Working Dokuwiki and Nextcloud rulesets.

[bagley]

I made these two rulesets for Dokuwiki and Nextcloud for my sites a while ago, and they have been working great. Feel free to modify if you want/need to, but just wanted to share so others can use them.

[dune73]

Hey @bagley. This is very cool. Thank you very much for this initial submission.

AFAICT, we do not have any DocuWiki and Nextcloud users in the project. So we would need to rely on you for the finalization, testing and possibly maintenance of this rule set.

We love contributions like this, but it also means that there is a bit more work for you. Are you willing to to that?

Right now, Travis (our continuous integration checker) complains a lot about trailing spaces in your code. We are currently working very hard on strict coding guidelines. That's a pain in the ass, but it also guarantees better readability and easier maintenance in the future.

[bagley]

Well, I got those trailing spaces. It took a few tries (I tried to squash the commits but I didn't know the right way to do it).

I'm good with testing and finalizing it. And maintenance as far as I can. I've been using it on my own sites, and I tried to make them work on all cases I use and could think of, excluding all of the plugins that can be used on them - I can't test every plugin, but I did test many of the most popular ones.

[dune73]

That sounds very good @bagley. Thank you very much.

Covering all the plugins is certainly beyond our standard coverage. It's the same with WP and Drupal. Probably even less than what you did.

At what Paranoia Level did you test this? Our general plan is to have exclusion rule packages cover up to PL2.

The rules are written in a clean style. That is already very nice. But given we are now super-strict, it would be nice if you could edit your file to follow these soon to be merged guidelines.

https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/879/files

I think, it is best we merge your code afterwards and then I will edit it a bit, namely comments, grouping of rules and other things that are hard and cumbersome to explain. You would then try this edited rule package again and when it still performs as expected we are done.

So these would be the steps:
1 Follow contribution guidelines to the details (@bagley)
2 Merge (@dune73 / project)
3 Regroup rules (@dune73)
4 Edit documentation (@dune73)
5 Re-Test rule base (@bagley)
6 2nd merge (@dune73)
7 done

Are you OK with this plan?

[bagley]

I actually just did Paranoia Level 1. However, I will increase it to level 2 and test that out, and modify it accordingly (I've seen other rulesets group PL2 rules by themselves, so I will do that if needed. There's already a section in both rulesets for that, as I copied one of the other rulesets for my template).

I'm good with that plan. I will take a look at those guidelines this next week, and format the code as needed. And I'll test it with v3.1/dev.

And then I'll push the results here for step 2 of the plan.

[dune73]

This sounds very good. Thanks a lot. Looking forward to this.

[dune73]

Any progress here @bagley?

[bagley]

Well, I got it tested against v3.1dev, on level 2. Sorry, it took longer than expected. But I finished the testing and it looks good. I just added some things for the builtin/common apps, so they will work. Go ahead and feel free to merge it and proceed with the plan.

One note: increasing it to Paranoia Level 2 made it start throwing messages about "PCRE limits exceeded" when viewing picture thumbnails in the file manager. Increasing the following settings fixed that. It just took somewhat longer for the page to come up.

SecPcreMatchLimit 150000 (was 1000 in PL1)
SecPcreMatchLimitRecursion 150000 (was 1000 in PL1)

The errors referred to the rules 932100, 932105, 932110, 932115, and 932150 (which only run in PL2+). I didn't add exceptions for those rules as increasing the above settings took care of the messages. Just letting you know in case that may be an issue or raise a concern.

[dune73]

Thank you. The PCRE problems are frequent with CRS / ModSecurity. Raising the limits to 150K is within reason. Surprised you actually did notice some lag, but 150K is about where the lag becomes noticeable.

I'm off for two days and will take a close look after my return.

[ghost]

Hello all,

As already discussed with @dune73 on the mailing list, I am trying to make ModSecurity v3/Nginx 1.12.1 working together with NextCloud 12.0.3 on a Debian Jessie. I am using the latest available code from the git repository for ModSecurity v3 and its nginx connector and the owasp 3.0.2 rules.

