From 341f5bae1456045cf583d0ec46527e3be9768d35 Mon Sep 17 00:00:00 2001
From: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Date: Sat, 21 Dec 2024 00:18:29 +1100
Subject: [PATCH] fix: editing tag false positive (#65)

* fix: editing tag false positive

* fix: editing tag false positive

* fix: check log output correctly

* fix: move `ARGS_NAMES:users[0]` to it's own rule

* up
---
 plugins/wordpress-rule-exclusions-before.conf |  6 +++
 .../9507100.yaml                              |  4 +-
 .../9507121.yaml                              |  2 +-
 .../9507139.yaml                              |  2 +-
 .../9507140.yaml                              |  2 +-
 .../9507201.yaml                              |  2 +-
 .../9507350.yaml                              | 45 +++++++++++++++----
 7 files changed, 48 insertions(+), 15 deletions(-)

diff --git a/plugins/wordpress-rule-exclusions-before.conf b/plugins/wordpress-rule-exclusions-before.conf
index ac2bb2d..9550036 100644
--- a/plugins/wordpress-rule-exclusions-before.conf
+++ b/plugins/wordpress-rule-exclusions-before.conf
@@ -466,6 +466,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
     ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=932200;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=932235;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=932236;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
@@ -477,6 +478,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
     ctl:ruleRemoveTargetById=942432;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=920273;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=932200;ARGS:wp_http_referer,\
@@ -488,6 +490,7 @@ SecRule REQUEST_FILENAME "@unconditionalMatch" \
     ctl:ruleRemoveTargetById=942230;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
+    ctl:ruleRemoveTargetById=942432;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=932236;ARGS:_wpnonce,\
     ctl:ruleRemoveTargetById=942450;ARGS:_wpnonce,\
     ver:'wordpress-rule-exclusions-plugin/1.0.1'"
@@ -624,6 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
             ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 # The ID variable is used all over wordpress
+# Managing users
 SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
     "id:9507601,\
     phase:1,\
@@ -632,6 +636,8 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/(?:admin|admin-ajax|edit|users)\.php$" \
     nolog,\
     ctl:ruleRemoveTargetById=932236;ARGS_NAMES:id,\
     ctl:ruleRemoveTargetById=932236;ARGS_NAMES:ids,\
+    ctl:ruleRemoveTargetById=920273;ARGS_NAMES:users[0],\
+    ctl:ruleRemoveTargetById=942432;ARGS_NAMES:users[0],\
     ver:'wordpress-rule-exclusions-plugin/1.0.1'"
 
