Allow the PUT method globally in the deck app.

False positive are triggered when reordering cards, unassigning users and setting a due date. Fix lint
coreruleset · Feb 17, 2024 · 1e46c4a · 1e46c4a
1 parent 0685122
commit 1e46c4a
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
@@ -1341,8 +1341,8 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/user_status/api/v[0-9]+/use
 # [ Nextcloud Deck ]
 #
 
-# Moving a card in Deck app
-SecRule REQUEST_FILENAME "@rx /apps/deck/cards/[0-9]+/reorder$" \
+# When updating a card
+SecRule REQUEST_FILENAME "@rx /apps/deck/cards/[0-9]+" \
     "id:9508810,\
     phase:1,\
     pass,\

diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508810.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508810.yaml
@@ -27,3 +27,41 @@ tests:
           output:
             no_log_contains: |
               id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"
+  - test_title: 9508810-2
+    desc: |
+      Unassigning a user from a card.
+      Target: description
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/deck/cards/1/unassign
+          output:
+            no_log_contains: |
+              id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"
+  - test_title: 9508810-2
+    desc: |
+      Setting a due date to a card.
+      Target: description
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/deck/cards/1
+            data: |
+              json.data={"id":16,"title":"Title","description":"","stackId":11,"type":"plain","lastModified":1708032296,"lastEditor":null,"createdAt":1708013998,"labels":[{"id":9,"title":"Terminé","color":"31CC7C","boardId":3,"cardId":null,"lastModified":0,"ETag":"cfcd208495d565ef66e7dff9f98764da"}],"owner":{"primaryKey":"mivek","uid":"mivek","displayname":"mivek","type":0},"order":2,"duedate":"2024-02-15T23:00:00.000Z","deletedAt":0,"boardId":3}
+          output:
+            no_log_contains: |
+              id "911100"|id "932200"|id "933210"|id "942200"|id "942260"|id "942370"|id "942430"|id "942440"