fix: FPs with authentication (#51)

coreruleset · Feb 3, 2024 · 55c7d4f · 55c7d4f
1 parent 429edb6
commit 55c7d4f
Show file tree

Hide file tree

Showing 9 changed files with 950 additions and 89 deletions.
diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
@@ -711,16 +711,69 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
 # This removes checks on the 'password' and related fields:
 
 # User login password.
+# Being redirected to login page via desktop app
 SecRule REQUEST_FILENAME "@endsWith /login" \
     "id:9508400,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
-    ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
+    ctl:ruleRemoveTargetById=920230;ARGS:redirect_url,\
+    ctl:ruleRemoveTargetById=932200;ARGS:redirect_url,\
+    ctl:ruleRemoveTargetById=932190;ARGS:redirect_url,\
+    ctl:ruleRemoveTargetById=942431;ARGS:redirect_url,\
+    ctl:ruleRemoveTargetById=942432;ARGS:redirect_url,\
+    ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+    ctl:ruleRemoveTargetById=920273;REQUEST_BODY,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
 
+# Asking an admin to reauthenticate when performing administrative changes
+# Asking an user to reauthenticate when making changes to account settings
+SecRule REQUEST_FILENAME "@endsWith /login/confirm" \
+    "id:9508401,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+    ctl:ruleRemoveTargetById=920273;REQUEST_BODY,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.password,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
+
+# When logging in via FIDO2
+SecRule REQUEST_FILENAME "@endsWith /login/webauthn/finish" \
+    "id:9508402,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=920273;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=932236;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942200;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942260;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942340;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942370;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942430;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942431;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=942432;ARGS:json.data"
+
+# Logging in via desktop app
+SecRule REQUEST_FILENAME "@rx /login/v[0-9\.]+/grant$" \
+    "id:9508403,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:stateToken "@rx ^[a-zA-Z0-9]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=932236;ARGS:stateToken,\
+        ctl:ruleRemoveTargetById=942450;ARGS:stateToken"
+
 # Reset password.
 SecRule REQUEST_FILENAME "@endsWith /login" \
     "id:9508410,\
@@ -739,17 +792,41 @@ SecRule REQUEST_FILENAME "@endsWith /login" \
             ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
             ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
-# Logout token
-SecRule REQUEST_FILENAME "@endsWith /logout" \
-    "id:9508420,\
+# Password reset used in newer versions of Nextcloud
+SecRule REQUEST_FILENAME "@rx /lostpassword/set/[^/]+/[^/]+$" \
+    "id:9508411,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
-    ctl:ruleRemoveTargetById=941120;ARGS:requesttoken"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.password"
+
+# requesttoken is used when logging in or when authenticating via a public share
+# Matches:
+# /login
+# /s/share-id/authenticate/showShare
+# /login/v2/grant
+# /logout
+SecRule REQUEST_FILENAME "@rx /(?:login(?:/v[0-9\.]+/grant)?|s/[^/]+/authenticate/showShare|logout)$" \
+    "id:9508420,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:requesttoken "@rx ^[a-zA-Z0-9+=:/]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=920273;ARGS:requesttoken,\
+        ctl:ruleRemoveTargetById=932236;ARGS:requesttoken,\
+        ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
+        ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
+        ctl:ruleRemoveTargetById=942432;ARGS:requesttoken,\
+        ctl:ruleRemoveTargetById=942450;ARGS:requesttoken"
 
 # Logging in with webauthn
+# HTTP 500 error code may sometimes be returned when authenticating
 SecRule REQUEST_FILENAME "@endsWith /login/webauthn/finish" \
     "id:9508421,\
     phase:3,\
@@ -809,10 +886,13 @@ SecAction \
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
-    ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:oc_sessionPassphrase,\
-    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:oc_sessionPassphrase,\
+    ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:nc_session_id,\
     ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:nc_session_id,\
-    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:nc_token"
+    ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:nc_token,\
+    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:nc_token,\
+    ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:oc_sessionPassphrase,\
+    ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:oc_sessionPassphrase,\
+    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:oc_sessionPassphrase"
 
