Skip to content
This repository was archived by the owner on Nov 8, 2023. It is now read-only.

Commit b77c172

Browse files
author
Giovanni Dante Grazioli
committed
Added regression test on FILE_EXT confusion
1 parent 9b934fc commit b77c172

File tree

1 file changed

+60
-0
lines changed

1 file changed

+60
-0
lines changed

t/29regression.t

+60
Original file line numberDiff line numberDiff line change
@@ -276,3 +276,63 @@ location /RequestDenied {
276276
GET /wp-includes/js/plupload/plupload.flash.swf/xxx/?a=bui&FOOBAR
277277
--- error_code: 404
278278
279+
=== TEST 4 - regression on FILE_EXT being detected in BODY
280+
--- user_files
281+
>>> my-account/profile
282+
eh yo
283+
--- main_config
284+
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
285+
--- http_config
286+
include /tmp/naxsi_ut/naxsi_core.rules;
287+
MainRule negative "rx:^[\.a-z0-9_\- ]+$" "mz:FILE_EXT" "s:$UPLOAD:8" id:1502;
288+
MainRule "rx:\.ph|\.asp|\.hta|\.htp" "mz:FILE_EXT" "s:$UWA:8" id:123456;
289+
--- config
290+
set $naxsi_json_log 1;
291+
location / {
292+
BasicRule wl:1000,1001,1002,1005,1007,1010,1011,1015,1016,1100,1101,1200,1315 "mz:$HEADERS_VAR:cookie";
293+
BasicRule wl:1310,1311 "mz:$URL_X:^/my-account/profile|BODY|NAME";
294+
BasicRule wl:17,1010,1011,1015,1200 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^sportactivities\[[0-9]\]\.";
295+
BasicRule wl:17,1010,1011,1015,1200 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^addresses\[[0-9]\]\.";
296+
BasicRule wl:1009,1101 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^return";
297+
298+
SecRulesEnabled;
299+
LearningMode;
300+
LibInjectionSql;
301+
LibInjectionXss;
302+
303+
DeniedUrl "/RequestDenied";
304+
CheckRule "$SQL >= 8" BLOCK;
305+
CheckRule "$RFI >= 8" BLOCK;
306+
CheckRule "$TRAVERSAL >= 5" BLOCK;
307+
CheckRule "$UPLOAD >= 5" BLOCK;
308+
CheckRule "$XSS >= 8" BLOCK;
309+
CheckRule "$UWA >= 8" DROP;
310+
CheckRule "$EVADE >= 8" BLOCK;
311+
CheckRule "$LOG >= 1" LOG;
312+
313+
root $TEST_NGINX_SERVROOT/html/;
314+
index index.html index.htm;
315+
error_page 405 = $uri;
316+
}
317+
location /RequestDenied {
318+
return 412;
319+
}
320+
--- raw_request eval
321+
"POST /my-account/profile HTTP/1.1\r
322+
Host: 127.0.0.1\r
323+
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0\r
324+
Accept: */*\r
325+
Accept-Language: en-US,en;q=0.5\r
326+
Accept-Encoding: gzip, deflate\r
327+
Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r
328+
X-Requested-With: XMLHttpRequest\r
329+
Content-Length: 2772\r
330+
Origin: https://127.0.0.1\r
331+
Connection: close\r
332+
Referer: http://127.0.0.1/my-account/profile/\r
333+
Cookie: t2s-p=ca0ac96b-6177-4e4a-f554-3f0a10469d9e; _gcl_au=1.1.1782048568.1605605979; gtm_nbpv=8; gtm_cookieConsent=1; __trossion=1605605980_1800_1__caa5d2de-ec72-4c61-b1c4-96bf4b22f5da%3A1605605980_1605607565_8_; __troRUID=caa5d2de-ec72-4c61-b1c4-96bf4b22f5da; __troSYNC=1; _pin_unauth=dWlkPU1EUTBZVFZqTXpNdE1EQTNOeTAwTURNd0xXSmlORGd0TTJZeU1EWmlaVGsxT1RCag; JSESSIONID=D426452D0BFCCAD4D384E972D7770861.Agassi; miniCartCount=0; _ga=GA1.2.243283519.1605605987; _gid=GA1.2.266115569.1605605987; _fbp=fb.1.1605605989339.1901530086; acceleratorSecureGUID=a21d40c7cdb55b323a686b37facfded200814ecf; customerFavoriteStore=SOME%2B-%2BPREMILHAT%7C%5B%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22lundi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22mardi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22mercredi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22jeudi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