-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
directives.go
1032 lines (918 loc) · 31.8 KB
/
directives.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0
//go:generate go run generator/main.go
package seclang
import (
"errors"
"fmt"
"io/fs"
"regexp"
"strconv"
"strings"
"github.com/appsentinels/coraza/v3/debuglog"
"github.com/appsentinels/coraza/v3/internal/auditlog"
"github.com/appsentinels/coraza/v3/internal/corazawaf"
"github.com/appsentinels/coraza/v3/internal/memoize"
utils "github.com/appsentinels/coraza/v3/internal/strings"
"github.com/appsentinels/coraza/v3/types"
)
// DirectiveOptions contains the parsed options for a directive. It is mutable and propagated
// across multiple directives, to support collecting the options for audit logs for example.
// TODO(anuraaga): Propagation of config probably should be separated from a directive's options.
type DirectiveOptions struct {
WAF *corazawaf.WAF
Raw string
Opts string
Path []string
Datasets map[string][]string
// Parser is configuration of the parser, populated by multiple directives and consumed by
// directives that parse.
Parser ParserConfig
}
type directive = func(options *DirectiveOptions) error
// Description: Include and evaluate a file or file pattern.
// Syntax: Include [PATH_TO_CONF_FILES]
// ---
// Include loads a file or a list of files from the filesystem using golang Glob syntax.
//
// Example:
// ```apache
// Include /path/coreruleset/rules/*.conf
// ```
//
// Quoting [Glob documentation](https://pkg.go.dev/path/filepath#Glob):
// > The syntax of patterns is the same as in Match. The pattern may describe hierarchical
// > names such as /usr/*/bin/ed (assuming the Separator is ‘/’).
// > Glob ignores file system errors such as I/O errors reading directories. The only possible returned error is ErrBadPattern, when pattern is malformed.
func directiveInclude(_ *DirectiveOptions) error {
return errors.New("not implemented")
}
var _ directive = directiveInclude
var errEmptyOptions = errors.New("expected options")
func directiveSecComponentSignature(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.ComponentNames = append(options.WAF.ComponentNames, options.Opts)
return nil
}
// Description: Adds a fixed rule marker that can be used as a target in a `skipAfter` action.
// A `SecMarker` directive essentially creates a rule that does nothing and whose only purpose
// is to carry the given ID.
// Syntax: SecMarker [ID|TEXT]
// ---
// The value can be either a number or a text string. The SecMarker directive is available to
// allow you to choose the best way to implement a skip-over. Here is an example used from the
// Core Rule Set:
//
// ```apache
//
// SecMarker BEGIN_HOST_CHECK
//
// SecRule &REQUEST_HEADERS:Host "@eq 0" \
// "id:'960008',skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.1',\
// t:none,block,msg:'Request Missing a Host Header',\
// tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',\
// tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',\
// severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
// setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},\
// setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
// SecRule REQUEST_HEADERS:Host "^$" \
// "id:'960008',phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',\
// tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',\
// tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',\
// setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
// setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},\
// setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
//
// SecMarker END_HOST_CHECK
//
// ```
func directiveSecMarker(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
rule := corazawaf.NewRule()
rule.Raw_ = fmt.Sprintf("SecMarker %s", options.Opts)
rule.SecMark_ = options.Opts
rule.ID_ = 0
rule.Phase_ = 0
rule.Line_ = options.Parser.LastLine
rule.File_ = options.Parser.ConfigFile
if err := options.WAF.Rules.Add(rule); err != nil {
return err
}
options.WAF.Logger.Debug().Msg("Added secmark rule")
return nil
}
// Description: Unconditionally processes the action list it receives as the first and only parameter.
// Syntax: SecAction "action1,action2,action3,..."
// ----
// This directive is commonly used to set variables and initialize persistent collections using the
// `initcol` action. The syntax of the parameter is identical to that of the third parameter of `SecRule`.
