Version 3.1.0

This is a new minor version release with emphasis in improving the overall logging experience, fixes for interoperability of the http middleware with other middlewares, better defaults, various fixes and a few new features like the uppercase transformation, the raw body processor (both thanks to @blotus) and a way to pass a context into a transaction to be later retrieved the error log callback.

What's Changed

• chore: improve GetField logic by @jptosso in #897
• chore: setvar minor fix, tests, added warning when missing variable, deprecates usage of tx.LogData by @M4tteoP in #892
• chore: fixes audit log. by @jcchavezs in #889
• fix http.Flusher and io.ReaderFrom implementation by @romainmenke in #923
• fix: stack overflow in ReadFrom by @romainmenke in #925
• fix: Disables implicit Cookies url decoding by @M4tteoP in #928
• feat: add uppercase transformation by @blotus in #935
• fix: parse multiple cookies with spaces by @fzipi in #943
• fix: more forgiving base64 transformation [custom implementation] by @M4tteoP in #944
• fix: filling variables struct to complete audit info by @CArellanoOrbik in #968
• feat: adds context to transaction. by @jcchavezs in #963
• feat: improves logging. by @jcchavezs in #971
• feat: add raw body processor by @blotus in #983
• chore: updates CRS tests to CRS 4.0.0-rc2 by @M4tteoP in #899
• fix(seclang): merge chained raw rules by @jptosso in #985
• fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests by @M4tteoP in #895
• chore: Go 1.20 as minimum supported version by @jcchavezs in #996
• chore: upgrades go-ftw to 0.6.4. by @jcchavezs in #998

New Contributors (thanks a lot!)

• @testwill made their first contribution in #894
• @renovate made their first contribution in #903
• @romainmenke made their first contribution in #923
• @blotus made their first contribution in #935
• @CArellanoOrbik made their first contribution in #968

Full Changelog: v3.0.4...v3.1.0

Version 3.0.4

What's Changed

• chore(deps): bump golang.org/x/sync from 0.1.0 to 0.3.0 by @dependabot in #862
• chore: upgrades coraza to latest aho-corasick. by @jcchavezs in #867
• fix: Logs print different messages for each the disruptive actions by @M4tteoP in #827
• chore(deps): bump github.com/tidwall/gjson from 1.14.4 to 1.17.0 by @dependabot in #878

Full Changelog: v3.0.3...v3.0.4

Version 3.0.3

What's Changed

• chore(readme): explicits CRS supported version by @M4tteoP in #834
• chore: adds go mod tidy and go work sync for all modules. by @jcchavezs in #835
• adds more verbosity on go mod tidy errors by @jcchavezs in #837
• add https audit log support by @jptosso in #826
• chore: fixes e2e pkg. by @jcchavezs in #841
• chore: updates e2e standalone command by @M4tteoP in #845
• Adds Log() to MatchedRule, fixes audit log without log by @M4tteoP in #848
• chore(e2e): check response body read error only if a body is expected by @M4tteoP in #852
• chore: drops benchmark CI. by @jcchavezs in #857
• implement https mime by @jptosso in #850
• chore: adds memoize implementation for regexes and ahocorasick by @jcchavezs in #836

Full Changelog: v3.0.2...v3.0.3

Version 3.0.2

What's Changed

• fix: blocks body buffer reader once the body buffer has been reset. by @jcchavezs in #825
• fix: benchmark and propagate the status to not to swallow the failure by @jcchavezs in #808

Full Changelog: v3.0.1...v3.0.2

v3.0.1

Important

This tag fixes a high-severity vulnerability. See GHSA-c2pj-v37r-2p6h

Full Changelog: v3.0.0...v3.0.1

v3.0.0

What's Changed

Coraza's latest v3.0.0 release brings a highly refactored engine that offers more flexibility and major improvements.

