tests: adds engine tests about args with square brackets (#1230)

corazawaf · Nov 22, 2024 · fb4c990 · fb4c990
1 parent 606a1bb
commit fb4c990
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 2 deletions.
diff --git a/testing/coreruleset/go.sum b/testing/coreruleset/go.sum
@@ -8,8 +8,6 @@ github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0
 github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc h1:OlJhrgI3I+FLUCTI3JJW8MoqyM78WbqJjecqMnqG+wc=
 github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc/go.mod h1:7rsocqNDkTCira5T0M7buoKR2ehh7YZiPkzxRuAgvVU=
-github.com/corazawaf/coraza-coreruleset/v4 v4.6.0 h1:VGlMw3QMuKaV7XgifPgcqCm66K+HRSdM4d9PRh1nD50=
-github.com/corazawaf/coraza-coreruleset/v4 v4.6.0/go.mod h1:1FQt1p+JSQ6tYrafMqZrEEdDmhq6aVuIJdnk+bM9hMY=
 github.com/corazawaf/coraza-coreruleset/v4 v4.7.0 h1:j02CDxQYHVFZfBxbKLWYg66jSLbPmZp1GebyMwzN9Z0=
 github.com/corazawaf/coraza-coreruleset/v4 v4.7.0/go.mod h1:1FQt1p+JSQ6tYrafMqZrEEdDmhq6aVuIJdnk+bM9hMY=
 github.com/corazawaf/libinjection-go v0.2.2 h1:Chzodvb6+NXh6wew5/yhD0Ggioif9ACrQGR4qjTCs1g=

diff --git a/testing/engine/variables.go b/testing/engine/variables.go
@@ -108,3 +108,72 @@ SecRuleUpdateTargetById 9124 "!ARGS:t2"
 SecAction "id: 99999, log, msg:'%{env.test}'"
 `,
 })
+
+var _ = profile.RegisterProfile(profile.Profile{
+	Meta: profile.Meta{
+		Author:      "M4tteoP",
+		Description: "Test variables with []",
+		Enabled:     true,
+		Name:        "variables_with_square_brackets.yaml",
+	},
+	Tests: []profile.Test{
+		{
+			Title: "variables_with_square_brackets",
+			Stages: []profile.Stage{
+				{
+					Stage: profile.SubStage{
+						Input: profile.StageInput{
+							URI:    "/index.php",
+							Method: "POST",
+							Headers: map[string]string{
+								"content-type": "application/x-www-form-urlencoded",
+							},
+							Data: `key[value]=sensitive&key2[]=newValue`,
+						},
+						Output: profile.ExpectedOutput{
+							TriggeredRules: []int{
+								10,
+								11,
+							},
+							NonTriggeredRules: []int{
+								9,
+							},
+							LogContains: `Message from rule 10: ARGS:key[value] sensitive`,
+						},
+					},
+				},
+				{
+					Stage: profile.SubStage{
+						Input: profile.StageInput{
+							URI:    "/index.php",
+							Method: "POST",
+							Headers: map[string]string{
+								"content-type": "application/x-www-form-urlencoded",
+							},
+							Data: `key2[name]=PaYlOaD`,
+						},
+						Output: profile.ExpectedOutput{
+							TriggeredRules: []int{
+								12,
+							},
+							NonTriggeredRules: []int{
+								9,
+								10,
+								11,
+							},
+							LogContains: `Message from rule 12: ARGS:key2[name], macro expansion: PaYlOaD`,
+						},
+					},
+				},
+			},
+		},
+	},
+	Rules: `
+SecRequestBodyAccess On
+SecRule ARGS:key "@contains sensitive" "id:9,phase:2,pass"
+SecRule ARGS:key[value] "@contains sensitive" "id:10,phase:2,pass,log,logdata:'Message from rule 10: %{MATCHED_VAR_NAME} %{MATCHED_VAR}'"
+SecRule ARGS:key2[] "@contains newValue" "id:11,phase:2,pass,setvar:'tx.macro_exp_var=%{ARGS.key2[]}',chain"
+	SecRule TX:macro_exp_var "@contains newValue"
+SecRule ARGS:key2[name] "@contains PaYlOaD" "id:12,phase:2,pass,log,logdata:'Message from rule 12: %{MATCHED_VAR_NAME}, macro expansion: %{ARGS.key2[name]}'"
+`,
+})