//
// Example:
// ```apache
// SecAction "nolog,phase:1,initcol:RESOURCE=%{REQUEST_FILENAME}"
// ```
func directiveSecAction(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
rule, err := ParseRule(RuleOptions{
WithOperator: false,
WAF: options.WAF,
ParserConfig: options.Parser,
Raw: options.Raw,
Directive: "SecAction",
Data: options.Opts,
})
if err != nil {
return err
}
if err := options.WAF.Rules.Add(rule); err != nil {
return err
}
options.WAF.Logger.Debug().
Str("actions", options.Opts).
Msg("Added SecAction")
return nil
}
// Description: Creates a rule that will analyze the selected variables using
// the selected operator.
// Syntax: SecRule VARIABLES OPERATOR [ACTIONS]
// ---
// Every rule must provide one or more variables along with the operator that should
// be used to inspect them. If no actions are provided, the default list will be used.
// (There is always a default list, even if one was not explicitly set with `SecDefaultAction`.)
// If there are actions specified in a rule, they will be merged with the default list
// to form the final actions that will be used. (The actions in the rule will overwrite
// those in the default list.) Refer to `SecDefaultAction` for more information.
//
// Example:
// ```apache
// SecRule ARGS "@rx attack" "phase:1,log,deny,id:1"
// ```
func directiveSecRule(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
ignoreErrors := options.Parser.IgnoreRuleCompilationErrors
rule, err := ParseRule(RuleOptions{
WithOperator: true,
WAF: options.WAF,
ParserConfig: options.Parser,
Raw: options.Raw,
Directive: "SecRule",
Data: options.Opts,
Datasets: options.Datasets,
})
if err != nil && !ignoreErrors {
return err
} else if err != nil && ignoreErrors {
options.WAF.Logger.Debug().
Str("rule_id", options.Opts).
Err(err).
Msg("Ignoring rule compilation error")
return nil
}
err = options.WAF.Rules.Add(rule)
if err != nil && !ignoreErrors {
return err
} else if err != nil && ignoreErrors {
options.WAF.Logger.Debug().
Str("rule_id", options.Opts).
Err(err).
Msg("Ignoring rule compilation error")
return nil
}
return nil
}
// Description: Configures whether response bodies are to be buffered.
// Syntax: SecResponseBodyAccess On|Off
// Default: Off
// ---
// This directive is required if you plan to inspect HTML responses and implement
// response blocking. Possible values are:
// - On: buffer response bodies (but only if the response MIME type matches the list
// configured with `SecResponseBodyMimeType`).
// - Off: do not buffer response bodies.
func directiveSecResponseBodyAccess(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
b, err := parseBoolean(strings.ToLower(options.Opts))
if err != nil {
return err
}
options.WAF.ResponseBodyAccess = b
return nil
}
// Description: Configures the maximum request body size Coraza will accept for buffering.
// Default: 134217728 (131072 KB)
// Syntax: SecRequestBodyLimit [LIMIT_IN_BYTES]
// ---
// Anything over the limit will be rejected with status code 413 (Request Entity Too Large).
// There is a hard limit of 1 GB.
func directiveSecRequestBodyLimit(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
limit, err := strconv.ParseInt(options.Opts, 10, 64)
if err != nil {
return err
}
options.WAF.RequestBodyLimit = limit
return nil
}
// Description: Configures whether request bodies will be buffered and processed by Coraza.
// Syntax: SecRequestBodyAccess On|Off
// Default: Off
// ---
// This directive is required if you want to inspect the data transported request bodies
// (e.g., POST parameters). Request buffering is also required in order to make reliable
// blocking possible. The possible values are:
// - On: buffer request bodies
// - Off: do not buffer request bodies
func directiveSecRequestBodyAccess(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
b, err := parseBoolean(strings.ToLower(options.Opts))
if err != nil {
return err
}
options.WAF.RequestBodyAccess = b
return nil
}
// Description: Configures the rules engine.
