100% compatibility with OWASP CRS on Coraza v2 (99.96%)

[jptosso]

Coraza v1 has achieved 90%+ compatibility but a complete redesign on Coraza v2 broke most of the compatibility. In order to get 100% compatibility we must find the issues that are breaking CRS.

• Check which variables are failing to be created
• Find bugs in the Coraza testing package
• Find issues in algorithms like: rule phases, chains, rule flow (secmarks, skip, etc), ctl, tx variables, etc

Note: the coraza testsuite includes plugins for PCRE and libinjection, so please have them installed.

Create a CRS bundle:

1. Join the default coraza config file, the crs config file and the rules from coreruleset/rules/*.conf
2. Prepend the test configurations:

SecAction "id:900005,\
  phase:1,\
  nolog,\
  pass,\
  ctl:ruleEngine=DetectionOnly,\
  ctl:ruleRemoveById=910000,\
  setvar:tx.paranoia_level=4,\
  setvar:tx.crs_validate_utf8_encoding=1,\
  setvar:tx.arg_name_length=100,\
  setvar:tx.arg_length=400,\
  setvar:tx.combined_file_sizes=65535"

3. Copy the .data files from rules/ to your bundle's path

Clone the test suite

git clone https://github.com/jptosso/coraza-testsuite

Update the coraza version

go get github.com/jptosso/coraza-waf/v2@LAST_REVISION

Run the test suite

#Compile or run:
go run *.go run -d ../coreruleset/tests/regression -r ../coreruleset/rules/rules.conf

The current results are posted in the first comment.

Currently detected issues (with status):

• MATCHED_VARS weren't working as expected
• collection.AddUnique was not working, failing to create variables like REQUEST_COOKIES_NAMES, REQUEST_HEADERS_NAMES, RESPONSE_HEADERS_NAMES, ARGS_NAMES, etc
• The testing library doesn't support the no_magic flag which stops forcing the content-length based on the body size
• ForceRequestBodyVariable is working on tests but is not working on CRS for text/plain. Fix: Create a default empty variable for variables.ReqBodyProcessor
• ArgsNames was not being set for POST requests
• XML:/* and XML://@* were expected to return xml content and attribute values, both XPATH expressions were hardcoded
• ARGS_NAMES was being overwritten by request body processors, now it is concated
• Test 941330 not working because of unescaped unicode #115
• Rule variable exceptions are not supporting regex #114
• Most CRS rules using @validateByteRange are failing #113
• Issue with rule from CRS 942101 #112

The following rules are being ignored because of URL encoding issues

• 920181-1
• 942490-17
• 942260-17
• 942260-6
• 942150-6
• 920240-1
• 920240-5
• 920240-6
• 941130-11
• 941130-2
• 941130-4
• 941130-6
• 941130-9
• 941130-10
• 941130-12
• 941130-14
• 941130-16

[jptosso]

Failed: ["920450-3","930120-5","932140-3","941280-2","941330-1","942100-10","942100-13","942101-6"]
Passed 2454/2462 (99.68% passed)