github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Support SecRequestBodyNoFilesLimit

Browse Source
This commit is contained in:
Martin Vierula
2022-02-15 14:53:34 -08:00
parent 6bd1c7764e
commit 4c526fc218
3 changed files with 463 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

392
test/test-cases/regression/config-body_limits.json
View File

@@ -386,6 +386,398 @@
"SecResponseBodyLimitAction Reject",
"SecResponseBodyLimit 5"
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - urlencoded, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/x-www-form-urlencoded"
},
"uri":"/",
"method":"POST",
"body": [
"param1=value1&param2=value2&param3=value3"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - urlencoded, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/x-www-form-urlencoded"
},
"uri":"/",
"method":"POST",
"body": [
"param1=value1&param2=value2&param3=value3"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 60",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - json, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/json"
},
"uri":"/",
"method":"POST",
"body": [
"{\"param1\":{\"param2\":\"value2\",\"param3\":\"value3\"}}"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - json, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "41",
"Content-Type": "application/json"
},
"uri":"/",
"method":"POST",
"body": [
"{\"param1\":{\"param2\":\"value2\",\"param3\":\"value3\"}}"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 80",
"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - xml, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "application/xml"
},
"uri":"/",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><aaa><bbb>ccc</bbb><ddd>eee</ddd></aaa>"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 20",
"SecRule REQUEST_HEADERS:Content-Type \"(?:application(?:/soap\\+|/)|text/)xml\" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - xml, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "application/xml"
},
"uri":"/",
"method":"POST",
"body": [
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><aaa><bbb>ccc</bbb><ddd>eee</ddd></aaa>"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 90",
"SecRule REQUEST_HEADERS:Content-Type \"(?:application(?:/soap\\+|/)|text/)xml\" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - multipart, limit exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "multipart/form-data; boundary=0000"
},
"uri":"/",
"method":"POST",
"body": [
"--0000",
"Content-Disposition: form-data; name=\"a\"",
"",
"1",
"--0000",
"Content-Disposition: form-data; name=\"b\"; filename=\"c.txt\"",
"",
"2222222222222222222222222222222222222222222222222222222222222222222222",
"--0000--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"debug_log":"Request body excluding files is bigger than the maximum expected.",
"http_code":400
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 80",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
},
{
"enabled":1,
"version_min":300000,
"title":"SecRequestBodyNoFilesLimit - multipart, limit not exceeded",
"client":{
"ip":"200.249.12.31",
"port":123
},
"server":{
"ip":"200.249.12.31",
"port":80
},
"request":{
"headers":{
"Host":"localhost",
"User-Agent":"curl/7.38.0",
"Accept":"*/*",
"Content-Length": "77",
"Content-Type": "multipart/form-data; boundary=0000"
},
"uri":"/",
"method":"POST",
"body": [
"--0000",
"Content-Disposition: form-data; name=\"a\"",
"",
"1",
"--0000",
"Content-Disposition: form-data; name=\"b\"; filename=\"c.txt\"",
"",
"2222222222222222222222222222222222222222222222222222222222222222222222",
"--0000--"
]
},
"response":{
"headers":{
"Date":"Mon, 13 Jul 2015 20:02:41 GMT",
"Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
"Content-Type":"text/html"
},
"body":[
"no need."
]
},
"expected":{
"http_code":200
},
"rules":[
"SecRuleEngine On",
"SecRequestBodyAccess On",
"SecRequestBodyNoFilesLimit 120",
"SecRule REQBODY_ERROR \"!@eq 0\" \"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\""
]
}
]