Martin Vierula
afb48b2c97
Adjust one automated test
2023-01-04 08:00:49 -08:00
Martin Vierula
0981b325a7
Support configurable limit on number of arguments processed
2022-12-14 07:01:23 -08:00
Martin Vierula
bb372850ac
Adjust parser activation rules in modsecurity.conf-recommended
2022-09-07 11:43:54 -07:00
Martin Vierula
7a489bd07c
Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
2022-09-07 11:09:47 -07:00
Martin Vierula
159cb4e93c
Fix a failing test.
2022-08-20 15:24:37 -07:00
Martin Vierula
4a98032b7f
Allow no-key, single-value JSON body
2022-05-03 12:34:03 -07:00
Martin Vierula
065dbe7e76
Multipart names may include single quote if double-quote enclosed
2021-12-22 10:37:03 -08:00
Martin Vierula
41918335fa
Support configurable limit on depth of JSON parsing
2021-11-18 17:35:40 -08:00
Felipe Zimmerle
25e5543c7f
Allow empty arrays in JSON parser
...
Issue #1576
2018-11-26 10:40:46 -03:00
Felipe Zimmerle
fecc4296e3
Adds more tests to REQUEST_BASENAME
...
Meant to test #1795
2018-09-04 22:40:26 -03:00
Felipe Zimmerle
9f92321afb
Fix test case to match new version of curl.
...
Error message was changed
2017-07-14 10:37:58 -03:00
Mario D. Santana
e3b3721ee3
Allow mod_proxy's "nocanon" behavior to be specified in proxy actions.
2016-01-06 08:23:52 -03:00
Felipe Zimmerle
462308be74
Improves the accuracy of version identification on status calls
...
Trying to differentiate among IIS, Apache, NGINX, and Standalone builds.
2015-02-11 18:37:01 -08:00
Felipe Zimmerle
ce4cf24f6e
Refactoring external resources download warn messages
...
Holding the message to be displayed when Apache is ready to write on the
error_log instead of the default output. Regression tests were added.
2014-12-11 12:42:49 -08:00
Felipe Zimmerle
b019f6056f
fix typo
...
- Adds a missing "s" while informing the amount of remote loaded rules.
- Renames text file that was wrongly named as .py
2014-11-17 19:32:43 -08:00
Felipe Zimmerle
723336f1fb
Adds regression test for FILE_TMP_CONTENT
2014-11-14 11:53:40 -08:00
Felipe Zimmerle
86787f2af9
Adds SecRemoteRules regression tests.
...
Added two test cases for SecRemoteRules. Contents are loaded from
https://www.modsecurity.org
2014-11-14 11:53:40 -08:00
Felipe Zimmerle
b5398abaf2
Forces downloads using https-only for resources or rules
...
This commit makes ModSecurity refuse to download or install rules
(SecRemoteRules) from sites that are not running HTTPS with a valid and
trusted certificate.
2014-11-14 11:53:40 -08:00
Felipe Zimmerle
899ee0c365
Adds support to load remote resources to pmFromFile and ipMatchFromFile
...
Initially those directives were only able to load content from a
local file. This commit extends this functionality allowing the user to
provide an HTTP URI that can be downloaded and loaded by ModSecurity.
Initially the download is associated with a server restart. For next
versions we expect to load such resources as they become outdated (without
need to restart the server).
2014-11-14 11:53:40 -08:00
Felipe Zimmerle
cee205b109
Adds Status test case with the SecServerSignature being used
...
If SecServerSignature is used ModSecurity should send the real data, not the
one informed to SecServerSignature.
Originally reported by: Linas
2014-11-14 11:53:39 -08:00
Felipe Zimmerle
c64a681c65
Temporarily disable a test that is leading nginx buildbot to fail.
2014-11-14 11:53:39 -08:00
Felipe Zimmerle
a45fe95ed5
FuzzyHash: if disabled, giving a run time error instead of config
...
FuzzyHash operator is optional and only installed if the headers for libfuzzy
were found in the system. Otherwise, the FuzzyHash operator is disabled during
the compilation. After this commit, if some rule tries to use it, ModSecurity
will produce a runtime error, not a config time error, allowing the web server
to proceed normally with its operations.
2014-11-14 11:53:39 -08:00
Felipe Zimmerle
fa0c97ea7b
Adds regression test to cover the @fuzzyHash operator
...
Added 30-fuzzyHash.t and the ssdeep hash files. Hash files were generated using
files from ModSecurity repository.
2014-11-14 11:53:39 -08:00
Felipe Zimmerle
79639b5e47
Accepts random port on FULL_REQUEST regression test
...
FULL_REQUEST regression test was failing over the buildbots due to the
usage of non-default ports. Now it is accepting any number.
2014-07-25 04:46:59 -07:00
Felipe Zimmerle
66939d059b
Adds initial support to @detectXSS
...
Libinject was recently updated to support XSS detection. This commit adds
initial support to it.
2014-03-31 16:22:11 -07:00
Felipe Zimmerle
52bef20ce5
Adds unit test to the JSON parser
...
Unit test to test whenever the JSON parser is enabled
2014-03-31 16:22:09 -07:00
Felipe Zimmerle
d75e443b9b
Adds regression test to SecStatusEngine
...
Just checking the error log while having SecStatusEngine set to On in a first
test and Off in a second.
2014-03-31 07:14:55 -07:00
Felipe Zimmerle
d93ce9ceee
Adds REQUEST_FULL and REQUEST_FULL_LENGTH variables
...
