fix(deps): update module github.com/corazawaf/coraza/v3 to v3.2.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/corazawaf/coraza/v3	v3.0.0-00010101000000-000000000000 -> v3.2.1

---

Release Notes

corazawaf/coraza (github.com/corazawaf/coraza/v3)

v3.2.1: Coraza 3.2.1

Compare Source

This is a quick patch release to fix a potential data race that was noticed right after v3.2.0 (Thanks @​MarcWort for reporting it!) and a minor fix about logging.

What's Changed

• fix: race condition on StrID by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1084
• fix: makes max size log message CRS correlation rule friendly by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1085

Full Changelog: v3.2.0...v3.2.1

v3.2.0: Version 3.2.0

Compare Source

Coraza v3.2.0 comes with:

• Support for SecRuleUpdateTargetByTag, Base64DecodeExt, extended support for ranges of IDs with SecRuleUpdateTargetByID.
• Support for case-sensitive matching for ARGS keys. It currently comes under the coraza.rule.case_sensitive_args_keys. Mind that, in compliance with RFC 3986 specification, it is planned to become the default behavior starting from the next major version.
• Support for auditlog formatters for tinygo builds.
• Various bug fixes, among other things, around log generation and Coraza middleware.
• Performance implements and reduced memory allocation mostly thanks to @​noboruma.
• Updated CRS support to the latest CRS v4.3.0 version.

What's Changed

• fix(deps): update module github.com/tidwall/gjson to v1.17.1 by @​renovate in https://github.com/corazawaf/coraza/pull/1004
• fix(deps): update module golang.org/x/net to v0.22.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1011
• feat: expose expected directives for e2e test by @​fionera in https://github.com/corazawaf/coraza/pull/1012
• avoid executing costly With if noop logger by @​noboruma in https://github.com/corazawaf/coraza/pull/1015
• tests: covers eq operator. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/1002
• fix: RegisterWriter/RegisterFormatter case insensitive by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1026
• feat: Implements SecRuleUpdateTargetByTag, extends ByID with ranges by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1020
• tests: covers zero case in eq operator. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/1029
• feat: registers RegisterFormatters for tinygo by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1027
• fix(deps): update module golang.org/x/net to v0.23.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1033
• Fix: audit logs RelevantOnly match if interruption happens by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1025
• tests: adds logs for unexpected status code. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/1037
• fix(deps): update module golang.org/x/net to v0.24.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1035
• cache Rule ID string version by @​noboruma in https://github.com/corazawaf/coraza/pull/1039
• chore: adds fs access check at startup time by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1030
• Add support for Base64DecodeExt by @​soujanyanmbri in https://github.com/corazawaf/coraza/pull/1046
• fix: FuzzB64Decode regexp match for fuzzing by @​fzipi in https://github.com/corazawaf/coraza/pull/1054
• chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 in /testing/coreruleset in the go_modules group across 1 directory by @​dependabot in https://github.com/corazawaf/coraza/pull/1043
• fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.13.4 by @​renovate in https://github.com/corazawaf/coraza/pull/1001
• fix(deps): update module github.com/petar-dambovaliev/aho-corasick to v0.0.0-20240411101913-e07a1f0e8eb4 by @​renovate in https://github.com/corazawaf/coraza/pull/1057
• feat: add new maps with case sensitive keys by @​fzipi in https://github.com/corazawaf/coraza/pull/1055
• fix: http parameter pollution test cases by @​fzipi in https://github.com/corazawaf/coraza/pull/1058
• fix(deps): update module golang.org/x/sync to v0.7.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1034
• fix(deps): update module golang.org/x/net to v0.25.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1060
• fix: RemoveTargetById Args in multiphase mode by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1061
• fix: headers leaked during interruptions at phase 3/4 by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1062
• chore: deletes content temporary file on close. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/924
• chore: upgrades to CRS 4.1. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/1032
• chore: updates CRS tests to CRS4.2 by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1066
• fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.14.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1067
• feat: add support for case sensitive args by @​fzipi in https://github.com/corazawaf/coraza/pull/1059
• fix: logs multiple vars matched by same rule by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1074
• fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1076
• fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.1 by @​renovate in https://github.com/corazawaf/coraza/pull/1079
• fix(deps): update module golang.org/x/net to v0.26.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1075
• fix: setters of INBOUND_DATA_ERROR and OUTBOUND_DATA_ERROR by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1078
• fix(deps): update module github.com/rs/zerolog to v1.33.0 by @​renovate in https://github.com/corazawaf/coraza/pull/1073
• chore: updates CRS tests to CRS4.3 by @​M4tteoP in https://github.com/corazawaf/coraza/pull/1081

