From c567be56ba123b56dff6f29014e87cdeade0f381 Mon Sep 17 00:00:00 2001
From: Daniel Demus
Date: Wed, 25 Dec 2024 23:54:48 +0100
Subject: [PATCH] Disable PHP rules. Gitea is written in Go

---
 .../gitea-proxy-rule-exclusions-before.conf | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/plugins/gitea-proxy-rule-exclusions-before.conf b/plugins/gitea-proxy-rule-exclusions-before.conf
index feb19be..8d72b2a 100644
--- a/plugins/gitea-proxy-rule-exclusions-before.conf
+++ b/plugins/gitea-proxy-rule-exclusions-before.conf
@@ -20,7 +20,7 @@ SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
 ctl:ruleRemoveById=92002-92999"
 
 #
@@ -36,7 +36,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
 setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 
 # Modify CRS rule 901164
@@ -45,7 +45,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
 phase:1,\
 pass,\
 nolog,\
- ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
 setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
 
 # Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
@@ -54,7 +54,7 @@ SecRule REQUEST_URI "@endsWith git-upload-pack" \
 phase:1,\
 pass,\
 t:none,\
- ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
 nolog,\
 setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/x-git-upload-pack-request|',\
 setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
@@ -66,5 +66,15 @@ SecRule REQUEST_FILENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \
 pass,\
 nolog,\
 t:none,\
- ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
 ctl:ruleRemoveById=930130"
+
+# Gitea is written in Go, so disable PHP-related rules, as a PHP git project would cause false positives
+SecAction \
+ "id:92040,\
+ phase:1,\
+ pass,\
+ log,\
+ t:none,\
+ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
+ ctl:ruleRemoveByTag=language-php"
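Review bot: The new SecAction 92040 uses `log,` where every other rule in this file uses `nolog,`; because a SecAction with `pass` matches on every transaction, this writes a rule-92040 entry to the error/audit log for each request, so the consistent line is `nolog,\`. The `ctl:ruleRemoveByTag=language-php` also runs unconditionally in phase 1 — against the web UI and API as well as git traffic — while the comment justifies it only by PHP repository content; if pushes are the intended case, the exclusion could be narrowed to `SecRule REQUEST_URI "@endsWith git-receive-pack" \` (the same shape the file already uses for git-upload-pack at -54), and if web-editor or issue text is meant to be covered too, the comment should say so, so that the removed coverage is a documented decision. Rule id 92040 falls inside the 92002-92999 range removed by the plugin's enabled check at -20, so the plugin's disable switch covers it as expected.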