

2 Commits
1.0.0 ... main

c567be56ba Disable PHP rules. Gitea is written in Go 2024-12-26 00:13:39 +01:00
Daniel Demus
5f2c71c611 Add filenames to exclude from restricted-filenames.data blocking 2024-08-11 19:24:55 +02:00
3 changed files with 41 additions and 9 deletions


@ -9,13 +9,19 @@
# Plugin name: gitea-proxy-rule-exclusions # Plugin name: gitea-proxy-rule-exclusions
# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy # Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
# Rule ID block base: 92,000 - 92,999 # Rule ID block base: 92,000 - 92,999
# Plugin version: 1.0.0 # Plugin version: 1.1.0
# Documentation can be found here: # Documentation can be found here:
# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git # https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
# Generic rule to disable plugin # Generic rule to disable plugin
SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:92001,phase:1,pass,nolog,ctl:ruleRemoveById=92002-92999" SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
"id:92001,\
phase:1,\
pass,\
nolog,\
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
ctl:ruleRemoveById=92002-92999"
# #
# [ Local CRS initialization ] # [ Local CRS initialization ]
@ -30,7 +36,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
phase:1,\ phase:1,\
pass,\ pass,\
nolog,\ nolog,\
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Modify CRS rule 901164 # Modify CRS rule 901164
@ -39,7 +45,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
phase:1,\ phase:1,\
pass,\ pass,\
nolog,\ nolog,\
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'" setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
# Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header # Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
@ -48,7 +54,27 @@ SecRule REQUEST_URI "@endsWith git-upload-pack" \
phase:1,\ phase:1,\
pass,\ pass,\
t:none,\ t:none,\
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
nolog,\ nolog,\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/x-git-upload-pack-request|',\ setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/x-git-upload-pack-request|',\
setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
# Provide a way to whitelist filenames that are in restricted-files.data
SecRule REQUEST_FILENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \
"id:92020,\
phase:1,\
pass,\
nolog,\
t:none,\
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
ctl:ruleRemoveById=930130"
# Gitea is written in Go, so disable PHP-related rules, as a PHP git project would cause false positives
SecAction \
"id:92040,\
phase:1,\
pass,\
log,\
t:none,\
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
ctl:ruleRemoveByTag=language-php"
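Review bot: The `# Plugin version:` header on the new side of the first hunk says 1.1.0 while every `ver:` tag this commit writes, including the new rules 92020 and 92040, says `gitea-proxy-rule-exclusions-plugin/1.2.0`, and the second changed file carries 1.1.0 in both its header and its `ver:` tag, so one version string should be chosen and applied consistently across both files. Rule 92020 relies on `@pmFromFile`, which matches each entry of the data file as a case-insensitive substring of REQUEST_FILENAME, so any path that merely contains `.gitignore` or `.gitattributes` somewhere in it removes rule 930130 for the entire request rather than exempting only that filename; if the intent is to exempt the file itself, an anchored check such as `SecRule REQUEST_FILENAME "@rx (?:^|/)\.(?:gitignore|gitattributes)$" \` is narrower, and the header comment of the new data file (third changed file) should state the substring-match semantics so future entries are written with that in mind. Rule 92040 is the only rule in the plugin that uses `log`; as an unconditional SecAction it will emit a log entry on every request, which looks unintended next to its siblings, so `nolog,\` is the likely fix. The comment above 92040 should also state that `ctl:ruleRemoveByTag=language-php` disables all PHP-tagged CRS rules for every request through the proxy, not only for repository content paths, since that is a noticeably broader exclusion than the per-URI rules earlier in the file.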


@ -9,7 +9,7 @@
# Plugin name: gitea-proxy-rule-exclusions # Plugin name: gitea-proxy-rule-exclusions
# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy # Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
# Rule ID block base: 92,000 - 92,999 # Rule ID block base: 92,000 - 92,999
# Plugin version: 1.0.0 # Plugin version: 1.1.0
# Documentation can be found here: # Documentation can be found here:
# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git # https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
@ -38,6 +38,5 @@
# phase:1,\ # phase:1,\
# pass,\ # pass,\
# nolog,\ # nolog,\
# ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ # ver:'gitea-proxy-rule-exclusions-plugin/1.1.0',\
# setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'" # setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'"


@ -0,0 +1,7 @@
# Rule 930130 returns 403 Forbidden to requests for restricted filenames
# See restricted-files.data for the list of restricted filenames
# Add exceptions here
# Git files are expected on a git server
.gitignore
.gitattributes