I tried the rulesets from @bagley but still have exceptions from ModSecurity. I joined my config file and detailed log. In crs-setup-cloud2.conf I allowed all the HTTP methods and content-types. Here a short resume of the ModSecurity exceptions log :

None 949110 Inbound Anomaly Score Exceeded (Total Score: 5)
None 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Filter - Category 3: Attribute Vector
None 941130 XSS Filter - Category 3: Attribute Vector
None 949110 Inbound Anomaly Score Exceeded (Total Score: 15)
None 920420 Request content type is not allowed by policy
None 980130 Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy

Compared to before using @bagley rulesets, it seems I don't have anymore 953120 PHP source code leakage or 941100 XSS Attack Detected via libinjection.

Thanks for your help, and let me know if you need to do some testing.

modsec-short.log
modsec.log

crs-setup-cloud2.conf.txt
modsec_cloud.conf.txt
modsec_core_cloud.conf.txt
REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf.txt

[ghost]

I am also joining a second log from exceptions due to file not uploaded from the nextcloud desktop client to the server.
modsec-file-upload.log.txt
Hope it will help to refine the rules.

[dune73]

Hey @Aurelien-,
thanks for contributing and good to hear that most of the false positives are gone for you too.

Feedback on the remaining alerts:

• 949110: Statistics: ignore
• 980130: Statistics: ignore
• 920420: Likely a problem with your tx.allowed_request_content_type variable. I see that you do not allow text/vcard which seems to exist.
  @bagley: Do you think we need to overwrite this setting?
• 941130: This seems to be a false positive. Here is the payload:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b' against variable `ARGS:<?xml version' (Value: `"1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:resourcetype/></d:prop></d:propfind>' ) [file "/etc/nginx-proxy/modsec/mydomain.com/../owasp-modsecurity-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "130"] [id "941130"] [rev "2"] [msg "XSS Filter - Category 3: Attribute Vector"] [data "Matched Data:  xmlns found within ARGS:<?xml version: "1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:resourcetype/></d:prop></d:propfind>"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [ref "o18,6v819,81t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]

I think this should be tuned away too. Or am I missing something?

[ghost]

Thanks @dune73 for your feedback.

Unfortunately I think I made some mistake on my configuration and the Nextcloud rules was probably not working. So I took a serious look at what @bagley did this weekend and edited the REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf file to cover the alerts I got by exploring the nextcloud website and doing some basic sync file stuff with the desktop client. I do not know much about writing correct rules and I mostly used the ctl:ruleRemoveByID and tx.allowed_method for specific urls. I put all what I done at the bottom of the file starting with rule id 9012225 (just after 9012220 dealing with password).

Here the rules :

## File manager. Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/" \
   "id:9012225,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"

#File access from client.
#Allows file extension without anay restriction (rules 900240 and 920440).
#Allows Path Traversal Attack (/../) (rules 930100 and 930110).
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/" \
        "id:9012230,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveByID=900240,\
	ctl:ruleRemoveByID=920440,\
	ctl:ruleRemoveByID=930100,\
	ctl:ruleRemoveByID=930110"

#Comments from web interface.
#Disables request body check because of a JSON parsing error with char \x0a
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/comments/files/" \
        "id:9012240,\
        phase:1,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveByID=200002,\
	ctl:ruleRemoveByID=920130"

#Video chat app from web interface.
#Allows DELETE and PUT operations.
SecRule REQUEST_FILENAME "@beginsWith /apps/spreed/api/leave" \
   "id:9012250,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"

#Calendar app from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /apps/calendar/" \
   "id:9012260,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Contact app from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ). Failed to parse request body."] [data "XML parsing error: XML: Failed parsing document].
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/addressbooks" \
   "id:9012270,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

#Admin security page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /settings/admin/security" \
   "id:9012280,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Admin external storage page from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"]
SecRule REQUEST_FILENAME "@beginsWith /apps/files_external/globalstorages" \
   "id:9012290,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

#Admin encryption page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /settings/admin/encryption" \
   "id:9012300,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Admin additional settings page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /settings/admin/additional" \
   "id:9012310,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Personnal user global storage page from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"]
SecRule REQUEST_FILENAME "@beginsWith /apps/files_external/globalstorages" \
   "id:9012320,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

#Personnal user storage page from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [msg "Failed to parse$
SecRule REQUEST_FILENAME "@beginsWith /apps/files_external/userstorages" \
   "id:9012330,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

#Login page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /login" \
   "id:9012340,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

SecRule REQUEST_FILENAME "@rx /public.php/webdav/" \
   "id:9012350,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_methods=%{tx.allowed_methods} PROPFIND'"

I will provide the log files for each case so maybe someone can refine the rules and use something else than ruleRemoveByID when possible. One question, should we not use the more strict @beginswith instead of @contains for url prefix ?

REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf.txt

[ghost]

Here the log about the text/vcard and forbidden file extension.

Forbidden file extension happened when I tried to synchronize file with .log extension with the Nextcloud desktop client. So I disabled the rule checking extensions for /remote.php/dav/files/.

The rules from REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf :

## File manager. Allow the data type 'text/vcard'
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/" \
   "id:9012225,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"

#File access from client.
#Allows file extension without anay restriction (rules 900240 and 920440).
#Allows Path Traversal Attack (/../) (rules 930100 and 930110).
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/files/" \
        "id:9012230,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveByID=900240,\
	ctl:ruleRemoveByID=920440,\
	ctl:ruleRemoveByID=930100,\
	ctl:ruleRemoveByID=930110"

modsec-extension-log1.txt
modsec-extension-log2.txt
modsec-extension-log3.txt
modsec-extension-log4.txt

[ghost]

Then when trying to insert some comments on file/folder/pictures from the Nextcloud web interface I got some JSON parsing error with char \x0a. So I disabled request body check for comments but also other url from admin/user storage pages. I think it can be refine for taking care only about the char \x0a.

This error happen when accessing url from :

/remote.php/dav/comments/files/
/apps/files_external/globalstorages
/apps/files_external/userstorages

The rules from REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf :

#Comments from web interface.
#Disables request body check because of a JSON parsing error with char \x0a
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/comments/files/" \
        "id:9012240,\
        phase:1,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveByID=200002,\
	ctl:ruleRemoveByID=920130"

#Admin external storage page and Personnal user global storage page from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"]
SecRule REQUEST_FILENAME "@beginsWith /apps/files_external/globalstorages" \
   "id:9012290,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

#Personnal user storage page from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [msg "Failed to parse$
SecRule REQUEST_FILENAME "@beginsWith /apps/files_external/userstorages" \
   "id:9012330,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

modsec-comments.txt
modsec-globalstorage.txt
modsec-personnal.txt

[ghost]

There are some PHP code leakage warnings so I disabled the rule for the concerned urls. But this should be investigated, maybe some wrong way of doing some stuff from the Nextcloud php code ?

#Calendar app from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /apps/calendar/" \
   "id:9012260,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Admin security page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /settings/admin/security" \
   "id:9012280,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

#Admin additional settings page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /settings/admin/additional" \
   "id:9012310,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"


#Login page from web interface.
#Disable PHP code leakage check.
SecRule REQUEST_FILENAME "@beginsWith /login" \
   "id:9012340,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=953120"

modsec-calendar.txt
modsec-security.txt
modsec-additional.txt
modsec-login.txt

[ghost]

There is also a XML parsing error on body request check during access to the address book page from web interface.

#Contact app from web interface.
#Disable request body check. Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ). Failed to parse request body."] [data "XML parsing error: XML: Failed parsing document].
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav/addressbooks" \
   "id:9012270,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=200002,\
   ctl:ruleRemoveByID=920130"

modsec-addressbook.txt

[ghost]

Finally I also modified rule 9012010 about the File Manager at the beginning of the conf file with ruleRemoveByID for 941100 and 941130 because of the false positive you already noticed "xmlns found within ARGS:<?xml version: "1.0"?>".

