From 5f2c71c6114f4741e2b6c06c91fcaeadefc63445 Mon Sep 17 00:00:00 2001
From: Daniel Demus
Date: Sun, 11 Aug 2024 01:08:56 +0200
Subject: [PATCH] Add filenames to exclude from restricted-filenames.data blocking

---
 .../gitea-proxy-rule-exclusions-before.conf | 28 +++++++++++++++----
 .../gitea-proxy-rule-exclusions-config.conf | 5 ++--
 plugins/gitea-proxy-whitelisted-files.data | 7 +++++
 3 files changed, 31 insertions(+), 9 deletions(-)
 create mode 100644 plugins/gitea-proxy-whitelisted-files.data

diff --git a/plugins/gitea-proxy-rule-exclusions-before.conf b/plugins/gitea-proxy-rule-exclusions-before.conf
index 8080ecf..feb19be 100644
--- a/plugins/gitea-proxy-rule-exclusions-before.conf
+++ b/plugins/gitea-proxy-rule-exclusions-before.conf
@@ -9,13 +9,19 @@
 # Plugin name: gitea-proxy-rule-exclusions
 # Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
 # Rule ID block base: 92,000 - 92,999
-# Plugin version: 1.0.0
+# Plugin version: 1.1.0
 # Documentation can be found here:
 # https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
 
 
 # Generic rule to disable plugin
-SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:92001,phase:1,pass,nolog,ctl:ruleRemoveById=92002-92999"
+SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
+    "id:92001,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+    ctl:ruleRemoveById=92002-92999"
 
 #
 # [ Local CRS initialization ]
@@ -30,7 +36,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
     setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 
 # Modify CRS rule 901164
@@ -39,7 +45,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
     setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
 
 # Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
@@ -48,7 +54,17 @@ SecRule REQUEST_URI "@endsWith git-upload-pack" \
     phase:1,\
     pass,\
     t:none,\
-    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
     nolog,\
-    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/x-git-upload-pack-request|',\
+    setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/x-git-upload-pack-request|',\
     setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+
+# Provide a way to whitelist filenames that are in restricted-files.data
+SecRule REQUEST_FILENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \
+    "id:92020,\
+    phase:1,\
+    pass,\
+    nolog,\
+    t:none,\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+    ctl:ruleRemoveById=930130"
diff --git a/plugins/gitea-proxy-rule-exclusions-config.conf b/plugins/gitea-proxy-rule-exclusions-config.conf
index 591e33d..a26dda1 100644
--- a/plugins/gitea-proxy-rule-exclusions-config.conf
+++ b/plugins/gitea-proxy-rule-exclusions-config.conf
@@ -9,7 +9,7 @@
 # Plugin name: gitea-proxy-rule-exclusions
 # Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
 # Rule ID block base: 92,000 - 92,999
-# Plugin version: 1.0.0
+# Plugin version: 1.1.0
 # Documentation can be found here:
 # https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
 
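Review bot: Rule 92020 switches off 930130 for the entire request whenever a whitelisted phrase appears anywhere in the raw path, because `@pmFromFile` is a substring match and the rule runs with `t:none` against `REQUEST_FILENAME`, whereas CRS 930130 evaluates the path after its own decode/normalize/lowercase transformation chain (confirm against the CRS version deployed). A path like `/owner/repo/raw/branch/main/.gitignore/../.env` therefore satisfies 92020 on the literal `.gitignore` while 930130 would have normalized it to a `.env` path and blocked it, so the exclusion removes the check before it can fire; whether Gitea resolves the traversal is a separate question, the WAF rule is bypassed either way. Consider confining the match to the final path component and applying the same transformations as the rule being excluded, i.e. `SecRule REQUEST_BASENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \` and `t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\` in place of the bare `t:none,\`, and extend the comment above the rule to say that entries are substring-matched and must be full basenames. The git-upload-pack rule whose `setvar` lines open this hunk begins outside it.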
@@ -38,6 +38,5 @@
 # phase:1,\
 # pass,\
 # nolog,\
-# ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+# ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
 # setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'"
-
diff --git a/plugins/gitea-proxy-whitelisted-files.data b/plugins/gitea-proxy-whitelisted-files.data
new file mode 100644
index 0000000..0f0334a
--- /dev/null
+++ b/plugins/gitea-proxy-whitelisted-files.data
@@ -0,0 +1,7 @@
+# Rule 930130 returns 403 Forbidden to requests for restricted filenames
+# See restricted-files.data for the list of restricted filenames
+# Add exceptions here
+
+# Git files are expected on a git server
+.gitignore
+.gitattributes
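Review bot: The header of the new data file should state how its entries are matched, because the rule that consumes it uses `@pmFromFile`, a case-insensitive substring match on the request path rather than an exact filename comparison, so a short or directory-style entry (for example `.git/`) would silently disable 930130 for every request whose path contains it. Suggest adding, after `# Add exceptions here`, the line `# Entries are matched as case-insensitive substrings of the request path (@pm): list complete basenames only, one per line, never partial names or directory prefixes`. It is also worth noting in the same header that an entry has effect only if the phrase is present in CRS restricted-files.data, since the rule does nothing but remove 930130 for the matching request.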