Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
98b9134fcd | |||
c0a9f061c4 | |||
a458e07f5c | |||
a99f118c3a | |||
c567be56ba | |||
|
5f2c71c611 |
@ -9,13 +9,19 @@
|
||||
# Plugin name: gitea-proxy-rule-exclusions
|
||||
# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
|
||||
# Rule ID block base: 92,000 - 92,999
|
||||
# Plugin version: 1.0.0
|
||||
# Plugin version: 1.5.0
|
||||
|
||||
# Documentation can be found here:
|
||||
# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
|
||||
|
||||
# Generic rule to disable plugin
|
||||
SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:92001,phase:1,pass,nolog,ctl:ruleRemoveById=92002-92999"
|
||||
SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
|
||||
"id:92001,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
ctl:ruleRemoveById=92002-92999"
|
||||
|
||||
#
|
||||
# [ Local CRS initialization ]
|
||||
@ -30,8 +36,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/proto|'"
|
||||
|
||||
# Modify CRS rule 901164
|
||||
SecRule &TX:restricted_extensions "@eq 0" \
|
||||
@ -39,16 +45,71 @@ SecRule &TX:restricted_extensions "@eq 0" \
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
|
||||
|
||||
# Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
|
||||
# Copy of CRS rule 901160.
|
||||
SecRule &TX:allowed_methods "@eq 0" \
|
||||
"id:92904,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Modify CRS rule 901165 and 920420. git-upload-pack has it's own content-type and uses the content-encoding header
|
||||
SecRule REQUEST_URI "@endsWith git-upload-pack" \
|
||||
"id:92010,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/x-git-upload-pack-request|',\
|
||||
setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/x-git-upload-pack-request|',\
|
||||
setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
|
||||
|
||||
# Modify CRS rule 911100 and 920420. docker push uploads blobs
|
||||
SecRule REQUEST_URI "@beginsWith /v2" \
|
||||
"id:92011,\
|
||||
phase:1,\
|
||||
chain,\
|
||||
pass,\
|
||||
t:none,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/octet-stream| |application/vnd.docker.distribution.manifest.v2+json|',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH',\
|
||||
ctl:requestBodyLimit=1073741824"
|
||||
SecRule REQUEST_URI "@strmatch /blobs/uploads/" "t:none"
|
||||
|
||||
# Modify CRS rule 911100 and 920420. CURL package uploads
|
||||
SecRule REQUEST_URI "@beginsWith /api/packages" \
|
||||
"id:92012,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.3.0',\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/octet-stream|',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE',\
|
||||
ctl:requestBodyLimit=1073741824"
|
||||
|
||||
# Provide a way to whitelist filenames that are in restricted-files.data
|
||||
SecRule REQUEST_FILENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \
|
||||
"id:92020,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
t:none,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
ctl:ruleRemoveById=930130"
|
||||
|
||||
# Gitea is written in Go, so disable PHP-related rules, as a PHP git project would cause false positives
|
||||
SecAction \
|
||||
"id:92040,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
t:none,\
|
||||
ver:'gitea-proxy-rule-exclusions-plugin/1.5.0',\
|
||||
ctl:ruleRemoveByTag=language-php"
|
||||
|
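Review bot: In rule 92011 the two `setvar` actions and `ctl:requestBodyLimit=1073741824` sit on the chain-starter rule (`@beginsWith /v2`), and as I read ModSecurity 2.x chain semantics, non-disruptive actions on the starter execute as soon as that rule matches, before the chained `@strmatch /blobs/uploads/` is evaluated — so every request whose URI starts with `/v2` would get PUT/PATCH, `application/octet-stream` and a 1 GiB body limit, which is exactly what the chain was meant to restrict. CRS places such actions on the last rule of a chain; the rewrite below moves them there and tightens the starter to `@beginsWith /v2/` so that `/v2foo` is not caught. Once the actions only fire on a completed chain, manifest uploads (paths without `/blobs/uploads/`) no longer receive the `manifest.v2+json` content type the rule adds, so the author should confirm whether the second rule's pattern also needs to cover those paths.
```apache
SecRule REQUEST_URI "@beginsWith /v2/" \
    "id:92011,\
    # … unchanged: phase:1, chain, pass, t:none, ver …
    nolog"
    SecRule REQUEST_URI "@strmatch /blobs/uploads/" \
        "t:none,\
        setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/octet-stream| |application/vnd.docker.distribution.manifest.v2+json|',\
        setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH',\
        ctl:requestBodyLimit=1073741824"
```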
@ -9,7 +9,7 @@
|
||||
# Plugin name: gitea-proxy-rule-exclusions
|
||||
# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
|
||||
# Rule ID block base: 92,000 - 92,999
|
||||
# Plugin version: 1.0.0
|
||||
# Plugin version: 1.1.0
|
||||
|
||||
# Documentation can be found here:
|
||||
# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
|
||||
@ -38,6 +38,5 @@
|
||||
# phase:1,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
|
||||
# ver:'gitea-proxy-rule-exclusions-plugin/1.4.0',\
|
||||
# setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'"
|
||||
|
||||
|
10
plugins/gitea-proxy-whitelisted-files.data
Normal file
@ -0,0 +1,10 @@
|
||||
# Rule 930130 returns 403 Forbidden to requests for restricted filenames
|
||||
# See restricted-files.data for the list of restricted filenames
|
||||
# Add exceptions here
|
||||
|
||||
# Git files are expected on a git server
|
||||
.gitignore
|
||||
.gitattributes
|
||||
|
||||
# Exclude IDE config folders
|
||||
.idea
|
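Review bot: The header comment should state how these entries are matched: rule 92020 feeds this file to `@pmFromFile`, which does a case-insensitive substring match against REQUEST_FILENAME, so `.idea` removes rule 930130 for any request whose path contains that substring anywhere, not only for a directory literally named `.idea`. I would add, under the first comment line, `# Entries are matched as case-insensitive substrings of REQUEST_FILENAME by rule 92020 (@pmFromFile); keep them as specific as possible` and keep the list to names unlikely to occur inside unrelated paths. If exact path components are intended, an anchored `@rx` would be the safer operator, but that is a change to the .conf file rather than to this data file.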