Notable changes include:

• Performance improvement: Performance has been improved by up to 100 times due to several key enhancements such as:
  • New debug logs system based on Zerolog for a fast and with low to zero allocations.
  • Cache transformation logic across the same transaction.
  • Optimized variable collection types.
• Refactored API: Coraza now relies on a more straightforward and user-friendly API.
• New Plugin Package: The new package simplifies the extension of Coraza's functionalities.
• Full CRS v4 Support: Coraza fully supports the CRS v4 branch, always making CRS compatibility of top priority. The CI now includes a CRS testing suite to guarantee a regression-free development.
• Cross-platform support: Both Go and TinyGo for WASM builds are now supported.
• New experimental Multiphase feature: Introducing a new way for early data evaluation and blocking.
• Dataset support: designed for in-config .data files emulation.

Contributors

Many thanks to all the contributors and users that made this release possible:

• @anuraaga
• @Bxlxx
• @codefromthecrypt
• @fzipi
• @Hayak3
• @jcchavezs
• @jptosso
• @M4tteoP
• @manojgop
• @nacx
• @ns-sundar
• @piyushroshan
• @ShiMing-Q
• @sts
• @y05h1k1ng
• @zc2638

v3.0.0-rc.3

What's Changed

• registers pmFromDataset, fixes Dataset propagation, adds tests by @M4tteoP in #777
• docs: update README and SECURITY by @fzipi in #780
• Validate audit log parts by @Hayak3 in #779
• Remove intermediate string allocation when writing match details log by @anuraaga in #781
• fix: aligns multimatch to modsec behavior by @M4tteoP in #778
• chore: increases rule.go test coverage by @M4tteoP in #786
• remove wrong loop in matchData by @Hayak3 in #785
• hotfix: fixes rule_test after merge by @M4tteoP in #788
• chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 by @dependabot in #791
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 by @dependabot in #789
• feat(ci): stale only awaiting for feedback's issue by @M4tteoP in #793
• Multiphase: chains further support, ARGS split, CRS like tests by @M4tteoP in #719
• feat: adds auditlog plugins API by @jcchavezs in #787
• fix/feat: Macro expansions, error logs redundancy, support msg/logdata in inner rules by @M4tteoP in #792
• remove alpha disclosure from README by @jptosso in #796
• breaking: removes code parameter from ErrorLog and AuditLog by @M4tteoP in #800

New Contributors

• @Hayak3 made their first contribution in #779

Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

v3.0.0-rc.2

What's Changed

• Use bitset for inferred phases by @anuraaga in #727
• Document test failures due to regex matching arbitrary bytes by @anuraaga in #730
• Enable multiline mode for rx by @anuraaga in #732
• Use binaryregexp for rx operator by @anuraaga in #731
• Add rx test case confirming case-insensitive rules will work by @anuraaga in #733
• fix(ci): remove sonarcloud by @fzipi in #738
• fix(bodyprocessors): fix forcerequestbodyvariable overriding processor by @jptosso in #740
• fix(bodyprocessors): force response body overrides mime requirements by @jptosso in #741
• chore: create plugins package. by @jcchavezs in #734
• chore: drops unused methods in TransactionState by @jcchavezs in #739
• chore: describes currently excluded CRS excluded rules by @M4tteoP in #744
• fix: fixes fuzz target. by @jcchavezs in #745
• Update tool versions by @anuraaga in #710
• fix(action): Add many validations for setvar by @jptosso in #747
• fix: adds full support for ruleRemoveById. by @jcchavezs in #749
• Small simplification to macro readability by @anuraaga in #751
• Remove Single.Set from API for now by @anuraaga in #750
• chore: updates tests to latest CRS, updates go-ftw by @M4tteoP in #752
• transform expireVar to noop by @jptosso in #755
• Move remaining plugin-related logic to experimental by @anuraaga in #753
• Small simplification to cmd_line code by @anuraaga in #761
• Use standard library for base64 decode by @anuraaga in #758
• Small simpflication to css_decode by @anuraaga in #762
• Delegate to normalisePath from normalisePathWin by @anuraaga in #763
• Append into output buffer for removecommentschar by @anuraaga in #764
• chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 by @dependabot in #766
• fix: synthesizes Transfer-Encoding header inside the transaction by @M4tteoP in #768
• Include key size in ARGS_COMBINED_SIZE by @anuraaga in #756