 #
 # [ Nextcloud Setup ]
@@ -1079,6 +1159,7 @@ SecRule REQUEST_FILENAME "@endsWith /settings/api/personal/webauthn/registration
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
     ctl:ruleRemoveTargetById=920273;ARGS:json.data,\
+    ctl:ruleRemoveTargetById=932236;ARGS:json.data,\
     ctl:ruleRemoveTargetById=942200;ARGS:json.data,\
     ctl:ruleRemoveTargetById=942260;ARGS:json.data,\
     ctl:ruleRemoveTargetById=942340;ARGS:json.data,\

diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508400.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508400.yaml
@@ -0,0 +1,73 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "FPs during login"
+  enabled: true
+  name: 9508400.yaml
+tests:
+  - test_title: 9508400-1
+    desc: Disable OWASP CRS for password with pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /login
+            data: "password=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508400-2
+    desc: Disable OWASP CRS for password without pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /index.php/login
+            data: "password=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508400-3
+    desc: Desktop app redirecting to web gui to authenticate with pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /login
+            data: "redirect_url=/login/v2/grant?user=Esad%20Cetiner&stateToken=sample-token"
+          output:
+            no_log_contains: |
+              id "920230"|id "932(?:19|20)0"|id "94243[12]"
+  - test_title: 9508400-4
+    desc: Desktop app redirecting to web gui to authenticate without pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /index.php/login
+            data: "redirect_url=/login/v2/grant?user=Esad%20Cetiner&stateToken=sample-token"
+          output:
+            no_log_contains: |
+              id "920230"|id "932(?:19|20)0"|id "94243[12]"
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508401.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508401.yaml
@@ -0,0 +1,71 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "FPs during reauthentication / verification"
+  enabled: true
+  name: 9508401.yaml
+tests:
+  - test_title: 9508401-1
+    desc: Disable OWASP CRS for password when an admin is reauthenticating with pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /login/confirm
+            data: "password=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508401-2
+    desc: Disable OWASP CRS for password when an admin is reauthenticating with pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /login/confirm
+            data: "json.password=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508401-3
+    desc: Disable OWASP CRS for password when an admin is reauthenticating without pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /index.php/login/confirm
+            data: "password=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508401-4
+    desc: Disable OWASP CRS for password when an admin is reauthenticating without pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /index.php/login/confirm
+            data: "json.password=<script>"
+          output:
+            no_log_contains: id "941101"
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508402.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508402.yaml
@@ -0,0 +1,43 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "FPs during login with FIDO2"
+  enabled: true
+  name: 9508402.yaml
+tests:
+  - test_title: 9508402-1
+    desc: Logging in via webauthn with pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /login/webauthn/finish
+            data: |
+              json.data={"id":"RanDom__02Data","type":"public-key","rawId":"FDADG34//fsd88DF=","response":{"authenticatorData":"3/fds+dsf79dDAF/SQ+sdfaf89sDFS==","clientDataJSON":"7sdfybsdfbyubYUFDBVASUBYFASD7687gdsfb==","signature":"dsyuifabHBJDAF989+sfddsfDFKJ6678+fsd676JKG+S8dg=","userHandle":"random="}}
+          output:
+            no_log_contains: |
+              id"920273"|id "932236"|id "942(?:2[06]0|3[47]0|43[012])"
+  - test_title: 9508402-2
+    desc: Logging in via webauthn without pretty URLs
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /index.php/login/webauthn/finish
+            data: |
+              json.data={"id":"RanDom__02Data","type":"public-key","rawId":"FDADG34//fsd88DF=","response":{"authenticatorData":"3/fds+dsf79dDAF/SQ+sdfaf89sDFS==","clientDataJSON":"7sdfybsdfbyubYUFDBVASUBYFASD7687gdsfb==","signature":"dsyuifabHBJDAF989+sfddsfDFKJ6678+fsd676JKG+S8dg=","userHandle":"random="}}
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942(?:2[06]0|3[47]0|43[012])"