// Syntax: SecRuleEngine On|Off|DetectionOnly
// Default: Off
// ---
// The possible values are:
// - On: process rules
// - Off: do not process rules
// - DetectionOnly: process rules but never executes any disruptive actions
// (block, deny, drop, allow, proxy and redirect)
func directiveSecRuleEngine(options *DirectiveOptions) error {
engine, err := types.ParseRuleEngineStatus(options.Opts)
options.WAF.RuleEngine = engine
return err
}
func directiveUnsupported(options *DirectiveOptions) error {
return nil
}
func directiveSecWebAppID(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.WebAppID = options.Opts
return nil
}
func directiveSecServerSignature(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.ServerSignature = utils.MaybeRemoveQuotes(options.Opts)
return nil
}
func directiveSecRuleRemoveByTag(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.Rules.DeleteByTag(options.Opts)
return nil
}
func directiveSecRuleRemoveByMsg(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.Rules.DeleteByMsg(options.Opts)
return nil
}
// Description: Removes the matching rules from the current configuration context.
// Syntax: SecRuleRemoveById ...[ID OR RANGE]
func directiveSecRuleRemoveByID(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
idsOrRanges := strings.Fields(options.Opts)
for _, idOrRange := range idsOrRanges {
if idx := strings.Index(idOrRange, "-"); idx == -1 {
id, err := strconv.Atoi(idOrRange)
if err != nil {
return err
}
options.WAF.Rules.DeleteByID(id)
} else {
start, err := strconv.Atoi(idOrRange[:idx])
if err != nil {
return err
}
end, err := strconv.Atoi(idOrRange[idx+1:])
if err != nil {
return err
}
if start > end {
return fmt.Errorf("invalid range: %s", idOrRange)
}
options.WAF.Rules.DeleteByRange(start, end)
}
}
return nil
}
func directiveSecResponseBodyMimeTypesClear(options *DirectiveOptions) error {
if len(options.Opts) > 0 {
return errors.New("unexpected options")
}
options.WAF.ResponseBodyMimeTypes = nil
return nil
}
func directiveSecResponseBodyMimeType(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.ResponseBodyMimeTypes = strings.Split(options.Opts, " ")
return nil
}
// Description: Controls what happens once a response body limit, configured with
// `SecResponseBodyLimit`, is encountered.
// Syntax: SecResponseBodyLimitAction Reject|ProcessPartial
// ---
// By default, Coraza will reject a response body that is longer than specified.
// Some web sites, however, will produce very long responses, making it difficult
// to come up with a reasonable limit. Such sites would have to raise the limit
// significantly to function properly, defying the purpose of having the limit in
// the first place (to control memory consumption). With the ability to choose what
// happens once a limit is reached, site administrators can choose to inspect only
// the first part of the response, the part that can fit into the desired limit, and
// let the rest through. Some could argue that allowing parts of responses to go
// uninspected is a weakness. This is true in theory, but applies only to cases in
// which the attacker controls the output (e.g., can make it arbitrary long). In such
// cases, however, it is not possible to prevent leakage anyway. The attacker could
// compress, obfuscate, or even encrypt data before it is sent back, and therefore
// bypass any monitoring device.
func directiveSecResponseBodyLimitAction(options *DirectiveOptions) error {
switch strings.ToLower(options.Opts) {
case "reject":
options.WAF.ResponseBodyLimitAction = types.BodyLimitActionReject
case "processpartial":
options.WAF.ResponseBodyLimitAction = types.BodyLimitActionProcessPartial
default:
return errors.New("syntax error: SecResponseBodyLimitAction [Reject/ProcessPartial]")
}
return nil
}
// Description: Configures the maximum response body size that will be accepted for buffering.
// Syntax: SecResponseBodyLimit [LIMIT_IN_BYTES]
// Default: 524288 (512 KB)
// ---
// Anything over this limit will be rejected with status code 500 (Internal Server Error).