Here the rule :

# File Manager
# Adding rules 941100 and 941130 besause of "xmlns found within ARGS:<?xml version: "1.0"?>"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
   "id:9012010,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   ctl:ruleRemoveByID=933100-933200,\
   ctl:ruleRemoveByID=941000-942999,\
   ctl:ruleRemoveByID=941100,\
   ctl:ruleRemoveByID=941130"

And addition of PUT DELETE for the video chat app and PROPFIND for /public.php/webdav/

#Video chat app from web interface.
#Allows DELETE and PUT operations.
SecRule REQUEST_FILENAME "@beginsWith /apps/spreed/api/leave" \
   "id:9012250,\
   phase:2,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"

SecRule REQUEST_FILENAME "@rx /public.php/webdav/" \
   "id:9012350,\
   phase:1,\
   t:none,\
   nolog,\
   pass,\
   setvar:'tx.allowed_methods=%{tx.allowed_methods} PROPFIND'"

[ghost]

It should also be better to combine the urls with same rules to process all together like for PHP code leakage or Json parsing error.

Best.

Aurélien

[bagley]

Thanks for including those. I'm out away from a system where I can test those. But I'll be back where I can test those out and help out more next week.

[dune73]

Whenever you find the time.

[macgeneral]

I wonder if it wouldn't be smarter to leave out the index.php in the @contains sections (or make it an optional group); own/nextcloud do offer to use mod_rewrite to hide the index.php from the url.

[dune73]

@macgeneral : Would that mean to do @contains /core/preview.png for rule 9012050 instead? (And then the other ones too?

[macgeneral]

@emphazer: is your only concern that another CMS running on the same host (with the same config) could „bypass“ mod_security through similar named files/urls? And how would the index.php prevent that?

[emphazer]

@dune73 ok, thats right. I think it should be turned off by default then.

@macgeneral yes, there are not that many cms with this url path. But a lot with word like thumbnail and core etc...

[fzipi]

We do something similar to #899 (comment), but we use 'SecWebAppId' instead.

<VirtualHost "cms.example.com:443">
  SecWebAppId "cms.example.com"
 .. other vhost stanza...
</VirtualHost>

and in our local ruleset pre_cms.example.com.conf, we check for the webappid initially

SecRule WEBAPPID "! @streq cms.example.com" "id:XXXXX,skipAfter:END-CMS-EXAMPLE-COM"
...
<specific rules for this app/host>
...
SecMarker "END-CMS-EXAMPLE-COM"

We use Drupal and Owncloud, so this had help us to set the correct context for our rules.

In fact, this enables migrating your testing ruleset to production without changing names. We used to do a lot of SERVERNAME dependant before, but from staging/testing to production it was a pain to rename rules.

I wish SecWebAppId lands in ModSec v3 🙂

[fzipi]

@bagley Haven't you got any problems with SecRequestBodyLimit (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrequestbodylimit)? I had to go to max size in my owncloud install. Maybe add something like this would help in this case:

SecAction \
    "id:900132,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_nextcloud_max_upload=1073741824,\
    setvar:tx.crs_exclusions_nextcloud=1"

# Request Body configued limit of 32768000 by default
SecRule REQUEST_URI "@beginsWith /apps/files/ajax/upload.php" \
    "id:90122XX,\
    phase:1,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=%{tx.crs_nextcloud_max_upload}"

To use the web uploader without size glitches.

[fzipi]

Well...I didn't have to wait until christmas to see my wish coming true! owasp-modsecurity/ModSecurity@23cf656 Thanks @zimmerle for adding 'SecWebAppId' support!

[dune73]

That directive / variable is greatly underappreciated. Useful for all sorts of funny things.

[dune73]

Any news here @bagley?

[lifeforms]

I think this should probably be @streq

[lifeforms]

would @endsWith be more appropriate?

[lifeforms]

Should be @streq

[bagley]

@lifeforms Thanks for telling us about those. I have made the changes and pushed them.

@aurelien Sorry about the delay. I added the rules about the file manager. I'm not sure why you were getting a "PHP code leakage check". That sounds like there's some other issue. I wasn't able to reproduce it. Are you still getting it if you remove those rules? Have you checked that the webpages aren't leaking code out, such as a php error?

I'm not able to reproduce the issues with the rules referencing the storage pages on the the web interface. I can take a deeper look with those, but is it when you are submitting the forms, or just loading the page?

As for using "beginsWith", the issue with using that is those installs that are using a subdirectory won't be able to use the rules. Using "endsWith" will be better, or "contains" when that doesn't work.