22vendredi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22weekDay%22%3A%22samedi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2219%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%22%22%2C%22weekDay%22%3A%22dimanche%22%2C%22closed%22%3Atrue%2C%22closingTime1%22%3A%22%22%2C%22openingTime2%22%3A%22%22%2C%22openingTime1%22%3A%22%22%7D%5D%7C%2FAllier-03%2FAAAAAA%C3%87ON-Pr%C3%A9milhat-03410%2FSOME-PREMILHAT%2F00574_000%2F; isFidelity=false; CLICKANDCOLLECT-customerInformations=c29vb29vb29vb0BhYWFhYWEuY29t|Test+Test%2CTest|MTExMTExMTExMTExMQ==|; isNewCustomer=true; t2s-rank=rank1; _dc_gtm_UA-52322712-6=1; _uetsid=d060e34028b811eb8d3ef174562c91c3; _uetvid=d060d20028b811eb98dc9b58b7dbeb20\r
334+
\r
335+
title=mr&firstName=Test+Test&lastName=Test&phoneNumber=1111111111&phoneCountry.isocode=FR&email=sooooooooo%40aaaaaa.com&addresses%5B0%5D.id=9189547245591&addresses%5B0%5D.defaultAddress=true&addresses%5B0%5D.lastName=Test&addresses%5B0%5D.firstName=Test+Test&addresses%5B0%5D.postalCode=75013&addresses%5B0%5D.town=PARIS&addresses%5B0%5D.line1=6+ALLEE+PARIS+IVRY&addresses%5B0%5D.country.isocode=FR&addresses%5B0%5D.addressPhoneCountry.isocode=FR&addresses%5B0%5D.phone=0755911324&addresses%5B0%5D.billingAddress=true&child-count=0&sportActivities%5B0%5D.name=Course+%C3%A0+pied&sportActivities%5B0%5D.code=4&sportActivities%5B0%5D.id=&sportActivities%5B0%5D.me=&sportActivities%5B0%5D.myChildren=&sportActivities%5B1%5D.name=Cycles+(V%C3%A9lo%2C+VTT%2C+%E2%80%A6)&sportActivities%5B1%5D.code=1&sportActivities%5B1%5D.id=&sportActivities%5B1%5D.me=&sportActivities%5B1%5D.myChildren=&sportActivities%5B2%5D.name=Danse%2C+gymnastique%2C+fitness&sportActivities%5B2%5D.code=3&sportActivities%5B2%5D.id=&sportActivities%5B2%5D.me=&sportActivities%5B2%5D.myChildren=&sportActivities%5B3%5D.name=Musculation&sportActivities%5B3%5D.code=5&sportActivities%5B3%5D.id=&sportActivities%5B3%5D.me=&sportActivities%5B3%5D.myChildren=&sportActivities%5B4%5D.name=Randonn%C3%A9es&sportActivities%5B4%5D.code=10&sportActivities%5B4%5D.id=&sportActivities%5B4%5D.me=&sportActivities%5B4%5D.myChildren=&sportActivities%5B5%5D.name=Roller&sportActivities%5B5%5D.code=2&sportActivities%5B5%5D.id=&sportActivities%5B5%5D.me=&sportActivities%5B5%5D.myChildren=&sportActivities%5B6%5D.name=Ski&sportActivities%5B6%5D.code=14&sportActivities%5B6%5D.id=&sportActivities%5B6%5D.me=&sportActivities%5B6%5D.myChildren=&sportActivities%5B7%5D.name=Sport+d'eau+(Natation%2C+surf%2C+voile%2C+%E2%80%A6)&sportActivities%5B7%5D.code=12&sportActivities%5B7%5D.id=&sportActivities%5B7%5D.me=&sportActivities%5B7%5D.myChildren=&sportActivities%5B8%5D.name=Sports+collectifs+(Foot%2C+rugby%2C+basket%2C+%E2%80%A6)&sportActivities%5B8%5D.code=7&sportActivities%5B8%5D.id=&sportActivities%5B8%5D.me=&sportActivities%5B8%5D.myChildren=&sportActivities%5B9%5D.name=Sports+de+combat+(Judo%2C+karat%C3%A9%2C+aikido%2C+%E2%80%A6)&sportActivities%5B9%5D.code=13&sportActivities%5B9%5D.id=&sportActivities%5B9%5D.me=&sportActivities%5B9%5D.myChildren=&sportActivities%5B10%5D.name=Sports+de+raquette&sportActivities%5B10%5D.code=8&sportActivities%5B10%5D.id=&sportActivities%5B10%5D.me=&sportActivities%5B10%5D.myChildren=&sportActivities%5B11%5D.name=Autres&sportActivities%5B11%5D.code=6&sportActivities%5B11%5D.id=&sportActivities%5B11%5D.me=&sportActivities%5B11%5D.myChildren=&birthdate=12%2F11%2F1999&isWebNewsletterSubscribed=false&isSmsNewsletterSubscribed=false&CSRFToken=e87a083d-9743-4d47-8d60-d25e5f00e15e\r
336+
"
337+
--- error_code: 200
338+

0 commit comments

Comments
 (0)