From f35d7cb95947499a83668e946e29b940630ce1d2 Mon Sep 17 00:00:00 2001
From: Matteo Pace
Date: Tue, 16 Jul 2024 23:19:38 +0200
Subject: [PATCH 1/2] chore: deny action with default status 403
---
 internal/actions/deny.go | 10 +++++++++-
 testing/engine/disruptive_actions.go | 5 +++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/internal/actions/deny.go b/internal/actions/deny.go
index 994f35c7d..b7ab5c8cd 100644
--- a/internal/actions/deny.go
+++ b/internal/actions/deny.go
@@ -4,6 +4,8 @@
 package actions
 import (
+ "net/http"
+
 "github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 "github.com/corazawaf/coraza/v3/types"
 )
@@ -27,14 +29,20 @@ func (a *denyFn) Init(_ plugintypes.RuleMetadata, data string) error {
 }
 const noID = 0
+const noStatus = 0
 func (a *denyFn) Evaluate(r plugintypes.RuleMetadata, tx plugintypes.TransactionState) {
 rid := r.ID()
 if rid == noID {
 rid = r.ParentID()
 }
+ status := r.Status()
+ // deny action defaults to status 403
+ if status == noStatus {
+ status = http.StatusForbidden
+ }
 tx.Interrupt(&types.Interruption{
- Status: r.Status(),
+ Status: status,
 RuleID: rid,
 Action: "deny",
 })
diff --git a/testing/engine/disruptive_actions.go b/testing/engine/disruptive_actions.go
index 2f1888784..1efb066d2 100644
--- a/testing/engine/disruptive_actions.go
+++ b/testing/engine/disruptive_actions.go
@@ -43,7 +43,7 @@ var _ = profile.RegisterProfile(profile.Profile{
 Output: profile.ExpectedOutput{
 TriggeredRules: []int{2},
 Interruption: &profile.ExpectedInterruption{
- Status: 500,
+ Status: 403,
 Data: "",
 RuleID: 2,
 Action: "deny",
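Review bot: In `Evaluate` (internal/actions/deny.go), `status` is taken from `r.Status()` even on the path where `rid` has just fallen back to `r.ParentID()`, so a rule without its own ID gets the 403 default without the parent being consulted. If such a rule can have its `status` declared on the parent (not visible in this hunk), the interruption would now carry 403 rather than the operator-configured value, where the previous 0 at least signalled that no status was found; this is worth confirming before merging. Either way I would document the sentinel on the constant, e.g. `// noStatus is the value r.Status() yields when the rule has no status action; deny then falls back to 403.` The closing brace of `Evaluate` lies outside the hunk.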
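Review bot: This profile no longer exercises a `deny` rule that carries an explicit `status`: the expected `Status` in this hunk moves from 500 to 403, and the later hunk (`@@ -285,7 +285,8 @@`) drops `status:500` from the only visible deny rule. That leaves the pass-through branch of the new code (a non-zero `r.Status()`) without a test here; other profiles may cover it, but none is visible in this patch. I would keep the original `status:500,deny` rule with its 500 expectation and add a separate rule for the default, e.g. `SecRule REQUEST_URI "/deny2$" "phase:1,id:4,log,deny"` (example id, pick one unused in the profile) with an expected interruption of 403. The profile literal starts and ends outside both hunks.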
@@ -285,7 +285,8 @@ var _ = profile.RegisterProfile(profile.Profile{
 },
 Rules: `
 SecRule REQUEST_URI "/redirect1$" "phase:1,id:1,log,status:302,redirect:https://www.example.com"
-SecRule REQUEST_URI "/deny1$" "phase:1,id:2,log,status:500,deny"
+# deny action defaults to status 403
+SecRule REQUEST_URI "/deny1$" "phase:1,id:2,log,deny"
 SecRule REQUEST_URI "/drop1$" "phase:1,id:3,log,drop"
 SecRule REQUEST_URI "/redirect2$" "phase:2,id:21,log,status:302,redirect:https://www.example.com"
From 7fa03db4418486419ba64bffe53abb92710918d5 Mon Sep 17 00:00:00 2001
From: Matteo Pace
Date: Tue, 16 Jul 2024 23:43:44 +0200
Subject: [PATCH 2/2] fix for tinygo
---
 internal/actions/deny.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/internal/actions/deny.go b/internal/actions/deny.go
index b7ab5c8cd..c9f783afd 100644
--- a/internal/actions/deny.go
+++ b/internal/actions/deny.go
@@ -4,8 +4,6 @@
 package actions
 import (
- "net/http"
-
 "github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 "github.com/corazawaf/coraza/v3/types"
 )
@@ -39,7 +37,8 @@ func (a *denyFn) Evaluate(r plugintypes.RuleMetadata, tx plugintypes.Transaction
 status := r.Status()
 // deny action defaults to status 403
 if status == noStatus {
- status = http.StatusForbidden
+ // TODO(M4tteop): use http.StatusForbidden once we drop Go 1.20 support. http pkg unsupported with TinyGo and Go <1.20
+ status = 403
 }
 tx.Interrupt(&types.Interruption{
 Status: status,
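Review bot: The bare `403` assigned inside `Evaluate` would read better as a named constant declared next to `noID` and `noStatus`, e.g. `const defaultDenyStatus = 403`, with the TODO moved onto that declaration so the default block status is defined in one place. The TODO itself gives two different version bounds: it says to switch back "once we drop Go 1.20 support" but states the reason as "Go <1.20". One of the two should be corrected so the condition for removing the workaround is unambiguous. `Evaluate` starts and ends outside this hunk.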