Rules for NextCloud installs (and possibly OwnCloud). #982
Signed-off-by: Matt Bagley <firstlife22@gmail.com>
@bagley I think this is a very good first approach. Anyone care to comment?
I will. But I am a bit short on time these days.
Until SpiderLabs/owasp-modsecurity-crs#982 is merged.
Hi, I finally took the time to take a closer look at this. This is very good. Clean and systematic. There are a few minor questions and requests, you might be
Thanks once again for this PR. If you have a response to this,
Yes, I can go ahead and fix these. That "Testing for upload fix" was just there to see if anyone could get that variable based fix to work. But I'm going to put it up to the top with just the 4 lines of code that are actually needed. Give me a few and I'll upload the fixes.
Wonderful. Thank you very much.
Ya, no problem. As for the block choosing 9012 rather than 9003, at first I wanted to jump a few blocks in case someone else was using those. And I picked 9012 because 12 devs made nextcloud. Kind of random, but that's why. If you'd like it moved to 9003, I can do that. I can do the same with dokuwiki, and make it 9004. Oh, and feel free to reword the comments as needed.
We are nearly there. The ordering of actions in the rules does not adhere to the contributing standard. Most of the rules need to be modified, mainly the disruptive action needs to be moved upwards, after the phase declaration. Also, SecMarker tags must be quoted using double quotes.
I think it can be merged after that. Very good job!
    phase:2,\
    t:none,\
    nolog,\
    pass,\
    ctl:ruleRemoveByID=933100-933200,\
    ctl:ruleRemoveByTAG=attack-injection-php,\
The ctl action is ruleRemoveByTag, not by TAG.
Fixing this as of this writing. Found another two small bugs.
Fixed bugs in 9012310
We really need to write a rule checker script to put the actions in order and use our time wisely :)
Thanks for merging this. @fzipi, after seeing @dune73 's edits, I'm getting a much better idea of what you meant on the rule reordering. I agree with you about a tool that could be used for checking (and possibly fixing) rules. It wouldn't be very hard to do in perl or something like that. I may even write up something, unless you have already started writing such a tool. (I wrote a quick tool to check for trailing white spaces before git commits, as the failed builds were annoying me).
Also, @dune73, I'm not sure if Nextcloud changed the password changing setup, or maybe I missed something. But rule 9003500 needs a change so it won't block passwords. And another rule was needed for user password changes. Here are the changes on line 266 and on:
@@ -264,8 +264,11 @@
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
# Change Password and Setting up a new user/password
+# /index.php/settings/users
+# /index.php/settings/users/users
+# /index.php/settings/users/changepassword
-SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
+SecRule REQUEST_FILENAME "@rx /index.php/settings/users(|/users|/changepassword)$" \
"id:9003500,\
phase:2,\
pass,\
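Review bot: the new `@rx` pattern `/index.php/settings/users(|/users|/changepassword)$` leaves the dot in `index.php` unescaped and relies on an empty first alternative; `@rx /index\.php/settings/users(?:/users|/changepassword)?$` expresses the same three paths more readably. Keep the trailing `$`: unlike the `@endsWith` operator it replaces, `@rx` matches anywhere inside REQUEST_FILENAME, so without the anchor the exclusion would also apply to any longer path that merely contains that prefix.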
@@ -274,6 +277,16 @@
ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
+SecRule REQUEST_FILENAME "@endsWith /index.php/settings/personal/changepassword" \
+ "id:9003510,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ ctl:ruleRemoveTargetByTag=CRS;ARGS:password,\
+ ctl:ruleRemoveTargetByTag=CRS;ARGS:oldpassword,\
+ ctl:ruleRemoveTargetByTag=CRS;ARGS:newpassword,\
+ ctl:ruleRemoveTargetByTag=CRS;ARGS:newpassword-clone"
SecMarker END-NEXTCLOUD-ADMIN |
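Review bot: rule 9003510 has no comment naming the endpoint it covers, while the rule above it gets one line per path (`# /index.php/settings/users/changepassword`); add `# /index.php/settings/personal/changepassword` before the new SecRule so the four excluded ARGS (password, oldpassword, newpassword, newpassword-clone) are documented as belonging to that form. Action ordering in the new rule (id, phase, pass, t:none, nolog) follows the standard agreed earlier in this thread.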
I would love to have a Python checking script that implements all the things from CONTRIBUTING.md and fixes everything automatically, not only trailing blank spaces (I use sed for that: 's,\s+$,,').
I made a parser for the CRS that now has full syntax sanity checks (thanks to @fgsch). I was hoping to get full Python objects from that to rewrite as needed, but I haven't had time to keep developing it.
Thank you for the update @bagley, I'll incorporate that in the other PR. As for the script: @fzipi's work together with @fgsch's contribution is what you should base yourself on. It would help the project and other contributors a great deal. Please don't revert to perl, if you can do it in Python. And yes, contributing this would be awesome (on top of two very nice rule exclusion packages you contributed).
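The kind of checker this thread asks for, as an added example that is not part of the PR nor of the fzipi/fgsch parser mentioned above: a small Python script that enforces the three conventions raised in the review (id first, then phase, then the disruptive action; double-quoted SecMarker; correctly spelled ctl options such as ruleRemoveByTag rather than ruleRemoveByTAG) over a constructed rule file, so that violations are reported before a commit.

```python
import re
# Constructed sample (not taken from the PR): a conforming rule, a rule with the
# two defects raised in this thread, and an unquoted SecMarker.
SAMPLE_CONFIG = r'''
SecRule REQUEST_FILENAME "@endsWith /index.php/settings/personal/changepassword" \
    "id:9003510,phase:2,pass,t:none,ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
SecRule REQUEST_FILENAME "@beginsWith /remote.php/dav" \
    "id:9003900,\
    phase:2,\
    t:none,\
    pass,\
    ctl:ruleRemoveByTAG=attack-injection-php"
SecMarker END-NEXTCLOUD-ADMIN
'''
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}
# ModSecurity v2 ctl options, compared case-sensitively (ruleRemoveByTag, not ByTAG)
CTL_OPTIONS = {"auditEngine", "auditLogParts", "forceRequestBodyVariable", "requestBodyAccess",
               "requestBodyLimit", "requestBodyProcessor", "responseBodyAccess", "responseBodyLimit",
               "ruleEngine", "ruleRemoveById", "ruleRemoveByMsg", "ruleRemoveByTag",
               "ruleRemoveTargetById", "ruleRemoveTargetByMsg", "ruleRemoveTargetByTag"}

def directives(text):  # yield logical directives, joining backslash-continued lines
    buf = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf.append(line[:-1].rstrip() if line.endswith("\\") else line)
        if not line.endswith("\\"):
            yield " ".join(buf)
            buf = []

def check_directive(d):  # return convention findings for one directive ([] = conforming)
    if d.startswith("SecMarker"):  # contributing standard: marker must be double-quoted
        return [] if re.fullmatch(r'SecMarker\s+"[^"]+"', d) else [f"unquoted marker: {d}"]
    if not d.startswith("SecRule"):
        return []
    actions = [a.strip() for a in d.rsplit('"', 2)[1].split(",")]  # last quoted string
    names = [re.split(r"[:=]", a, maxsplit=1)[0] for a in actions]
    rid = actions[0][3:] if names[0] == "id" else "?"
    findings = []
    if names[:2] != ["id", "phase"]:
        findings.append(f"{rid}: actions must start with id, then phase")
    elif len(names) < 3 or names[2] not in DISRUPTIVE:
        findings.append(f"{rid}: disruptive action must directly follow phase")
    for a in actions:
        if a.startswith("ctl:") and a[4:].split("=", 1)[0] not in CTL_OPTIONS:
            findings.append(f"{rid}: unknown ctl option {a[4:].split('=', 1)[0]!r}")
    return findings

def check_config(text):
    return [f for d in directives(text) for f in check_directive(d)]
```

The action splitter is deliberately simple (it splits on every comma), so rules whose `msg` or `logdata` values contain commas would need a quote-aware tokenizer before this check is run over the whole rule set.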
Here are the rules to allow NextCloud (and likely OwnCloud) to be able to work. They are from #899.
As I was making this PR, I noticed that many of the rules are just turning off other rules. I would like for them to specifically target the variables being used, and try to make them more exact. But they are still fairly decent. (I'm just putting this here to remind myself of this).
I added some notes to each rule to show more of what it is doing, and fixed the formatting. They should be up to par with the Contributing.md.