New Contributors (thanks a lot!)

• @​fionera made their first contribution in https://github.com/corazawaf/coraza/pull/1012
• @​noboruma made their first contribution in https://github.com/corazawaf/coraza/pull/1015
• @​soujanyanmbri made their first contribution in https://github.com/corazawaf/coraza/pull/1046

Full Changelog: v3.1.0...v3.2.0

v3.1.0: Version 3.1.0

Compare Source

This is a new minor version release with emphasis in improving the overall logging experience, fixes for interoperability of the http middleware with other middlewares, better defaults, various fixes and a few new features like the uppercase transformation, the raw body processor (both thanks to @​blotus) and a way to pass a context into a transaction to be later retrieved the error log callback.

What's Changed

• chore: improve GetField logic by @​jptosso in https://github.com/corazawaf/coraza/pull/897
• chore: setvar minor fix, tests, added warning when missing variable, deprecates usage of tx.LogData by @​M4tteoP in https://github.com/corazawaf/coraza/pull/892
• chore: fixes audit log. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/889
• fix http.Flusher and io.ReaderFrom implementation by @​romainmenke in https://github.com/corazawaf/coraza/pull/923
• fix: stack overflow in ReadFrom by @​romainmenke in https://github.com/corazawaf/coraza/pull/925
• fix: Disables implicit Cookies url decoding by @​M4tteoP in https://github.com/corazawaf/coraza/pull/928
• feat: add uppercase transformation by @​blotus in https://github.com/corazawaf/coraza/pull/935
• fix: parse multiple cookies with spaces by @​fzipi in https://github.com/corazawaf/coraza/pull/943
• fix: more forgiving base64 transformation [custom implementation] by @​M4tteoP in https://github.com/corazawaf/coraza/pull/944
• fix: filling variables struct to complete audit info by @​CArellanoOrbik in https://github.com/corazawaf/coraza/pull/968
• feat: adds context to transaction. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/963
• feat: improves logging. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/971
• feat: add raw body processor by @​blotus in https://github.com/corazawaf/coraza/pull/983
• chore: updates CRS tests to CRS 4.0.0-rc2 by @​M4tteoP in https://github.com/corazawaf/coraza/pull/899
• fix(seclang): merge chained raw rules by @​jptosso in https://github.com/corazawaf/coraza/pull/985
• fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests by @​M4tteoP in https://github.com/corazawaf/coraza/pull/895
• chore: Go 1.20 as minimum supported version by @​jcchavezs in https://github.com/corazawaf/coraza/pull/996
• chore: upgrades go-ftw to 0.6.4. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/998

New Contributors (thanks a lot!)

• @​testwill made their first contribution in https://github.com/corazawaf/coraza/pull/894
• @​renovate made their first contribution in https://github.com/corazawaf/coraza/pull/903
• @​romainmenke made their first contribution in https://github.com/corazawaf/coraza/pull/923
• @​blotus made their first contribution in https://github.com/corazawaf/coraza/pull/935
• @​CArellanoOrbik made their first contribution in https://github.com/corazawaf/coraza/pull/968