@fzipi With the uploading issue, I wasn't uploading anything too large, so I didn't see that issue. I tried to implement your suggestion, but I couldn't get it to work. It appears that requestBodyLimit doesn't like being told to use a variable. It's commented out at the bottom of the file if anyone wants to take a look at it.

With the index.php question, my thoughts are to leave it in. It's a simple search and replace in the rules to remove it, if anyone has the mod_rewrite setup. But if anyone sends me donuts, I may reconsider :)

[bagley]

I tried to rebase it to 3.1/dev, but it listed lots of conflicts and issues. So I put it back to 3.0/dev. (I'm still testing with 3.1/dev).

[fzipi]

I see. You should rebase to v3.1/dev tough, I can work with you on that.

You'll have problems with many things also:

• file names: people can name files in weird names. Specially not attackers.
• file combined size: if you have implemented quota, you'll need to take precautions with return code 507, or it will fill your logs!

SecRule RESPONSE_STATUS "507" \
    "id:XXXX,
    phase:4,\
    pass,\
    nolog,\
    chain,\
    ctl:ruleRemoveById=950100"
    SecRule REQUEST_URI "@beginsWith /owncloud"

I always hesitate to do it, because when you need it you will not have it, but it is possible to add ctl:auditLogParts=-C to the rules that may fill up your disk. The desktop application tends to have problems and makes hard efforts retrying to write even when you reply with 403. And it will fill up lots of GB in a small period of time, provided you are logging C part.

• file size in request body: when users begin to upload DVDs, you know you are having problems.

For the bodylimit size, you could use something like this (I'm using this one in my internal owncloud):

# /owncloud/index.php/apps/files/ajax/upload.php
# Message: Request body (Content-Length) is larger than the configured limit (32768000)
# Upgrade to 1GB == Hard Limit!
# See: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrequestbodylimit
SecRule REQUEST_URI "@beginsWith /owncloud/index.php/apps/files/ajax/upload.php" \
    "id:XXXX,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=920120;FILES:files[],\
    ctl:ruleRemoveById=920140,\
    ctl:ruleRemoveById=200002,\
    ctl:ruleRemoveById=200003,\
    ctl:requestBodyLimit=1073741824"

[bagley]

That's good to know about the 507 error. Good ol log fill ups. I don't think I'll include it as people probably need to see those errors, but we can definitely add it to the documentation.

DVDs, lol. For that upload limit, I'm just wondering if we really need this. Seems like it would go under something more "custom" like file extensions, than something global. And as AFAIK the limit can be set higher inside of just a single app/VirtualHost container using SecRequestBodyLimit. We can include an example that can be added their app's config (VirtualHost):

SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
    "id:XXXX,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:requestBodyLimit=1073741824"

Another option is including a variable to enable the higher limit, such as "setvar:tx.crs_nextcloud_max_upload=1073741824" or "setvar:tx.crs_nextcloud_allow_max_upload=1" It just has to be something that they enable, and that was where I was having issues with the variables. Because otherwise people could be DOSed on upload.php, and not know why/how their SecRequestBodyLimit=1000 is still accepting large uploads.
If you can get it to work with variables, and be turned off and on via the config, that would be awesome.

[fzipi]

@bagley Well, let's do this: as there are no additions/changes to the base rules, just the addition of the REQUEST-903.9011-DOKUWIKI-EXCLUSION-RULES.conf and REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conffiles, please close this PR and checkout branch v3.1/dev and copy your files there.

git checkout -b v3.1/dev-nextcloud v3.1/dev
git add rules/REQUEST-903.9012-NEXTCLOUD-EXCLUSION-RULES.conf # (copy your files from the other branch)
<reorder as per CONTRIBUTING.md>
git commit
git push

Then create a PR against v3.1/dev, and add as reference this closed PR. Similar for dokuwiki (so there will be two independet PRs).

This will simplify a lot the process for us. Are you ok with that?

[dune73]

I second @fzipi's proposal and I am pleased to see that you are back in the game @bagley. I'm still open to take things from your PR to a polished version worthy of a release.

[bagley]

Sounds good. I've gone ahead and done that:

PR for NextCloud rules: #982

PR for Dokuwiki rules: #983

I updated their notes and formatting, so they should be following Contributing.md.

[dune73]

This is very good. Thank you.