// This setting will not affect the responses with MIME types that are not selected for
// buffering. There is a hard limit of 1 GB.
func directiveSecResponseBodyLimit(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
limit, err := strconv.ParseInt(options.Opts, 10, 64)
if err != nil {
return err
}
options.WAF.ResponseBodyLimit = limit
return nil
}
// Description: Controls what happens once a request body limit, configured with
// SecRequestBodyLimit, is encountered
// Syntax: SecRequestBodyLimitAction Reject|ProcessPartial
// Default: Reject
// ---
// By default, Coraza will reject a request body that is longer than specified to
// avoid OOM issues while buffering the request body prior the inspection.
func directiveSecRequestBodyLimitAction(options *DirectiveOptions) error {
switch strings.ToLower(options.Opts) {
case "reject":
options.WAF.RequestBodyLimitAction = types.BodyLimitActionReject
case "processpartial":
options.WAF.RequestBodyLimitAction = types.BodyLimitActionProcessPartial
default:
return errors.New("syntax error: SecRequestBodyLimitAction [Reject/ProcessPartial]")
}
return nil
}
// Description: Configures the maximum request body size that Coraza will store in memory.
// Default: 131072 (128 KB)
// Syntax: SecRequestBodyInMemoryLimit [LIMIT_IN_BYTES]
// ---
// When a `multipart/form-data` request is being processed, once the in-memory limit is reached,
// the request body will start to be streamed into a temporary file on disk.
func directiveSecRequestBodyInMemoryLimit(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
limit, err := strconv.ParseInt(options.Opts, 10, 64)
if err != nil {
return err
}
options.WAF.SetRequestBodyInMemoryLimit(limit)
return nil
}
func directiveSecRemoteRulesFailAction(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
switch strings.ToLower(options.Opts) {
case "abort":
options.WAF.AbortOnRemoteRulesFail = true
case "warn":
options.WAF.AbortOnRemoteRulesFail = false
default:
return errors.New("unknown option")
}
return nil
}
func directiveSecRemoteRules(options *DirectiveOptions) error {
return fmt.Errorf("not implemented")
}
func directiveSecConnWriteStateLimit(options *DirectiveOptions) error {
return nil
}
func directiveSecSensorID(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.SensorID = options.Opts
return nil
}
func directiveSecConnReadStateLimit(options *DirectiveOptions) error {
return nil
}
func directiveSecPcreMatchLimitRecursion(options *DirectiveOptions) error {
return nil
}
func directiveSecPcreMatchLimit(options *DirectiveOptions) error {
return nil
}
func directiveSecHTTPBlKey(options *DirectiveOptions) error {
return nil
}
func directiveSecGsbLookupDb(options *DirectiveOptions) error {
return nil
}
func directiveSecHashMethodPm(options *DirectiveOptions) error {
return nil
}
func directiveSecHashMethodRx(options *DirectiveOptions) error {
return nil
}
func directiveSecHashParam(options *DirectiveOptions) error {
return nil
}
func directiveSecHashKey(options *DirectiveOptions) error {
return nil
}
func directiveSecHashEngine(options *DirectiveOptions) error {
return nil
}
// Description: Defines the default list of actions, which will be inherited
// by the rules in the same configuration context.
// Default: phase:2,log,auditlog,pass
// Syntax: SecDefaultAction "phase:2,log,auditlog,deny,status:403,tag:'SLA 24/7'"
// ---
// Every rule following a previous `SecDefaultAction` directive in the same configuration
// context will inherit its settings unless more specific actions are used.
//
// Rulesets like OWASP Core Ruleset uses this to define operation modes:
//
// - You can set the default disruptive action to block for phases 1 and 2 and you can force
// a phase 3 rule to be disrupted if the thread score is high.
// - You can set the default disruptive action to deny and each risky rule will interrupt
// the connection.
//
// Important: Every `SecDefaultAction` directive must specify a disruptive action and a processing
// phase and cannot contain metadata actions.
func directiveSecDefaultAction(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.Parser.RuleDefaultActions = append(options.Parser.RuleDefaultActions, options.Opts)
options.Parser.HasRuleDefaultActions = true
return nil
}
func directiveSecConnEngine(options *DirectiveOptions) error {
/*
switch opts{
case "On":
w.ConnEngine = engine.CONN_ENGINE_ON
break
case "Off":
w.ConnEngine = engine.CONN_ENGINE_OFF
break
case "DetectOnly":
w.ConnEngine = engine.CONN_ENGINE_DETECTONLY
break
}
break
*/
return nil
}
func directiveSecCollectionTimeout(options *DirectiveOptions) error {
// w.CollectionTimeout, _ = strconv.Atoi(opts)
return nil
}
// Description: Defines the path to the main audit log file (serial logging format)
// or the concurrent logging index file (concurrent logging format).