Full Changelog: v3.0.4...v3.1.0

v3.0.4: Version 3.0.4

Compare Source

What's Changed

• chore(deps): bump golang.org/x/sync from 0.1.0 to 0.3.0 by @​dependabot in https://github.com/corazawaf/coraza/pull/862
• chore: upgrades coraza to latest aho-corasick. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/867
• fix: Logs print different messages for each the disruptive actions by @​M4tteoP in https://github.com/corazawaf/coraza/pull/827
• chore(deps): bump github.com/tidwall/gjson from 1.14.4 to 1.17.0 by @​dependabot in https://github.com/corazawaf/coraza/pull/878

Full Changelog: v3.0.3...v3.0.4

v3.0.3: Version 3.0.3

Compare Source

What's Changed

• chore(readme): explicits CRS supported version by @​M4tteoP in https://github.com/corazawaf/coraza/pull/834
• chore: adds go mod tidy and go work sync for all modules. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/835
• adds more verbosity on go mod tidy errors by @​jcchavezs in https://github.com/corazawaf/coraza/pull/837
• add https audit log support by @​jptosso in https://github.com/corazawaf/coraza/pull/826
• chore: fixes e2e pkg. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/841
• chore: updates e2e standalone command by @​M4tteoP in https://github.com/corazawaf/coraza/pull/845
• Adds Log() to MatchedRule, fixes audit log without log by @​M4tteoP in https://github.com/corazawaf/coraza/pull/848
• chore(e2e): check response body read error only if a body is expected by @​M4tteoP in https://github.com/corazawaf/coraza/pull/852
• chore: drops benchmark CI. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/857
• implement https mime by @​jptosso in https://github.com/corazawaf/coraza/pull/850
• chore: adds memoize implementation for regexes and ahocorasick by @​jcchavezs in https://github.com/corazawaf/coraza/pull/836

Full Changelog: v3.0.2...v3.0.3

v3.0.2: Version 3.0.2

Compare Source

What's Changed

• fix: blocks body buffer reader once the body buffer has been reset. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/825
• fix: benchmark and propagate the status to not to swallow the failure by @​jcchavezs in https://github.com/corazawaf/coraza/pull/808

Full Changelog: v3.0.1...v3.0.2

v3.0.1

Compare Source

Important

This tag fixes a high-severity vulnerability. See GHSA-c2pj-v37r-2p6h

Full Changelog: v3.0.0...v3.0.1

v3.0.0

Compare Source

What's Changed

Coraza's latest v3.0.0 release brings a highly refactored engine that offers more flexibility and major improvements.

Notable changes include:

• Performance improvement: Performance has been improved by up to 100 times due to several key enhancements such as:
  • New debug logs system based on Zerolog for a fast and with low to zero allocations.
  • Cache transformation logic across the same transaction.
  • Optimized variable collection types.
• Refactored API: Coraza now relies on a more straightforward and user-friendly API.
• New Plugin Package: The new package simplifies the extension of Coraza's functionalities.
• Full CRS v4 Support: Coraza fully supports the CRS v4 branch, always making CRS compatibility of top priority. The CI now includes a CRS testing suite to guarantee a regression-free development.
• Cross-platform support: Both Go and TinyGo for WASM builds are now supported.
• New experimental Multiphase feature: Introducing a new way for early data evaluation and blocking.
• Dataset support: designed for in-config .data files emulation.

Contributors

Many thanks to all the contributors and users that made this release possible:

• @​anuraaga
• @​bxlxx
• @​codefromthecrypt
• @​fzipi
• @​Hayak3
• @​jcchavezs
• @​jptosso
• @​M4tteoP
• @​manojgop
• @​nacx
• @​ns-sundar
• @​piyushroshan
• @​ShiMing-Q
• @​sts
• @​y05h1k1ng
• @​zc2638