This variable is a combination from REQUEST_LINE, REQUEST_HEADERS and
REQUEST_BODY (if any). Expects for \n\n in between each of those values.
2014-03-31 07:14:55 -07:00
Felipe Zimmerle
5f996d45f0
Adds regression test to SecRequestBodyLimitAction
...
This commit adds the following regression tests to SecRequestBodyLimitAction:
* config - SecRequestBodyLimitAction Reject (multipart/greater - chunked): passed
* config - SecRequestBodyLimitAction Reject (plain/greater): passed
* config - SecRequestBodyLimitAction ProcessPartial (multipart/greater - chunked): passed
* config - SecRequestBodyLimitAction ProcessPartial (plain/greater): passed
2014-02-28 13:33:49 -08:00
Felipe Zimmerle
5d2e3d4321
test: 10-misc-directives.t is not considering log anymore
...
In this case the new server name is expected to be logged, only in the Apache
version or the debug version of Nginx. The test is still valid, in the sense
that it is checking for the server response, expecting the new "Server:"
header.
2014-01-17 13:02:48 -08:00
Felipe Zimmerle
8804b55cdd
test: Makes regression test mac friendly
...
Apache configuration was updated and the configure script is using
an alternative way to discover the libexecdir.
2014-01-17 11:24:53 -08:00
Felipe Zimmerle
9bf1f6a2b3
test: removes unnecessary ifDefine at 10-tfn-cache.t
...
IfDefines such as: <IfDefine MODSEC_2.5> are just compatible with Apache. A
solution to check if some resource is available or not has to be developed
to be used in situations like that. This commit just removes the IfDefine.
2014-01-13 08:11:42 -08:00
Felipe Zimmerle
6c106b1fd7
test: disabling: SecAuditLogType Concurrent
...
The test is making usage of a custom script, which is not functional
in Nginx due to timing issues. Disabling it for now until we come up
with a solution that works for every port/version.
2014-01-13 05:44:28 -08:00
Felipe Zimmerle
3cf1701794
test: Adds loading tests also to nginx.
...
It was trying to match "ModSecurity for Apache.* configured". This patch
makes it expect for "ModSecurity for nginx.* configured" while nginx
version is being used/tested.
2014-01-09 12:13:47 -08:00
Felipe Zimmerle
795d6a64d2
nginx: Warn about not workable 'proxy'
...
Proxy is not yet ready for nginx. Instead of giving a generic error, this patch
adds a clean message explaining that such functionality is not available on the
nginx port. This patch also modifies the test cases to reflect these changes.
2014-01-09 11:12:28 -08:00
Felipe Zimmerle
21e25c50af
test: nginx: Adds missing files
...
This commit is just to circumvent a problem, there is no need to have
those files duplicated in our repository, that will be fixed soon.
2014-01-06 19:52:10 -08:00
Felipe Zimmerle
176396ddc1
tests: nginx: Allow POSTs in static files
...
By default Nginx does not allow POST in static files, which is very
used by the regression test. This is an ugly hack just to make it possible
to gather some numbers. Better solution will arrive soon.
2014-01-06 19:22:27 -08:00
Felipe Zimmerle
fb4e1f1b6b
tests: Adds random data to a post making it workable in nginx
...
For some reason nginx fails in a post with no body. This patch adds some random
data here. Other platforms should not be affected.
2014-01-03 09:36:25 -08:00
Felipe Zimmerle
0ad390d12d
Tests: fixes tests/regression/rule/10-xml.t
...
SecXmlExternalEntity was not informed. By default its value is Off. This patch
sets the SecXmlExternalEntity to On in order to load the external resources
needed for this test case.
2014-01-01 20:56:06 -08:00
Felipe Zimmerle
ba0818ca32
tests: cleans up the apache configuration file
...
Simplified the apache configuration file, so that we can easily handle
different Apache versions
2014-01-01 16:09:21 -08:00
Felipe Zimmerle
6325ed8d41
Tests: fixes regression/misc/10-tfn-cache.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 11:49:08 -08:00
Felipe Zimmerle
ddb4fceb63
Tests: fixes regression/rule/20-exceptions.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 11:21:37 -08:00
Felipe Zimmerle
0c99063aae
Tests: fixes regression/rule/00-basics.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 11:02:20 -08:00
Felipe Zimmerle
7c9ebfeb20
Tests: fixes regression/action/10-logging.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 10:52:44 -08:00
Felipe Zimmerle
11287a6b95
test: fixes regression/misc/00-multipart-parser.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 10:29:21 -08:00
Felipe Zimmerle
b0025c88fa
tests: fixes regression/config/10-request-directives.t
...
Tests were failing because they were written wrong/outdated.
2014-01-01 10:28:56 -08:00
Felipe Zimmerle
e5560a6a43
tests: fixes regression/config/10-misc-directives.t
...
SecDefaultAction was failing due to a wrongly written test.
2014-01-01 10:00:08 -08:00
Felipe Zimmerle
ae252ee876
Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2)
2013-12-12 14:53:49 -08:00
Felipe Zimmerle
6fc4cac37a
regression-tests: makes configuration compatible with 2.2 and 2.4
2013-12-12 14:53:49 -08:00
Felipe Zimmerle
e9813cd0d9
Regression test: get it working with apache 2.4
...
Changes in httpd.conf.in to get it working with apache 2.4
2013-12-12 14:53:49 -08:00