Full Changelog: v3.0.0-rc.1...v3.0.0-rc.2

Release 3.0.0 RC1

What's Changed

• fix: default actions for phase 2 are now hardcoded #191 by @jptosso in #198
• change the URL protocol(git -> https) by @y05h1k1ng in #214
• fix(actions): Remove branch patterns from action scope by @jptosso in #217
• fix(tx): Force Request Body now works by @jptosso in #219
• fix(@rx): add @rx captured data into Tx variable by @Bxlxx in #215
• Rule matches optimization: Fix for #183 by @piyushroshan in #220
• fix: remove unused code by @Bxlxx in #228
• fix(rx): support non utf-8 format data matching by @Bxlxx in #231
• feat(directive): Implement include directive by @jptosso in #232
• simplified iota definition by @zc2638 in #236
• Fix Include Directive by @piyushroshan in #240
• Enhance github actions for sonarcloud and regression by @jptosso in #248
• update pre-commit, dependencies and fix linters by @jptosso in #250
• fix issue #241 (replaces #242) by @jptosso in #249
• fix: sonar checks on forks. by @jcchavezs in #256
• chore: move all linters to golangci-lint by @jcchavezs in #258
• Updating README & CONTRIBUTING guidelines and adding an initial CHANGELOG by @sts in #255
• Update README.md by @sts in #259
• Fix 209: Case sensitive evaluation by @piyushroshan in #260
• fix(multipart processor): capture original file name without using reflection by @jcchavezs in #229
• fix: fixes RBL leaks. by @jcchavezs in #243
• Remove wasm example file by @jptosso in #261
• Allow passthrough of variable Negations if not present by @piyushroshan in #265
• new variables engine for v3 by @jptosso in #277
• feat(operator): New RESTPATH operator support by @jptosso in #282
• chore: turns http server into an own module. by @jcchavezs in #281
• Turn utils into internal by @jcchavezs in #285
• V3/dev fixes by @jptosso in #288
• Adding support for the redirect action. closes #144 by @sts in #290
• chore: drops Transaction.ProcessRequest into an own package. by @jcchavezs in #296
• V3/dev fixes by @jptosso in #292
• remove tests by @jptosso in #300
• Migrate engine test profiles from yaml to go by @anuraaga in #306
• Move resetCaptures defer out of loop by @anuraaga in #304
• Use struct instead of slice for byte range validation by @anuraaga in #305
• Make sure temp files in tests are removed by using t.TempDir by @anuraaga in #310
• Reduce include recursion limit by @anuraaga in #307
• Fix flaky TestCollectionProxy by @anuraaga in #312
• Don't copy to bytes when validating byte range by @anuraaga in #309
• upgrade go version by @jptosso in #323
• Small optimizations to urlencode by @anuraaga in #320
• Small optimizations to base64decode by @anuraaga in #319
• Use go run instead of install for go-ftw by @anuraaga in #316
• Add more benchmarks by @jptosso in #301
• Separate out bodyprocessor implementations for TinyGo by @anuraaga in #311
• V3/url processor by @jptosso in #326
• V3/core fixes by @jptosso in #327
• feat: adds tinygo support. by @jcchavezs in #254
• Add benchmarks using ModSecurity for comparison by @anuraaga in #329
• Add magefile for running development commands by @anuraaga in #315
• Separate out bodybuffer implementation for tinygo that doesn't access… by @anuraaga in #332
• Run addlicense when formatting by @anuraaga in #333
• Add an interface for DebugLogger to be able to replace the logging me… by @anuraaga in #337
• Change license formatting to mention contributors and use SPDX by @anuraaga in #334
• Add command for installing precommit hook by @anuraaga in #339
• [v3] Bump required go version to 1.18 by @anuraaga in #343
• Remove usages of deprecated ioutil by @anuraaga in #342
• Case sensitive evaluation Fix for v3 by @piyushroshan in #346
• Remove usage of system /tmp from tests. by @anuraaga in #353
• [v3] Optimization for validate_nid operator by @Bxlxx in #348
• Reduce some data copies in modsecurity bridge by @anuraaga in #359
• Run lint before formatting by @anuraaga in #358
• [v3] Use mage commands in CI instead of pre-commit by @anuraaga in #356
• add dataset support by @jptosso in #361
• Implements ipMatchFromDataset, parsing for ipMatchFromFile by @M4tteoP in #363
• chore: reallocate testdata. by @jcchavezs in #364
• chore: loads file inside operator when using FromFile. by @jcchavezs in #366
• chore: improves errors on tinygo. by @jcchavezs in #369
• Remove err return from NewParser by @anuraaga in #375
• chore: improves tx.Clean by @jcchavezs in #370
• chore: improves from file tests. by @jcchavezs in #367
• Use io.Discard instead of /dev/null for discarding output by @anuraaga in #354
• chore: removes unneeded code in operators. by @jcchavezs in #376
• v3: Remove unused mutex in RuleGroup by @nacx in #384
• add pre-alpha notice by @jptosso in #383
• Remove legacy pre-commit config by @anuraaga in #365
• codecov tests by @jptosso in #386
• chore(deps): bump github.com/tidwall/gjson from 1.14.2 to 1.14.3 by @dependabot in #382
• fix coverage by @jptosso in #387
• Rename Waf to WAF by @anuraaga in #390
• clean up unnecessary error judgments by @zc2638 in #389
• [v3] Display contributors in README by @anuraaga in #392
• tests: improves coverage. by @jcchavezs in #385
• chore: organize imports in 3 blocks: stdlib, 3rd party, coraza by @nacx in #394
• Optimize random string generation by @anuraaga in #403
• Document that RandomString is pseudorandom by @anuraaga in #405
• Allow setting a root fs.FS in a parser. by @anuraaga in #393
• fix: improves mage lint user experience. by @jcchavezs in #413
• tests: uses testing.TB interface for helper to avoid nil check. by @jcchavezs in #418
• chore: avoids too many open files error when running CRS. by @jcchavezs in #414
• chore: fixes example by not reusing the transaction. by @jcchavezs in #420
• chore: improves loggers by adding closer. by @jcchavezs in #415
• Update libinjection-go by @anuraaga in #421
• Register native auditlogformatter in TinyGo by @anuraaga in #402
• V3/improves parser performance by @jcchavezs in #412
• Don't write files during multipart processing in TinyGo by @anuraaga in #399
• fix audit filesizes audit bug by @jptosso in https://github.com/coraz...