// Syntax: SecAuditLog [ABSOLUTE_PATH_TO_LOG_FILE]
// ---
// When used in combination with mlogc (only possible with concurrent logging), this
// directive defines the mlogc location and command line.
//
// Example:
// ```apache
// SecAuditLog "/path/to/audit.log"
// ```
//
// Note: This audit log file is opened on startup when the server typically still runs
// as root. You should not allow non-root users to have write privileges for this file
// or for the directory.
func directiveSecAuditLog(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.AuditLogWriterConfig.Target = options.Opts
return nil
}
func directiveSecAuditLogType(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
writer, err := auditlog.GetWriter(options.Opts)
if err != nil {
return err
}
options.WAF.SetAuditLogWriter(writer)
return nil
}
// Description: Select the output format of the AuditLogs. The format can be either
// the native AuditLogs format or JSON.
// Syntax: SecAuditLogFormat JSON|Native
// Default: Native
func directiveSecAuditLogFormat(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
formatter, err := auditlog.GetFormatter(options.Opts)
if err != nil {
return err
}
options.WAF.AuditLogWriterConfig.Formatter = formatter
return nil
}
func directiveSecAuditLogDir(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.AuditLogWriterConfig.Dir = options.Opts
return nil
}
// Description: Configures the mode (permissions) of any directories created for the
// concurrent audit logs, using an octal mode value as parameter (as used in chmod).
// Syntax: SecAuditLogDirMode octal_mode|"default"
// Default: 0600
// ---
// The default mode for new audit log directories (0600) only grants read/write access
// to the owner.
//
// Example:
// ```apache
// SecAuditLogDirMode 02750
// ```
func directiveSecAuditLogDirMode(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
auditLogDirMode, err := strconv.ParseInt(options.Opts, 8, 32)
if err != nil {
return err
}
options.WAF.AuditLogWriterConfig.DirMode = fs.FileMode(auditLogDirMode)
return nil
}
// Description: Configures the mode (permissions) of any files created for concurrent
// audit logs using an octal mode (as used in `chmod`). See `SecAuditLogDirMode` for
// controlling the mode of created audit log directories.
// Syntax: SecAuditLogFileMode octal_mode|"default"
// Default: 0600
// ---
// Example:
// ```apache
// SecAuditLogFileMode 00640
// ```
func directiveSecAuditLogFileMode(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
auditLogFileMode, err := strconv.ParseInt(options.Opts, 8, 32)
if err != nil {
return err
}
options.WAF.AuditLogWriterConfig.FileMode = fs.FileMode(auditLogFileMode)
return nil
}
// Description: Configures which response status code is to be considered relevant
// for the purpose of audit logging.
// Syntax: SecAuditLogRelevantStatus [REGEX]
// ---
// The main purpose of this directive is to allow you to configure audit logging for
// only the transactions that have the status code that matches the supplied regular
// expression.
//
// Example:
// ```
// SecAuditLogRelevantStatus "^(?:5|40[1235])"
// ```
// This example would log all 5xx and 4xx level status codes,
// except for 404s. Although you could achieve the same effect with a rule in phase 5,
// `SecAuditLogRelevantStatus` is sometimes better, because it continues to work even when
// `SecRuleEngine` is disabled.
//
// Note: Must have `SecAuditEngine` set to `RelevantOnly`. Additionally, the auditlog action
// is present by default in rules, this will make the engine bypass the `SecAuditLogRelevantStatus`
// and send rule matches to the audit log regardless of status. You must specify noauditlog in the
// rules manually or set it in `SecDefaultAction`.
func directiveSecAuditLogRelevantStatus(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
re, err := memoize.Do(options.Opts, func() (interface{}, error) { return regexp.Compile(options.Opts) })
if err != nil {
return err
}
options.WAF.AuditLogRelevantStatus = re.(*regexp.Regexp)
return nil
}
// Description: Defines which parts of each transaction are going to be recorded
// in the audit log. Each part is assigned a single letter; when a letter appears
// in the list then the equivalent part will be recorded. See below for the list of
// all parts.
