coreruleset · EsadCetiner · Jun 28, 2024 · Jun 27, 2024 · Jun 27, 2024 · Jun 27, 2024
diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
@@ -131,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
 #
 
 # Gutenberg
-SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages|templates|navigation)" \
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates)" \
     "id:9507140,\
     phase:1,\
     pass,\
@@ -230,8 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
             ctl:ruleRemoveTargetById=942100;ARGS"
 
 # Cannot update page|post in WordPress due to `x-http-method-override` header.
-# This rule is a copy of rule 900250 and must be synchronised with that rule.
-SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages|users|templates|navigation)" \
+SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:navigation|pages|posts|template-parts|templates|users)" \
     "id:9507146,\
     phase:1,\
     pass,\
@@ -383,6 +382,54 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
         "t:none,\
         ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"
 
+#
+# [ General exclusions ]
+#
+
+# Operator @unconditionalMatch is used instead of a SecAction because of a bug
+# in ModSecurity v3 which prevents SecActions to be removed using ctl action.
+# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
+SecRule REQUEST_FILENAME "@unconditionalMatch" \
+    "id:9507350,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=932236;ARGS:nonce,\
+    ctl:ruleRemoveTargetById=942450;ARGS:nonce,\
+    ctl:ruleRemoveTargetById=932236;ARGS:ver,\
+    ctl:ruleRemoveTargetById=942450;ARGS:ver,\
+    ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=920273;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942230;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942430;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=932236;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=932370;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
+    ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.1'"
+
 
 #
 # -=[ WordPress Administration Back-End (wp-admin) ]=-
@@ -514,55 +561,6 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
             ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
             ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
-
-#
-# [ General exclusions ]
-#
-
-# Operator @unconditionalMatch is used instead of a SecAction because of a bug
-# in ModSecurity v3 which prevents SecActions to be removed using ctl action.
-# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
-SecRule REQUEST_FILENAME "@unconditionalMatch" \
-    "id:9507600,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    ctl:ruleRemoveTargetById=932236;ARGS:nonce,\
-    ctl:ruleRemoveTargetById=942450;ARGS:nonce,\
-    ctl:ruleRemoveTargetById=932236;ARGS:ver,\
-    ctl:ruleRemoveTargetById=942450;ARGS:ver,\
-    ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=920273;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942230;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942430;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
-    ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=932236;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=932370;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
-    ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
-    ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
-    ver:'wordpress-rule-exclusions-plugin/1.0.1'"
-
 # The ID variable is used all over wordpress
 SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
     "id:9507601,\
@@ -1064,6 +1062,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
 SecMarker "END-WORDPRESS-ADMIN"
 
