Added some basic regression tests.

2025-09-30 03:34:29 +03:00 · 2008-05-22 18:44:22 +00:00
parent f90ffeb970
commit 813127aa13
4 changed files with 657 additions and 18 deletions
--- a/apache2/t/regression/config/00-load-modsec.t
+++ b/apache2/t/regression/config/00-load-modsec.t
@@ -0,0 +1,23 @@
+{
+	type => "config",
+	comment => "module loaded",
+	match_log => {
+		error => [ qr/ModSecurity for Apache.* configured\./, 10 ],
+	},
+},
+{
+	type => "config",
+	comment => "minimal config",
+	conf => sub {
+		# Open the minimal conf file, substituting the
+		# relative log paths with full paths.
+		open(C, "<$ENV{DIST_ROOT}/modsecurity.conf-minimal") or die "$!\n";
+		(my $conf = join('', <C>)) =~ s#Log logs/#Log $ENV{TEST_SERVER_ROOT}/logs/#g;
+		close C;
+
+		return $conf;
+	},
+	match_log => {
+		error => [ qr/ModSecurity for Apache.* configured\./, 10 ],
+	},
+},
--- a/apache2/t/regression/config/10-request-directives.t
+++ b/apache2/t/regression/config/10-request-directives.t
@@ -0,0 +1,144 @@
+
+### SecArgumentSeparator
+{
+	type => "config",
+	comment => "SecArgumentSeparator (get-pos)",
+	conf => q(
+		SecRuleEngine On
+		SecArgumentSeparator ";"
+		SecRule ARGS:a "@streq 1" "phase:1,deny,chain"
+		SecRule ARGS:b "@streq 2"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 1\). String match "2" at ARGS:b./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?a=1;b=2",
+	),
+},
+{
+	type => "config",
+	comment => "SecArgumentSeparator (get-neg)",
+	conf => q(
+		SecRuleEngine On
+		SecRule ARGS:a "@streq 1" "phase:1,deny,chain"
+		SecRule ARGS:b "@streq 2"
+	),
+	match_log => {
+		-error => [ qr/Access denied/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?a=1;b=2",
+	),
+},
+{
+	type => "config",
+	comment => "SecArgumentSeparator (post-pos)",
+	conf => q(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecArgumentSeparator ";"
+		SecRule ARGS:a "@streq 1" "phase:2,deny,chain"
+		SecRule ARGS:b "@streq 2"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 2\). String match "2" at ARGS:b./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"a=1;b=2",
+	),
+},
+{
+	type => "config",
+	comment => "SecArgumentSeparator (post-neg)",
+	conf => q(
+		SecRuleEngine On
+		SecRequestBodyAccess On
+		SecRule ARGS:a "@streq 1" "phase:2,deny"
+		SecRule ARGS:b "@streq 2" "phase:2,deny"
+	),
+	match_log => {
+		-error => [ qr/Access denied/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"a=1;b=2",
+	),
+},
+
+### SecRequestBodyAccess
+{
+	type => "config",
+	comment => "SecRequestBodyAccess (pos)",
+	conf => qq(
+		SecRuleEngine On
+		SecAuditEngine On
+		SecAuditLogParts ABCDEFGHIJKZ
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecAuditLog $ENV{AUDIT_LOG}
+		SecRequestBodyAccess On
+		SecRule ARGS:a "\@streq 1" "phase:2,deny,chain"
+		SecRule ARGS:b "\@streq 2"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 2\). String match "2" at ARGS:b./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"a=1&b=2",
+	),
+},
+{
+	type => "config",
+	comment => "SecRequestBodyAccess (neg)",
+	conf => qq(
+		SecRuleEngine On
+		SecAuditEngine On
+		SecAuditLogParts ABCDEFGHIJKZ
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+		SecAuditLog $ENV{AUDIT_LOG}
+		SecRequestBodyAccess Off
+		SecRule ARGS:a "\@streq 1" "phase:2,deny"
+		SecRule ARGS:b "\@streq 2" "phase:2,deny"
+	),
+	match_log => {
+		-error => [ qr/Access denied/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		"a=1&b=2",
+	),
+},
--- a/apache2/t/regression/rule/00-disruptive-actions.t
+++ b/apache2/t/regression/rule/00-disruptive-actions.t
@@ -0,0 +1,427 @@
+### Pass
+{
+	type => "rule",
+	comment => "pass action in phase:1",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:1,pass"
+		SecAction "phase:1,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "pass action in phase:2",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:2,pass"
+		SecAction "phase:2,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "pass action in phase:3",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:3,pass"
+		SecAction "phase:3,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "pass action in phase:4",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:4,pass"
+		SecAction "phase:4,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+### Allow
+{
+	type => "rule",
+	comment => "allow action in phase:1",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:1,allow"
+		SecAction "phase:1,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access allowed \(phase 1\). Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "allow action in phase:2",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:2,allow"
+		SecAction "phase:2,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access allowed \(phase 2\). Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "allow action in phase:3",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:3,allow"
+		SecAction "phase:3,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access allowed \(phase 3\). Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "allow action in phase:4",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:4,allow"
+		SecAction "phase:4,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access allowed \(phase 4\). Unconditional match in SecAction/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+### Deny
+{
+	type => "rule",
+	comment => "deny action in phase:1",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:1,deny"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 1\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "deny action in phase:2",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:2,deny"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 2\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "deny action in phase:3",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:3,deny"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 3\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "deny action in phase:4",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:4,deny"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 4\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+### Drop
+{
+	type => "rule",
+	comment => "drop action in phase:1",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:1,drop"
+	),
+	match_log => {
+		error => [ qr/Access denied with connection close \(phase 1\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "drop action in phase:2",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:2,drop"
+	),
+	match_log => {
+		error => [ qr/Access denied with connection close \(phase 2\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "drop action in phase:3",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:3,drop"
+	),
+	match_log => {
+		error => [ qr/Access denied with connection close \(phase 3\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "drop action in phase:4",
+	conf => qq(
+		SecRuleEngine On
+		SecAction "phase:4,drop"
+	),
+	match_log => {
+		error => [ qr/Access denied with connection close \(phase 4\). Unconditional match in SecAction./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+### Redirect
+{
+	type => "rule",
+	comment => "redirect action in phase:1 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 1\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "redirect action in phase:2 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 2\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "redirect action in phase:3 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 3\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "redirect action in phase:4 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 4\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+
+### Proxy
+{
+	type => "rule",
+	comment => "proxy action in phase:1 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied using proxy to \(phase 1\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "proxy action in phase:2 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied using proxy to \(phase 2\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "proxy action in phase:3 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with code 500 \(phase 3\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},
+{
+	type => "rule",
+	comment => "proxy action in phase:4 (get)",
+	conf => qq(
+		SecRuleEngine On
+		SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with code 500 \(phase 4\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
+	),
+},