// Syntax: SecAuditLogParts [PARTLETTERS]
// Default: ABCFHZ
// ---
// The format of the audit log format is documented in detail in the Audit Log Data
// Format Documentation.
//
// Example:
// ```apache
// SecAuditLogParts ABCFHZ
// ```
//
// Available audit log parts:
//
// - A: Audit log header (mandatory).
// - B: Request headers.
// - C: Request body (present only if the request body exists and Coraza is configured
// to intercept it. This would require `SecRequestBodyAccess` to be set to on).
// - D: Reserved for intermediary response headers; not implemented yet.
// - E: Intermediary response body (present only if Coraza is configured to intercept
// response bodies, and if the audit log engine is configured to record it. Intercepting
// response bodies requires `SecResponseBodyAccess` to be enabled). Intermediary response
// body is the same as the actual response body unless Coraza intercepts the intermediary
// response body, in which case the actual response body will contain the error message.
// - F: Final response headers.
// - G: Reserved for the actual response body; not implemented yet.
// - H: Audit log trailer.
// - I: This part is a replacement for part C. It will log the same data as C in all cases except when
// `multipart/form-data` encoding in used. In this case, it will log a fake `application/x-www-form-urlencoded`
// body that contains the information about parameters but not about the files. This is handy if
// you don’t want to have (often large) files stored in your audit logs.
// - J: This part contains information about the files uploaded using `multipart/form-data` encoding.
// - K: This part contains a full list of every rule that matched (one per line) in the order they were
// matched. The rules are fully qualified and will thus show inherited actions and default operators.
// - Z: Final boundary, signifies the end of the entry (mandatory).
func directiveSecAuditLogParts(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
var err error
options.WAF.AuditLogParts, err = types.ParseAuditLogParts(options.Opts)
return err
}
// Description: Configures the audit logging engine.
// Syntax: SecAuditEngine RelevantOnly
// Default: Off
// ---
// The `SecAuditEngine` directive is used to configure the audit engine, which logs complete
// transactions.
//
// The possible values for the audit log engine are as follows:
// - On: log all transactions
// - Off: do not log any transactions
// - RelevantOnly: only the log transactions that have triggered a warning or an error, or have
// a status code that is considered to be relevant (as determined by the `SecAuditLogRelevantStatus`
// directive)
//
// Note: If you need to change the audit log engine configuration on a per-transaction basis (e.g.,
// in response to some transaction data), use the `ctl` action.
//
// The following example demonstrates how `SecAuditEngine` is used:
// ```apache
// SecAuditEngine RelevantOnly
// SecAuditLog logs/audit/audit.log
// SecAuditLogParts ABCFHZ
// SecAuditLogType concurrent
// SecAuditLogStorageDir logs/audit
// SecAuditLogRelevantStatus ^(?:5|4(?!04))
// ```
func directiveSecAuditEngine(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
au, err := types.ParseAuditEngineStatus(options.Opts)
options.WAF.AuditEngine = au
return err
}
func directiveSecDataDir(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
options.WAF.DataDir = options.Opts
return nil
}
func directiveSecUploadKeepFiles(options *DirectiveOptions) error {
b, err := parseBoolean(options.Opts)
if err != nil {
return err
}
options.WAF.UploadKeepFiles = b
return nil
}
func directiveSecUploadFileMode(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
fm, err := strconv.ParseInt(options.Opts, 8, 32)
if err != nil {
return err
}
options.WAF.UploadFileMode = fs.FileMode(fm)
return nil
}
func directiveSecUploadFileLimit(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
var err error
options.WAF.UploadFileLimit, err = strconv.Atoi(options.Opts)
return err
}
func directiveSecUploadDir(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
// TODO validations
options.WAF.UploadDir = options.Opts
return nil
}
// Description: Configures the maximum request body size Coraza will accept for
// buffering, excluding the size of any files being transported in the request.