 
+
 #
 # [ Plugins ]
 #

diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
@@ -6,77 +6,36 @@ meta:
   name: 9507100.yaml
 tests:
   - test_title: 9507100-1
-    desc: Disable OWASP CRS for password
+    desc: Disable OWASP CRS for password and 932236 for ARGS_NAMES:pwd
     stages:
       - stage:
           input:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: POST
-            uri: /wp-login.php?pwd=<script>
+            version: "HTTP/1.1"
+            uri: /post/wp-login.php?pwd=<script>
           output:
-            no_log_contains: id "941110"
+            no_log_contains: |
+              id "932236" | id "941110"
   - test_title: 9507100-2
-    desc: Disable 942430 for ARGS:redirect_to
+    desc: ARGS:redirect_to tends to contain multiple special characters since it'll include the redirect URL
     stages:
       - stage:
           input:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: POST
-            uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
+            version: "HTTP/1.1"
+            uri: /post/wp-login.php?redirect_to=;;;;;;;;;;;;
           output:
-            no_log_contains: id "942430"
-  - test_title: 9507100-3
-    desc: Disable 942431 for ARGS:redirect_to
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: OWASP CRS
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            port: 80
-            method: POST
-            uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
-          output:
-            no_log_contains: id "942431"
-  - test_title: 9507100-4
-    desc: Disable 942432 for ARGS:redirect_to
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: OWASP CRS
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            port: 80
-            method: POST
-            uri: /wp-login.php?redirect_to=;;;;;;;;;;;;
-          output:
-            no_log_contains: id "942432"
-  - test_title: 9507100-5
-    desc: Disable 932236 for ARGS_NAMES:pwd
-    stages:
-      - stage:
-          input:
-            dest_addr: 127.0.0.1
-            headers:
-              Host: localhost
-              User-Agent: OWASP CRS
-              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
-            port: 80
-            method: POST
-            uri: /wp-login.php?pwd=foo
-          output:
-            no_log_contains: id "932236"
+            no_log_contains: |
+              id "942430" | id "942431" | id "942432"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
@@ -0,0 +1,30 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Wordpress Rule Exclusions Plugin"
+  enabled: true
+  name: 9507140.yaml
+tests:
+  - test_title: 9507140-1
+    desc: Editing template part of a website i.e header or footer
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+              x-http-method-override: PUT
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            # URI is actually sent with double slashes
+            uri: /post/wp-json/wp/v2/template-parts/twentytwentyfour//header?_locale=user
+            # Data is sent with some special characters escaped
+            data: |
+              {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
+              <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
+            no_log_contains: |
+              id "932240" | id "932236" | id "941100" | id "941150" | id "941160" | id "941180" | id "941181" | id "941320" | id "942210" | id "942330" | id "942340" | id "942370" | id "942430" | id "942431" | id "942432" | id "942440" | id "942520"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507145.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507145.yaml
@@ -13,12 +13,13 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
               Content-Type: application/json
             port: 80
             method: POST
-            uri: /index.php?rest_route=%2Fwp%2Fv2%2Fglobal-styles%2F50&_locale=user
+            version: "HTTP/1.1"
+            uri: /post/index.php?rest_route=%2Fwp%2Fv2%2Fglobal-styles%2F50&_locale=user
             # stripped down version of the full payload
             data: |
               {"id":50,"styles":{"blocks":{"core/comment-author-name":{"elements":{"link":{":active":{"color":{"text":"var(--wp--preset--color--tertiary)"}}}}}},"color":{"gradient":"var(--wp--preset--gradient--dots)"},"elements":{"button":{":active":{"color":{"background":"var(--wp--preset--color--secondary)","gradient":"none"}},":focus":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":hover":{"color":{"gradient":"var(--wp--preset--gradient--secondary-primary)"}},":visited":{"color":{"text":"var(--wp--preset--color--base)"}},"border":{"radius":"5px"},"color":{"gradient":"var(--wp--preset--gradient--primary-secondary)","text":"var(--wp--preset--color--base)"}}}},"settings":{"color":{"duotone":{"theme":[{"colors":["#222828","#9EF9FD"],"slug":"default-filter","name":"Default filter"}]}}}}

diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml
@@ -0,0 +1,29 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Wordpress Rule Exclusions Plugin"
+  enabled: true
+  name: 9507146.yaml
+tests:
+  - test_title: 9507146-1
+    desc: Editing template part of a website i.e header or footer
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/json
+              x-http-method-override: PUT
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            # URI is actually sent with double slashes
+            uri: /post/wp-json/wp/v2/template-parts/twentytwentyfour//header?_locale=user
+            # Data is sent with some special characters escaped
+            data: |
+              {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
+              <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
+            no_log_contains: id "920450"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507147.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507147.yaml
@@ -13,11 +13,12 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /index.php?_fields=id
+            version: "HTTP/1.1"
+            uri: /get/index.php?_fields=id
           output:
             no_log_contains: id "932236"
   - test_title: 9507147-2
@@ -28,11 +29,12 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /index.php?_fields=id,name
+            version: "HTTP/1.1"
+            uri: /get/index.php?_fields=id,name
           output:
             no_log_contains: id "932236"
   - test_title: 9507147-3
@@ -43,10 +45,11 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /index.php?_fields=id,name,description,slug
+            version: "HTTP/1.1"
+            uri: /get/index.php?_fields=id,name,description,slug
           output:
             no_log_contains: id "932236"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507148.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507148.yaml
@@ -13,10 +13,11 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /index.php?orderby=id
+            version: "HTTP/1.1"
+            uri: /get/index.php?orderby=id
           output:
             no_log_contains: id "932236"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507149.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507149.yaml
@@ -13,10 +13,11 @@ tests:
             dest_addr: 127.0.0.1
             headers:
               Host: localhost
-              User-Agent: OWASP CRS
+              User-Agent: OWASP CRS test agent
               Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
             port: 80
             method: GET
-            uri: /index.php?rest_route=%2Fwp-block-editor%2Fv1%2Furl-details&url=https%3A%2F%2Fexample.com%
+            version: "HTTP/1.1"
+            uri: /get/index.php?rest_route=%2Fwp-block-editor%2Fv1%2Furl-details&url=https%3A%2F%2Fexample.com%
           output:
             no_log_contains: id "931130"