Commit
Merge branch 'main' into renovate/mcr.microsoft.com-devcontainers-javascript-node
theseion authored Nov 8, 2024
2 parents 3abea92 + 14ada1a commit 053bc0c
Showing 10 changed files with 55 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/gh-pages.yml
@@ -46,7 +46,7 @@ jobs:
- name: Install Dart Sass
run: sudo snap install dart-sass
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
submodules: recursive

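Review bot: the pin comment on the new `uses: actions/checkout@11bd7190…` line still reads only `# v4`, so a reviewer cannot tell from the diff which checkout release the SHA was resolved from; record the exact tag in the comment so the SHA-to-tag mapping can be checked against the actions/checkout releases before merge. The same bump appears in test.yml and should carry the same comment.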
10 changes: 5 additions & 5 deletions .github/workflows/test.yml
@@ -31,7 +31,7 @@ jobs:
run: sudo snap install dart-sass

- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
submodules: recursive

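Review bot: this checkout bump uses the same SHA as gh-pages.yml, which is what you want; keep both workflows on the identical SHA and put the resolved tag in the `# v4` comment so any future drift between the two files is visible in the diff.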
@@ -55,18 +55,18 @@ jobs:
- name: Restore lychee cache
id: restore-cache
uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
with:
path: .lycheecache
key: cache-lychee-${{ github.sha }}
restore-keys: cache-lychee-

- name: Link Checker
id: lychee
uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2
uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.1.0
with:
fail: false
args: "--accept 200..=204,429 --cache --max-cache-age 1d -E './content/**/*.md'"
args: "--accept 200..=204,429 --cookie-jar /tmp/lychee-cookies --cache --max-cache-age 1d -E './content/**/*.md'"
jobSummary: true

- name: Create Issue From File
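Review bot: the new `--cookie-jar /tmp/lychee-cookies` argument writes the link checker's cookies to a fixed path in a world-writable directory; that is harmless on an ephemeral GitHub-hosted runner, but on a self-hosted runner a predictable path under /tmp can be pre-created by another job, so prefer `${{ runner.temp }}/lychee-cookies`. The cookie jar is also outside the cached `.lycheecache` path, so it is rebuilt every run; that is the right behaviour but worth a comment. Finally, the `actions/cache/restore` pin comment is only `# v4` while the `lychee-action` pin records the full `v2.1.0`; align the comments so every SHA can be verified against its tag.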
@@ -78,7 +78,7 @@ jobs:
labels: report, automated issue

- name: Save lychee cache
uses: actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
if: always()
with:
path: .lycheecache
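Review bot: the `actions/cache/save` SHA now matches the `actions/cache/restore` SHA bumped earlier in this file (both `6849a648…`), which is correct since restore and save should come from the same release; as with the other pins, replace the bare `# v4` comment with the exact tag so the pairing is verifiable at a glance.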
4 changes: 2 additions & 2 deletions config/_default/params.yaml
@@ -13,8 +13,8 @@ images: ["images/social-preview.svg"]

crs:
release_url_prefix: "https://github.com/coreruleset/coreruleset/releases/tag"
latest_major_version: "4.7.0"
prev_major_version: "3.3.6"
latest_major_version: "4.8.0"
prev_major_version: "3.3.7"

github:
repo_url: "https://github.com/coreruleset/website/blob/main"
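Review bot: the bumped `latest_major_version: "4.8.0"` and `prev_major_version: "3.3.7"` are concatenated with the unchanged `release_url_prefix`, so the site will now link to the v4.8.0 and v3.3.7 tags; confirm both tags are published on the coreruleset repository before this deploys, otherwise the download links 404 until the scheduled link checker reports it.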
@@ -7,7 +7,7 @@ title: 'A new silver sponsor for CRS: Swiss Post'
---


We are proud to present [Swiss Post](https://swisspost.ch) as new silver sponsor for the OWASP ModSecurity Core Rule Set. Swiss Post is one of the longest-standing and best-known brands in Switzerland since its establishment in 1849. The company uses many open-source solutions for development and operation and in turn supports the community where possible. Ties between Swiss Post and the CRS project team have traditionally been strong with different core team members having worked for the premier Swiss provider of mail and logistics services.
We are proud to present [Swiss Post](https://post.ch) as new silver sponsor for the OWASP ModSecurity Core Rule Set. Swiss Post is one of the longest-standing and best-known brands in Switzerland since its establishment in 1849. The company uses many open-source solutions for development and operation and in turn supports the community where possible. Ties between Swiss Post and the CRS project team have traditionally been strong with different core team members having worked for the premier Swiss provider of mail and logistics services.

{{< figure src="images/2024/01/Post_Logo_digital_RGB.png" >}}

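Review bot: the only change here is the link target, `https://swisspost.ch` to `https://post.ch`; if the old domain was replaced because the lychee link checker flagged it, note that in the commit or PR so the reason is recorded, and verify the new domain is the one Swiss Post publishes as its canonical site rather than a redirect.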
37 changes: 37 additions & 0 deletions content/blog/2024-10-29-crs-versions-4-8-0-and-3-3-7-released.md
@@ -0,0 +1,37 @@
---
author: RedXanadu
categories:
- Blog
date: '2024-10-29T18:59:58+00:00'
title: CRS versions 4.8.0 and 3.3.7 released
slug: 'crs-versions-4-8-0-and-3-3-7-released'
---

The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7.

For downloads and installation instructions, please refer to the [Installation](https://coreruleset.org/docs/deployment/install/) page.

These are security releases which fix a recently discovered partial request body bypass of CRS. On some platforms running CRS v3.3.6 and earlier on the v3 release line or v4.7.0 and earlier on the v4 release line, it is possible to submit a specially crafted multipart or JSON request whose body content will bypass the inspection of the majority of CRS rules on a default installation. CRS users are strongly encouraged to update to a fixed version to resolve this issue.

#### Bypass details

This bypass was possible due to the fact that the default list of allowed request content types in CRS (both v3 and v4) included the content type `multipart/related`, which cannot be processed by current free & open-source WAF engine implementations, and the content types `application/cloudevents+json` and `application/cloudevents-batch+json`, which are not processed by default. This created a situation where a request with body content would be allowed by CRS but the request body could not, or would not, be processed by the engine. Many CRS rules thus lost the ability to perform meaningful inspection of such requests, in the absence of processed and parsed request body content. In particular, the `ARGS` collection (and related collections) was not populated by the engine: many CRS rules rely on inspecting the contents of this important collection.

The newly released fixed versions remove the offending content types from the default list of allowed request content types. New advice is also provided on how to handle additional JSON content types beyond the standard `application/json` content type.

Users making use of additional JSON content types, for example `application/cloudevents+json`, should follow the new advice and ensure that an appropriate rule is in place to enable JSON request body processing for these content types. Most affected users can uncomment and use optional rule 200006 in the file “modsecurity.conf-recommended” to achieve this.

Note that the [official CRS Docker container images](https://github.com/coreruleset/modsecurity-crs-docker), by default, already correctly handle extended JSON types and are therefore not affected by the JSON part of this problem.

#### For users unable to update

Any users unable to update to a fixed version of CRS are strongly encouraged to implement the fix steps themselves by removing the content types `multipart/related`, `application/cloudevents+json`, and `application/cloudevents-batch+json` from the variable `tx.allowed_request_content_type` as set in the files `crs-setup.conf` and `REQUEST-901-INITIALIZATION.conf`. The advice on JSON processing should also be followed.

#### Other release changes

Aside from the security fix, the v4.8.0 release also includes a few other minor changes and improvements as part of the normal release cycle for CRS v4. The full changes included in v4.8.0 can be found on the [GitHub release page](https://github.com/coreruleset/coreruleset/releases/tag/v4.8.0).

Please feel free to contact us with any questions or concerns about this release via the usual channels: directly via the [CRS GitHub repository](https://github.com/coreruleset/coreruleset), in our Slack channel (#coreruleset on [owasp.slack.com](https://owasp.slack.com/)), or on our [mailing list](https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project).

Sincerely,
Andrew Howe on behalf of the CRS development team
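Review bot: the announcement names the affected versions and the manual workaround but does not link a security advisory or identifier for the bypass; if one was published alongside the fix, link it under "Bypass details" so packagers and scanners can correlate. Two smaller points: the file name “modsecurity.conf-recommended” is in curly quotes while every other file name in the post uses backticks (`crs-setup.conf`, `REQUEST-901-INITIALIZATION.conf`), so use backticks for consistency; and `Sincerely,` and `Andrew Howe on behalf of the CRS development team` have no blank line or trailing line break between them, so Markdown will render them as one line.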
2 changes: 2 additions & 0 deletions layouts/partials/header.html
@@ -14,6 +14,8 @@
<span class="site-title">{{ $.Site.Title }}</span>
</a>
{{ end }}
<!-- scarf pixel -->
<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=f0ac4a06-c84b-444a-ab50-3ec839b2aca7" />

{{ with .Site.Menus.main }}
<nav class="main-menu">
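Review bot: the new scarf pixel `<img>` has no `alt` attribute and no `width`/`height`, so screen readers will announce it and it can cause layout shift; add `alt=""` and explicit 1x1 dimensions (or a class that hides it). `referrerpolicy="no-referrer-when-downgrade"` sends the full URL of every page viewed to static.scarf.sh, so check that this is covered by the site's privacy notice, and if the site ships a Content-Security-Policy make sure `img-src` permits that host, otherwise the pixel is silently blocked.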
8 changes: 4 additions & 4 deletions package-lock.json

2 changes: 1 addition & 1 deletion package.json
@@ -24,7 +24,7 @@
"homepage": "https://github.com/coreruleset/website#readme",
"dependencies": {
"autoprefixer": "^10.4.19",
"hugo-extended": "^0.135.0",
"hugo-extended": "^0.137.0",
"postcss": "^8.4.38",
"postcss-cli": "^11.0.0"
},
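Review bot: `hugo-extended` moves from `^0.135.0` to `^0.137.0`; under caret semantics for 0.x versions that range only admits 0.137.x, so the package-lock.json changes (not rendered above) should show exactly one resolved 0.137.x version. Confirm the site builds with that Hugo release in the test workflow before merging, since Hugo minor releases occasionally change template behaviour.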