v2.0.1

Huge performance improvements and a lot of bug fixes.

What's Changed

• fix: default actions for phase 2 are now hardcoded #191 by @jptosso in #198
• change the URL protocol(git -> https) by @y05h1k1ng in #214
• fix(actions): Remove branch patterns from action scope by @jptosso in #217
• fix(tx): Force Request Body now works by @jptosso in #219
• fix(@rx): add @rx captured data into Tx variable by @Bxlxx in #215
• Rule matches optimization: Fix for #183 by @piyushroshan in #220
• fix: remove unused code by @Bxlxx in #228
• fix(rx): support non utf-8 format data matching by @Bxlxx in #231
• feat(directive): Implement include directive by @jptosso in #232
• simplified iota definition by @zc2638 in #236
• Fix Include Directive by @piyushroshan in #240
• Update README.md by @jptosso in #238
• Enhance github actions for sonarcloud and regression by @jptosso in #248
• update pre-commit, dependencies and fix linters by @jptosso in #250
• fix issue #241 (replaces #242) by @jptosso in #249
• fix: sonar checks on forks. by @jcchavezs in #256
• chore: move all linters to golangci-lint by @jcchavezs in #258
• Updating README & CONTRIBUTING guidelines and adding an initial CHANGELOG by @sts in #255
• Update README.md by @sts in #259
• Fix 209: Case sensitive evaluation by @piyushroshan in #260
• fix(multipart processor): capture original file name without using reflection by @jcchavezs in #229
• fix: fixes RBL leaks. by @jcchavezs in #243
• Remove wasm example file by @jptosso in #261
• Allow passthrough of variable Negations if not present by @piyushroshan in #265
• fix(rbl): close the channel in the sub goroutine by @Bxlxx in #280
• chore: improves error handling on rule parsing. by @jcchavezs in #278
• Improve performance by @Bxlxx in #293
• replace aho corasick by @jptosso in #302

New Contributors

• @y05h1k1ng made their first contribution in #214
• @piyushroshan made their first contribution in #220
• @zc2638 made their first contribution in #236

Full Changelog: v2.0.0...v2.0.1