitivegears]

Did some rework in #1384

This looks great, and still passes all functional tests. Looks good to me!

[fzipi]

Shall we close this one?