coreruleset · theseion · Jan 26, 2024 · Jan 26, 2024 · Jan 26, 2024 · Jan 26, 2024
diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
@@ -1578,14 +1578,16 @@ SecRule REQUEST_FILENAME "@rx /apps/mail/api/outbox(?:/[0-9]+)?$" \
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.body,\
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
 
-# When viewing email message
+# Assigning/removing flags for emails
+# Marking an email as junk/not-junk
 SecRule REQUEST_FILENAME "@rx /apps/mail/api/messages/[0-9]+/flags$" \
     "id:9508978,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=942290;ARGS_NAMES:json.flags.$notjunk,\
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
 
 # When clicking on an email address within Nextcloud Mail
@@ -1609,14 +1611,19 @@ SecRule REQUEST_FILENAME "@endsWith /apps/mail/api/contactIntegration/new" \
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
 
 # Changing Nextcloud Mail Settings
-SecRule REQUEST_FILENAME "@rx /apps/mail/api/preferences/(?:tag-classified-messages|collect-data|account-settings|start-mailbox-id)$" \
+# Sorting email from oldest/newest
+# Adjusting placement of reply (top / bottom)
+# Enabling/disabling external avatars from Gravatar
+# Enabling/disabling search for message body within priority inbox
+SecRule REQUEST_FILENAME "@rx /apps/mail/api/preferences/(?:tag-classified-messages|collect-data|account-settings|start-mailbox-id|sort-order|reply-a?mode|external-avatars|search-priority-body)$" \
     "id:9508981,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
     ctl:ruleRemoveTargetById=920273;ARGS:json.value,\
+    ctl:ruleRemoveTargetById=932236;ARGS:json.value,\
     ctl:ruleRemoveTargetById=942200;ARGS:json.value,\
     ctl:ruleRemoveTargetById=942260;ARGS:json.value,\
     ctl:ruleRemoveTargetById=942421;ARGS:json.value,\
@@ -1721,3 +1728,35 @@ SecRule REQUEST_FILENAME "@rx /apps/mail/api/mailboxes/[0-9]+$" \
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
     setvar:'tx.allowed_methods=%{tx.allowed_methods} DELETE'"
+
+# Writing an draft email
+# Email subject/body could be anything
+# PUT - Composing an draft email
+# DELETE - Discarding a draft email
+SecRule REQUEST_FILENAME "@rx /apps/mail/api/drafts(?:/[0-9]+|/\{id\})?$" \
+    "id:9508991,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.data.body.value,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.data.editorBody,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.editorBody,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.subject,\
+    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
+
+# Sending an email
+# Editing an email from outbox
+# Email subject/body could be anything
+SecRule REQUEST_FILENAME "@rx /apps/mail/api/outbox/(?:from-draft/)?[0-9]+$" \
+    "id:9508992,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.editorBody,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.subject"
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508978.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508978.yaml
@@ -0,0 +1,22 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Nextcloud Rule Exclusions Plugin"
+  enabled: true
+  name: 9508978.yaml
+tests:
+  - test_title: 9508978-1
+    desc: Marking an email as not junk
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/messages/1/flags?json.flags.$notjunk=1
+          output:
+            no_log_contains: id "942290"
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508991.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508991.yaml
@@ -0,0 +1,205 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Nextcloud Rule Exclusions Plugin"
+  enabled: true
+  name: 9508991.yaml
+tests:
+  - test_title: 9508991-1
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: yes
+      Formatting option: disabled
+      Target: json.body
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/1
+            data: "json.body=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-2
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: yes
+      Formatting option: disabled
+      Target: json.data.body.value
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/1
+            data: "json.data.body.value=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-3
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: yes
+      Formatting option: enabled
+      Target: json.data.editorBody
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/1
+            data: "json.data.editorBody=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-4
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: yes
+      Formatting option: enabled
+      Target: json.editorBody
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/1
+            data: "json.editorBody=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-5
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: no
+      Formatting option: disabled
+      Target: json.body
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/{id}
+            data: "json.body=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-6
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: no
+      Formatting option: disabled
+      Target: json.data.body.value
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/{id}
+            data: "json.data.body.value=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-7
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: no
+      Formatting option: enabled
+      Target: json.data.editorBody
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/{id}
+            data: "json.data.editorBody=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-8
+    desc: |
+      Drafting an email, content could be anything.
+      Draft ID set: no
+      Formatting option: enabled
+      Target: json.editorBody
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/{id}
+            data: "json.editorBody=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-9
+    desc: |
+      Drafting an email, subject could be anything.
+      Draft ID set: no
+      Target: json.subject
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/{id}
+            data: "json.subject=<script>"
+          output:
+            no_log_contains: id "941101"
+  - test_title: 9508991-10
+    desc: |
+      Drafting an email, subject could be anything.
+      Draft ID set: yes
+      Target: json.subject
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP ModSecurity Core Rule Set
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/mail/api/drafts/1
+            data: "json.subject=<script>"
+          output:
+            no_log_contains: id "941101"