// This directive is useful to reduce susceptibility to DoS attacks when someone is
// sending request bodies of very large sizes. Web applications that require file uploads
// must configure `SecRequestBodyLimit` to a high value, but because large files are streamed
// to disk, file uploads will not increase memory consumption. However, it’s still possible
// for someone to take advantage of a large request body limit and send non-upload requests
// with large body sizes. This directive eliminates that loophole.
// Default: 1048576 (1 MB)
// Syntax: SecRequestBodyNoFilesLimit 131072
// ---
// Generally speaking, the default value is not small enough. For most applications, you
// should be able to reduce it down to 128 KB or lower. Anything over the limit will be
// rejected with status code 413 (Request Entity Too Large). There is a hard limit of 1 GB.
func directiveSecRequestBodyNoFilesLimit(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
var err error
options.WAF.RequestBodyNoFilesLimit, err = strconv.ParseInt(options.Opts, 10, 64)
return err
}
// Description: Path to the Coraza debug log file.
// Syntax: SecDebugLog [ABSOLUTE_PATH_TO_DEBUG_LOG]
// ---
// Logs will be written to this file. Make sure the process user has write access to the
// directory.
func directiveSecDebugLog(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
return options.WAF.SetDebugLogPath(options.Opts)
}
// Description: Configures the verboseness of the debug log data.
// Default: 3
// Syntax: SecDebugLogLevel [LOG_LEVEL]
// ---
// Depending on the implementation, errors ranging from 1 to 2 might be directly
// logged to the connector error log. For example, level 1 (error) logs will be
// written to caddy server error logs.
// The possible values for the debug log level are:
//
// - 0: No logging (least verbose)
// - 1: Error
// - 2: Warn
// - 3: Info
// - 4-8: Debug
// - 9: Trace (most verbose)
//
// Levels outside the 0-9 range will default to level 3 (Info)
func directiveSecDebugLogLevel(options *DirectiveOptions) error {
lvl, err := strconv.ParseInt(options.Opts, 10, 8)
if err != nil {
return err
}
return options.WAF.SetDebugLogLevel(debuglog.Level(lvl))
}
func directiveSecRuleUpdateTargetByID(options *DirectiveOptions) error {
idStr, v, ok := strings.Cut(options.Opts, " ")
if !ok {
return errors.New("syntax error: SecRuleUpdateTargetById id \"VARIABLES\"")
}
id, err := strconv.Atoi(idStr)
if err != nil {
return err
}
rule := options.WAF.Rules.FindByID(id)
rp := RuleParser{
rule: rule,
options: RuleOptions{},
defaultActions: map[types.RulePhase][]ruleAction{},
}
return rp.ParseVariables(strings.Trim(v, "\""))
}
func directiveSecIgnoreRuleCompilationErrors(options *DirectiveOptions) error {
b, err := parseBoolean(options.Opts)
if err != nil {
return err
}
if b {
options.WAF.Logger.Warn().
Msg(`Running in Compatibility Mode (SecIgnoreRuleCompilationErrors On),
which may cause unexpected behavior on faulty rules.`)
}
options.Parser.IgnoreRuleCompilationErrors = b
return nil
}
func directiveSecDataset(options *DirectiveOptions) error {
if len(options.Opts) == 0 {
return errEmptyOptions
}
name, d, ok := strings.Cut(options.Opts, " ")
if !ok {
return errors.New("syntax error: SecDataset name `\n...\n`")
}
if _, ok := options.Datasets[name]; ok {
options.WAF.Logger.Warn().
Str("dataset_name", name).
Msg("Dataset already exists, overwriting")
}
var arr []string
data := strings.Trim(d, "`")
for _, s := range strings.Split(data, "\n") {
s = strings.TrimSpace(s)
if s == "" || s[0] == '#' {
continue
}
arr = append(arr, s)
}
options.Datasets[name] = arr
return nil
}
// Description: Configures the maximum number of ARGS that will be accepted for processing.