fix: false positive related to navigation menu update

[azurit]

Fixes #46.

[EsadCetiner]

@azurit You've missed the other false positive op reported for json.content, could you expand 9507140 to include /wp-json/wp/v2/navigation/?

[azurit]

@EsadCetiner Hm, what about to join rules 9507146 and 9507140 into one?

[EsadCetiner]

@azurit Normally I would, but in this case the restricted headers has to be kept in sync with crs-setup.conf and it won't respect any additional restricted headers added by an end user. I'd rewrite 9507146 similar to 9507144 so it doesn't have to be kept in sync with any changes made by CRS, and it respects changes made by end users. It's easier to expand the regex to cover more endpoints vs having to remember to keep something in sync, especially if this happens with multiple plugins.

[azurit]

Ok, that makes sense.

[azurit]

@EsadCetiner Ready to merge?

[EsadCetiner]

@azurit Are you going to rewrite 9507146 like how I suggested to reduce the maintenance of that rule, or do you have a better idea?

SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages|users|templates|navigation)" \
    "id:9507146,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'wordpress-rule-exclusions-plugin/1.0.1',\
    chain"
-   SecRule REQUEST_METHOD "@streq POST" \
+   SecRule &REQUEST_HEADERS:x-http-method-override "!@eq 0" \
        "t:none,\
-        setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method/ /x-method-override/'"
+        ctl:ruleRemoveById=920450"

[azurit]

I misunderstood you, done.