diff --git a/internal/actions/deny.go b/internal/actions/deny.go
index 994f35c7..c9f783af 100644
--- a/internal/actions/deny.go
+++ b/internal/actions/deny.go
@@ -27,14 +27,21 @@ func (a *denyFn) Init(_ plugintypes.RuleMetadata, data string) error {
 }
 
 const noID = 0
+const noStatus = 0
 
 func (a *denyFn) Evaluate(r plugintypes.RuleMetadata, tx plugintypes.TransactionState) {
 rid := r.ID()
 if rid == noID {
 rid = r.ParentID()
 }
+status := r.Status()
+// deny action defaults to status 403
+if status == noStatus {
+// TODO(M4tteop): use http.StatusForbidden once we drop Go 1.20 support. http pkg unsupported with TinyGo and Go <1.20
+status = 403
+}
 tx.Interrupt(&types.Interruption{
-Status: r.Status(),
+Status: status,
 RuleID: rid,
 Action: "deny",
 })
diff --git a/testing/engine/disruptive_actions.go b/testing/engine/disruptive_actions.go
index 2f188878..1efb066d 100644
--- a/testing/engine/disruptive_actions.go
+++ b/testing/engine/disruptive_actions.go
@@ -43,7 +43,7 @@ var _ = profile.RegisterProfile(profile.Profile{
 Output: profile.ExpectedOutput{
 TriggeredRules: []int{2},
 Interruption: &profile.ExpectedInterruption{
-Status: 500,
+Status: 403,
 Data: "",
 RuleID: 2,
 Action: "deny",
@@ -285,7 +285,8 @@ var _ = profile.RegisterProfile(profile.Profile{
 },
 Rules: `
 SecRule REQUEST_URI "/redirect1$" "phase:1,id:1,log,status:302,redirect:https://www.example.com"
-SecRule REQUEST_URI "/deny1$" "phase:1,id:2,log,status:500,deny"
+# deny action defaults to status 403
+SecRule REQUEST_URI "/deny1$" "phase:1,id:2,log,deny"
 SecRule REQUEST_URI "/drop1$" "phase:1,id:3,log,drop"
 SecRule REQUEST_URI "/redirect2$" "phase:2,id:21,log,status:302,redirect:https://www.example.com"
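Review bot: The new `noStatus` constant and the literal `403` in Evaluate carry no documentation of what the sentinel means or why the fallback exists, so a later reader has to reverse-engineer that a zero from `r.Status()` stands for "rule set no status". I would give the constant a doc comment, `// noStatus is the value RuleMetadata.Status reports when the rule sets no explicit status; deny then falls back to defaultDenyStatus.`, and lift the literal into `const defaultDenyStatus = 403` next to it so the TODO about `http.StatusForbidden` has exactly one place to land, with the assignment becoming `status = defaultDenyStatus`. Note that the fallback is applied only inside this action, so anything else that reads `r.Status()` for a deny rule without an explicit status will presumably still see 0 — worth confirming that logging or other consumers of the rule's status agree with the interruption actually sent. The closing brace of Evaluate lies outside the hunk.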
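Review bot: With `status:500` removed from the only deny rule in this profile, the hunk at `@@ -285` (and its expectation at `@@ -43`) now covers just the default path, and the branch where a rule supplies an explicit status with deny is no longer exercised by this file. Unless that case is covered elsewhere, I would keep a second deny rule with an explicit status alongside the new one, e.g. `SecRule REQUEST_URI "/deny2$" "phase:1,id:4,log,status:500,deny"`, with a matching `Status: 500` expectation, so a regression in the `status != noStatus` path is caught. The `RegisterProfile` literal that encloses both hunks starts and ends outside them.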