Errors when parsing two CRS files

[otzarri]

Hello team. Thank you for your work in this project. I'm using Caddy and Coraza for the first time to evaluate them to build a WAF-enabled reverse proxy for HTTPS and I found some problems when loading two CRS rules to coraza-caddy. I hope this information to be helpful, if I can help with anything more, please, let me know.

Problem description

Coraza-caddy fails when parsing these CRS files from:

• REQUEST-920-PROTOCOL-ENFORCEMENT.conf
• REQUEST-922-MULTIPART-ATTACK.conf
  

Environment details

Operating system:

$ lsb_release -a
LSB Version:    n/a
Distributor ID: ManjaroLinux
Description:    Manjaro Linux
Release:        22.0.0
Codename:       Sikaris

Go version:

$ go version
go version go1.18 linux/amd64

How to reproduce the problem

Install coraza-caddy following these steps (Using go 1.18):

$ go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
$ xcaddy build --with github.com/corazawaf/coraza-caddy

Download the Coraza configuration file and clone ModSecurity CRS repository:

$ wget https://github.com/raw/corazawaf/coraza/v2/master/coraza.conf-recommended
$ git clone https://github.com/coreruleset/coreruleset

Create the Caddyfile. In this Caddyfile I commented include ./coreruleset/rules/*.conf and added an include call for each rule file. This way I identified the two files which are causing problems. These files are commented in the Caddyfile.

{
        order coraza_waf first
}

http://127.0.0.1:8080 {
        coraza_waf {
                include ./coraza.conf-recommended
                include ./coreruleset/crs-setup.conf.example
                # include ./coreruleset/rules/*.conf
                include coreruleset/rules/REQUEST-901-INITIALIZATION.conf
                include coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
                include coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
                include coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
                # include coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
                include coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
                # include coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
                include coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
                include coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
                include coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
                include coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
                include coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
                include coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
                include coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
                include coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
                include coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
                include coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
                include coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
                include coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
                include coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
                include coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
                include coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
                include coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
                include coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
                include coreruleset/rules/RESPONSE-980-CORRELATION.conf
        }
        reverse_proxy http://127.0.0.1:9090
}

If you run caddy now it will work well.

./caddy run

To reproduce one of the errors, uncomment line include coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf and execute ./caddy run.

To reproduce the other error, comment the include coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf line again, uncomment the line include coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf, and execute ./caddy run.

Output when parsing REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'waf': provision http.handlers.waf: failed to compile rule (error parsing regexp: invalid nested repetition operator: `*+`): REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" "id:920600,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept header: charset parameter',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc1',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Output when parsing REQUEST-922-MULTIPART-ATTACK.conf

Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'waf': provision http.handlers.waf: failed to compile rule (unknown variable): &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" "id:922100,phase:2,block,t:none,msg:'Multipart content type global _charset_ definition is not allowed by policy',logdata:'Matched Data: %{ARGS._charset_}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-multipart-header',tag:'OWASP_CRS',tag:'capec/1000/255/153',tag:'paranoia-level/1',ver:'OWASP_CRS/4.0.0-rc1',severity:'CRITICAL',chain"

[jptosso]

Hey @otzarri glad you are enjoying the project. CRS upgrade to v4 has been a bit rough and they are making constant changes and we have to keep up with new modsec features. We are aware of the lack of MULTIPART_PART_HEADERS and we have to implement it ASAP.

I will move this PR to the core coraza repo and link the PR.

Thank you!