 #
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
index 1de7220..4c65f81 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507100.yaml
@@ -20,7 +20,7 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-login.php?pwd=<script>
           output:
-            no_log_contains: |
+            no_log_contains: |-
               id "932236"|id "941110"
   - test_title: 9507100-2
     desc: ARGS:redirect_to tends to contain multiple special characters since it'll include the redirect URL
@@ -37,5 +37,5 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-login.php?redirect_to=;;;;;;;;;;;;
           output:
-            no_log_contains: |
+            no_log_contains: |-
               id "942430"|id "942431"|id "942432"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
index 281eda7..faa82a8 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507121.yaml
@@ -22,5 +22,5 @@ tests:
             uri: /post/wp-admin/admin-ajax.php
             data: |
               log=test&pwd=%3Cscript%3E&redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F&testcookie=1
-            no_log_contains: |
+            no_log_contains: |-
               id "932236"|id "941110"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
index 5325a23..21c0b4d 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507139.yaml
@@ -23,5 +23,5 @@ tests:
             uri: /post/wp-json/wp/v2/global-styles/1?wp_theme_preview=twentytwentyfour&_locale=user
             data: |
               {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
-            no_log_contains: |
+            no_log_contains: |-
               id "942100|id "942440"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
index 227d586..1a6c946 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507140.yaml
@@ -26,5 +26,5 @@ tests:
             data: |
               {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
               <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
-            no_log_contains: |
+            no_log_contains: |-
               id "932240"|id "932236"|id "941100"|id "941150"|id "941160"|id "941180"|id "941181"|id "941320"|id "942210"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942520"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
index 6fd1ea1..e4e1bad 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507201.yaml
@@ -24,5 +24,5 @@ tests:
               {"validation":"require-all-validate","requests":[{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:paragraph -->\n<p>test</p>\n<!--/wp:paragraph -->"}},"sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:search{\"label\":\"Search\",\"buttonText\":\"Search\"} /-->"}},
               "sidebar":"sidebar-1"},"method":"POST"},{"path":"/wp/v2/widgets","body":{"id_base":"block","instance":{"raw":{"content":"<!-- wp:table-->\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td></td><td></td></tr><tr><td></td><td></td></tr></tbody></table></figure>\n<!-- /wp:table-->"}},"sidebar":"sidebar-1"},"method":"POST"}]}
           output:
-            no_log_contains: |
+            no_log_contains: |-
               id "920272"|id "920273"|id "932200"|id "932236"|id "932240"|id "932370"|id "941150"|id "941180"|id "941181"|id "941320"|id "941330"|id "942130"|id "942131"|id "942200"|id "942210"|id "942260"|id "942330"|id "942340"|id "942370"|id "942430"|id "942431"|id "942432"|id "942440"|id "942460"|id "942520"
diff --git a/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml b/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
index 484648c..392060e 100644
--- a/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
+++ b/tests/regression/wordpress-rule-exclusions-plugin/9507350.yaml
@@ -20,7 +20,8 @@ tests:
             version: "HTTP/1.1"
             uri: /get/wp-admin/user-edit.php?user_id=9&wp_http_referer=%2Fwp-admin%2Fusers.php%3Fupdate%3Dadd%26id%3D9
           output:
-            no_log_contains: id "932236"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-2
     desc: Deleteing a user account
     stages:
@@ -37,8 +38,8 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-admin/users.php?s=&_wpnonce=random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
           output:
-            no_log_contains: |
-              id "920230"|id "942430"|id "942431"|id "942432"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-3
     desc: Disable 932236 for randomly generated nonce
     stages:
@@ -54,7 +55,8 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-admin/users.php?s=&_wpnonce=lsrandom&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
           output:
-            no_log_contains: id "932236"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-4
     desc: Disable 942450 for randomly generated nonce
     stages:
@@ -70,7 +72,8 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-admin/users.php?s=&_wpnonce=0x0800random&_wp_http_referer=%2Fwp-admin%2Fusers.php&action=delete&new_role=&paged=1&users%5B0%5D=9&action2=delete&new_role2=
           output:
-            no_log_contains: id "942450"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-5
     desc: Disable 932236 for randomly generated nonce
     stages:
@@ -86,7 +89,8 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-admin/users.php?s=&nonce=lsrandom
           output:
-            no_log_contains: id "932236"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-6
     desc: Disable 942450 for randomly generated nonce
     stages:
@@ -102,7 +106,8 @@ tests:
             version: "HTTP/1.1"
             uri: /post/wp-admin/users.php?s=&nonce=0x0800random
           output:
-            no_log_contains: id "942450"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-7
     desc: Requesting a static file with randomly generated version
     stages:
@@ -118,7 +123,8 @@ tests:
             version: "HTTP/1.1"
             uri: /get/example.js?ver=lsrandom
           output:
-            no_log_contains: id "932236"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
   - test_title: 9507350-8
     desc: Requesting a static file with randomly generated version
     stages:
@@ -134,4 +140,25 @@ tests:
             version: "HTTP/1.1"
             uri: /get/example.js?ver=0x0000
           output:
-            no_log_contains: id "942450"
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"
+  - test_title: 9507350-9
+    desc: Editing tags
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Content-Type: application/x-www-form-urlencoded
+            port: 80
+            method: POST
+            version: "HTTP/1.1"
+            uri: /post/wp-admin/edit-tags.php
+            data: |
+              _wp_http_referer=/wp-admin/term.php?taxonomy=post_tag&tag_ID=12&post_type=post&wp_http_referer=%2Fwp-admin%2Fedit-tags.php%3Ftaxonomy%3Dpost_tag
+          output:
+            no_log_contains: |-
+              id "920230"|id "932235"|id "932236"|id "942430"|id "942431"|id "942432"|id "942450"