update: Update Coreruleset v4 to version 4.5.0

src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Help and support
-    url:  https://security.stackexchange.com/questions/tagged/owasp-crs
+    url: https://security.stackexchange.com/questions/tagged/owasp-crs
     about: For help and support please go here.
   - name: OWASP Core Rule Set mailing list
-    url:  https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+    url: https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
     about: Ask general usage questions and participate in discussions on the CRS.

src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/test.yml

@@ -16,7 +16,7 @@ on:
 
 # Pin tool versions to prevent problems
 env:
-  GO_FTW_VERSION: '0.6.4'
+  GO_FTW_VERSION: '1.0.3'
 
 jobs:
   regression:
@@ -36,22 +36,27 @@ jobs:
             -p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
 
       - name: "Run tests for ${{ matrix.modsec_version }}"
-        env:
-          FTW_LOGFILE: './tests/logs/${{ matrix.modsec_version }}/error.log'
         run: |
           mkdir -p "tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}"
-          chmod -R o+rw "tests/logs"
           docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
           docker-compose -f ./tests/docker-compose.yml logs
-          [ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = "true" ]
+          if ! [ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = "true" ]; then
+            echo "Web server failed to start. Aborting."
+            exit 1
+          fi
+
           ./ftw check -d tests/regression/tests
-          ./ftw run -d tests/regression/tests --show-failures-only
+          ./ftw run \
+            -d tests/regression/tests \
+            --log-file "tests/logs/${{ matrix.modsec_version }}/error.log" \
+            --overrides tests/regression/httpd-overrides.yaml \
+            --show-failures-only
 
-      - name: "Change permissions if failed"
+      - name: "Change permissions of artifacts for upload"
         if: failure()
         run: |
-            # we want to get the audit log, so change permissions (file is only for root on docker)
-            sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log
+          # Files created from the container will belong to root
+          sudo chmod -R a+r tests/logs
 
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: failure()

src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTING.md

@@ -372,23 +372,23 @@ Documentation on how to run the CRS test suite can be found in the [online docum
 Example of a simple *positive test*:
 
 ```yaml
-- test_title: 932230-26
+- test_id: 26
   desc: "Unix command injection"
   stages:
-    - stage:
-        input:
-          dest_addr: 127.0.0.1
-          headers:
-            Host: localhost
-            User-Agent: "OWASP CRS test agent"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          method: POST
-          port: 80
-          uri: "/post"
-          data: "var=` /bin/cat /etc/passwd`"
-          version: HTTP/1.1
-        output:
-          log_contains: id "932230"
+    - input:
+        dest_addr: 127.0.0.1
+        headers:
+          Host: localhost
+          User-Agent: "OWASP CRS test agent"
+          Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+        method: POST
+        port: 80
+        uri: "/post"
+        data: "var=` /bin/cat /etc/passwd`"
+        version: HTTP/1.1
+      output:
+        log:
+          expect_ids: [932230]
 ```
 
 This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert.
@@ -402,21 +402,21 @@ The rule's description field, `desc`, is important. It should describe what is b
 Example of a simple *negative test*:
 
 ```yaml
-- test_title: 932260-4
+- test_id: 4
   stages:
-    - stage:
-        input:
-          dest_addr: "127.0.0.1"
-          method: "POST"
-          port: 80
-          headers:
-            User-Agent: "OWASP CRS test agent"
-            Host: "localhost"
-            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-          data: 'foo=ping pong tables'
-          uri: '/post'
-        output:
-          no_log_contains: id "932260"
+    - input:
+        dest_addr: "127.0.0.1"
+        method: "POST"
+        port: 80
+        headers:
+          User-Agent: "OWASP CRS test agent"
+          Host: "localhost"
+          Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+        data: 'foo=ping pong tables'
+        uri: '/post'
+      output:
+        log:
+          no_expect_ids: [932260]
 ```
 
 This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.

src/common/core/modsecurity/files/coreruleset-v4/README.md

@@ -1,10 +1,11 @@
-![GHA build main](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=main)</br>
-![GHA build v4.0/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v4.0%2Fdev)
-![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
 [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
+| Branch | Status |
+---------|-------|
+| main | ![GHA build main](https://github.com/coreruleset/coreruleset/actions/workflows/test.yml/badge.svg?branch=main) |
+| v3.3/master | ![GHA build v3.3/master](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fmaster) |
 
 
 # OWASP CRS

src/common/core/modsecurity/files/coreruleset-v4/SECURITY.md

@@ -11,9 +11,12 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
 
 | Version   | Supported          |
 | --------- | ------------------ |
-| 4.2.0     | :white_check_mark: |
-| 4.1.0     | :white_check_mark: |
-| 4.0.0     | :white_check_mark: |
+| 4.5.x     | :white_check_mark: |
+| 4.4.x     | :white_check_mark: |
+| 4.3.x     | :x: |
+| 4.2.x     | :x: |
+| 4.1.x     | :x: |
+| 4.0.x     | :x: |
 | 3.3.x     | :white_check_mark: |
 | 3.2.x     | :x:                |
 | 3.1.x     | :x:                |

src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.4.0
+# OWASP CRS ver.4.5.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 # Copyright (c) 2021-2024 CRS project. All rights reserved.
 #
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.blocking_paranoia_level=1"
 
 
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.detection_paranoia_level=1"
 
 
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.enforce_bodyproc_urlencoded=1"
 
 
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.critical_anomaly_score=5,\
 #    setvar:tx.error_anomaly_score=4,\
 #    setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.inbound_anomaly_score_threshold=5,\
 #    setvar:tx.outbound_anomaly_score_threshold=4"
 
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.reporting_level=4"
 
 
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.early_blocking=1"
 
 
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.enable_default_collections=1"
 
 
@@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
@@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    nolog,\
 #    tag:'OWASP_CRS',\
 #    ctl:ruleRemoveById=920420,\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    chain"
 #    SecRule REQUEST_URI "@rx ^/foo/bar" \
 #        "t:none"
@@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 
 # Allowed HTTP versions.
@@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
@@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
 # Restricted request headers.
@@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
 #
 # [ Extended ]
@@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
@@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 #
@@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
@@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
@@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
@@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
@@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
@@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.combined_file_sizes=1048576"
 
 
@@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.sampling_percentage=100"
 
 
@@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.4.0',\
+#    ver:'OWASP_CRS/4.5.0',\
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
 
@@ -814,5 +814,5 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.4.0',\
-    setvar:tx.crs_setup_version=440"
+    ver:'OWASP_CRS/4.5.0',\
+    setvar:tx.crs_setup_version=450"