fix: editing widgets false positive (#54)

* fix: editing widgets false positive * fix: missing indendation and new lines * fix: failing tests * fix: failing tests * fix: failing tests nginx
coreruleset · Jul 13, 2024 · 4a17202 · 4a17202
1 parent ccd9314
commit 4a17202
Show file tree

Hide file tree

Showing 3 changed files with 88 additions and 2 deletions.
diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
@@ -255,7 +255,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
             ctl:ruleRemoveTargetById=942100;ARGS"
 
 # Cannot update page|post in WordPress due to `x-http-method-override` header.
-SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|template-parts|templates|users)" \
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|sidebars|template-parts|templates|users)" \
     "id:9507146,\
     phase:1,\
     pass,\
@@ -386,6 +386,45 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
     ctl:ruleRemoveById=920300,\
     ver:'wordpress-rule-exclusions-plugin/1.0.1'"
 
+# Modifying widgets under Appearance --> Widgets
+# Rules are disabled for all args because the paramater name keeps on changing
+SecRule REQUEST_FILENAME "@rx /wp-json/batch/v[0-9]$" \
+    "id:9507201,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.1',\
+    chain"
+    SecRule ARGS:_locale "@streq user" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=920272;ARGS,\
+        ctl:ruleRemoveTargetById=920273;ARGS,\
+        ctl:ruleRemoveTargetById=932200;ARGS,\
+        ctl:ruleRemoveTargetById=932236;ARGS,\
+        ctl:ruleRemoveTargetById=932240;ARGS,\
+        ctl:ruleRemoveTargetById=932370;ARGS,\
+        ctl:ruleRemoveTargetById=941150;ARGS,\
+        ctl:ruleRemoveTargetById=941180;ARGS,\
+        ctl:ruleRemoveTargetById=941181;ARGS,\
+        ctl:ruleRemoveTargetById=941320;ARGS,\
+        ctl:ruleRemoveTargetById=941330;ARGS,\
+        ctl:ruleRemoveTargetById=942130;ARGS,\
+        ctl:ruleRemoveTargetById=942131;ARGS,\
+        ctl:ruleRemoveTargetById=942200;ARGS,\
+        ctl:ruleRemoveTargetById=942210;ARGS,\
+        ctl:ruleRemoveTargetById=942260;ARGS,\
+        ctl:ruleRemoveTargetById=942330;ARGS,\
+        ctl:ruleRemoveTargetById=942340;ARGS,\
+        ctl:ruleRemoveTargetById=942370;ARGS,\
+        ctl:ruleRemoveTargetById=942430;ARGS,\
+        ctl:ruleRemoveTargetById=942431;ARGS,\
+        ctl:ruleRemoveTargetById=942432;ARGS,\
+        ctl:ruleRemoveTargetById=942440;ARGS,\
+        ctl:ruleRemoveTargetById=942460;ARGS,\
+        ctl:ruleRemoveTargetById=942520;ARGS,\
+        ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+        ctl:ruleRemoveTargetById=920273;REQUEST_BODY"
 
 #
 # [ Cookies ]
@@ -858,7 +897,6 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/async-upload.php" \
             ctl:ruleRemoveTargetById=933210;ARGS:name,\
             ctl:ruleRemoveTargetById=942100;ARGS:name"
 
-
 #
 # [ Options and Settings ]
 #

diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -46,3 +46,23 @@ tests:
             data: |
               {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
             no_log_contains: id "920450"
+  - test_title: 9507146-3
+    desc: Editing widgets
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+              x-http-method-override: PUT
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-json/wp/v2/sidebars/sidebar-1?_locale=user
+            data: |
+              {"id":"sidebar-1","widgets":["block-16","block-17","block-18"]}
+          output:
+            no_log_contains: id "920450"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
@@ -0,0 +1,28 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Wordpress Rule Exclusions Plugin"
+  enabled: true
+  name: 9507201.yaml
+tests:
+  - test_title: 9507201-1
+    desc:
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-json/batch/v1?_locale=user
+            data: |
+              {"validation":"require-all-validate","requests":[{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:paragraph -->\n<p>test</p>\n<!--/wp:paragraph -->"}},"sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:search{\"label\":\"Search\",\"buttonText\":\"Search\"} /-->"}},
+              "sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:table-->\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td></td><td></td></tr><tr><td></td><td></td></tr></tbody></table></figure>\n<!-- /wp:table-->"}},"sidebar":"sidebar-1"},"method":"POST"}]}
+          output:
+            no_log_contains: |
+              id "920272"|id "920273"|id "932200"|id "932236"|id "932240"|id "932370"|id "941150"|id "941180"|id "941181"|id "941320"|id "941330"|id "942130"|id "942131"|id "942200"|id "942210"|id "942260"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942460"|id "942520"