fix: allow the PUT method in the Deck app (#58)

`PUT` is required in the Deck app to - Move a card on a board - Set a due date - Unassign a user
coreruleset · Feb 18, 2024 · 0b87863 · 0b87863
1 parent fd1677d
commit 0b87863
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
@@ -1531,8 +1531,11 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/user_status/api/v[0-9]+/use
 # [ Nextcloud Deck ]
 #
 
-# Moving a card in Deck app
-SecRule REQUEST_FILENAME "@rx /apps/deck/cards/[0-9]+/reorder$" \
+# When updating a card
+# Moving a card in deck
+# Unassigning a user from a card
+# Setting a due date on a card
+SecRule REQUEST_FILENAME "@rx /apps/deck/cards/[0-9]+(?:/reorder|/unassign)?$" \
     "id:9508810,\
     phase:1,\
     pass,\

diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508810.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508810.yaml
@@ -27,3 +27,39 @@ tests:
           output:
             no_log_contains: |
               id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"
+  - test_title: 9508810-2
+    desc: Unassigning a user from a card.
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/deck/cards/1/unassign
+          output:
+            no_log_contains: |
+              id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"
+  - test_title: 9508810-3
+    desc: |
+      Setting a due date on a card.
+      Target: json.data
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/deck/cards/1
+            data: |
+              json.data={"id":16,"title":"Title","description":"","stackId":11,"type":"plain","lastModified":1708032296,"lastEditor":null,"createdAt":1708013998,"labels":[{"id":9,"title":"Terminé","color":"31CC7C","boardId":3,"cardId":null,"lastModified":0,"ETag":"cfcd208495d565ef66e7dff9f98764da"}],"owner":{"primaryKey":"mivek","uid":"mivek","displayname":"mivek","type":0},"order":2,"duedate":"2024-02-15T23:00:00.000Z","deletedAt":0,"boardId":3}
+          output:
+            no_log_contains: |
+              id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"