81 lines
3.0 KiB
Plaintext
81 lines
3.0 KiB
Plaintext
# ------------------------------------------------------------------------
|
|
# Gitea proxy rule exclusions plugin
|
|
# Copyright (c) 2024 Daniel Demus
|
|
#
|
|
# This plugin is distributed under Apache Software License (ASL) version 2
|
|
# Please see the enclosed LICENSE file for full details.
|
|
# ------------------------------------------------------------------------
|
|
|
|
# Plugin name: gitea-proxy-rule-exclusions
|
|
# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
|
|
# Rule ID block base: 92,000 - 92,999
|
|
# Plugin version: 1.1.0
|
|
|
|
# Documentation can be found here:
|
|
# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
|
|
|
|
# Generic rule to disable plugin
|
|
SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
|
|
"id:92001,\
|
|
phase:1,\
|
|
pass,\
|
|
nolog,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
ctl:ruleRemoveById=92002-92999"
|
|
|
|
#
|
|
# [ Local CRS initialization ]
|
|
#
|
|
# We need to initialize some of the CRS variables also here because plugin setup runs before
|
|
# CRS initialization (this is a known limitation of the current plugin architecture). Must be
|
|
# kept in sync with CRS default setting.
|
|
|
|
# Copy of CRS rule 901162.
|
|
SecRule &TX:allowed_request_content_type "@eq 0" \
|
|
"id:92902,\
|
|
phase:1,\
|
|
pass,\
|
|
nolog,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
|
|
|
# Modify CRS rule 901164
|
|
SecRule &TX:restricted_extensions "@eq 0" \
|
|
"id:92903,\
|
|
phase:1,\
|
|
pass,\
|
|
nolog,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
|
|
|
|
# Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
|
|
SecRule REQUEST_URI "@endsWith git-upload-pack" \
|
|
"id:92010,\
|
|
phase:1,\
|
|
pass,\
|
|
t:none,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
nolog,\
|
|
setvar:'tx.allowed_request_content_type=%{TX.allowed_request_content_type} |application/x-git-upload-pack-request|',\
|
|
setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
|
|
|
|
# Provide a way to whitelist filenames that are in restricted-files.data
|
|
SecRule REQUEST_FILENAME "@pmFromFile gitea-proxy-whitelisted-files.data" \
|
|
"id:92020,\
|
|
phase:1,\
|
|
pass,\
|
|
nolog,\
|
|
t:none,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
ctl:ruleRemoveById=930130"
|
|
|
|
# Gitea is written in Go, so disable PHP-related rules, as a PHP git project would cause false positives
|
|
SecAction \
|
|
"id:92040,\
|
|
phase:1,\
|
|
pass,\
|
|
log,\
|
|
t:none,\
|
|
ver:'gitea-proxy-rule-exclusions-plugin/1.2.0',\
|
|
ctl:ruleRemoveByTag=language-php"
|