v3.0.0-rc.3

Compare Source

What's Changed

• registers pmFromDataset, fixes Dataset propagation, adds tests by @​M4tteoP in https://github.com/corazawaf/coraza/pull/777
• docs: update README and SECURITY by @​fzipi in https://github.com/corazawaf/coraza/pull/780
• Validate audit log parts by @​Hayak3 in https://github.com/corazawaf/coraza/pull/779
• Remove intermediate string allocation when writing match details log by @​anuraaga in https://github.com/corazawaf/coraza/pull/781
• fix: aligns multimatch to modsec behavior by @​M4tteoP in https://github.com/corazawaf/coraza/pull/778
• chore: increases rule.go test coverage by @​M4tteoP in https://github.com/corazawaf/coraza/pull/786
• remove wrong loop in matchData by @​Hayak3 in https://github.com/corazawaf/coraza/pull/785
• hotfix: fixes rule_test after merge by @​M4tteoP in https://github.com/corazawaf/coraza/pull/788
• chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 by @​dependabot in https://github.com/corazawaf/coraza/pull/791
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 by @​dependabot in https://github.com/corazawaf/coraza/pull/789
• feat(ci): stale only awaiting for feedback's issue by @​M4tteoP in https://github.com/corazawaf/coraza/pull/793
• Multiphase: chains further support, ARGS split, CRS like tests by @​M4tteoP in https://github.com/corazawaf/coraza/pull/719
• feat: adds auditlog plugins API by @​jcchavezs in https://github.com/corazawaf/coraza/pull/787
• fix/feat: Macro expansions, error logs redundancy, support msg/logdata in inner rules by @​M4tteoP in https://github.com/corazawaf/coraza/pull/792
• remove alpha disclosure from README by @​jptosso in https://github.com/corazawaf/coraza/pull/796
• breaking: removes code parameter from ErrorLog and AuditLog by @​M4tteoP in https://github.com/corazawaf/coraza/pull/800

New Contributors

• @​Hayak3 made their first contribution in https://github.com/corazawaf/coraza/pull/779

Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

v3.0.0-rc.2

Compare Source

What's Changed

• Use bitset for inferred phases by @​anuraaga in https://github.com/corazawaf/coraza/pull/727
• Document test failures due to regex matching arbitrary bytes by @​anuraaga in https://github.com/corazawaf/coraza/pull/730
• Enable multiline mode for rx by @​anuraaga in https://github.com/corazawaf/coraza/pull/732
• Use binaryregexp for rx operator by @​anuraaga in https://github.com/corazawaf/coraza/pull/731
• Add rx test case confirming case-insensitive rules will work by @​anuraaga in https://github.com/corazawaf/coraza/pull/733
• fix(ci): remove sonarcloud by @​fzipi in https://github.com/corazawaf/coraza/pull/738
• fix(bodyprocessors): fix forcerequestbodyvariable overriding processor by @​jptosso in https://github.com/corazawaf/coraza/pull/740
• fix(bodyprocessors): force response body overrides mime requirements by @​jptosso in https://github.com/corazawaf/coraza/pull/741
• chore: create plugins package. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/734
• chore: drops unused methods in TransactionState by @​jcchavezs in https://github.com/corazawaf/coraza/pull/739
• chore: describes currently excluded CRS excluded rules by @​M4tteoP in https://github.com/corazawaf/coraza/pull/744
• fix: fixes fuzz target. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/745
• Update tool versions by @​anuraaga in https://github.com/corazawaf/coraza/pull/710
• fix(action): Add many validations for setvar by @​jptosso in https://github.com/corazawaf/coraza/pull/747
• fix: adds full support for ruleRemoveById. by @​jcchavezs in https://github.com/corazawaf/coraza/pull/749
• Small simplification to macro readability by @​anuraaga in https://github.com/corazawaf/coraza/pull/751
• Remove Single.Set from API for now by @​anuraaga in https://github.com/corazawaf/coraza/pull/750
• chore: updates tests to latest CRS, updates go-ftw by @​M4tteoP in https://github.com/corazawaf/coraza/pull/752
• transform expireVar to noop by @​jptosso in https://github.com/corazawaf/coraza/pull/755
• Move remaining plugin-related logic to experimental by @​anuraaga in https://github.com/corazawaf/coraza/pull/753
• Small simplification to cmd_line code by @​anuraaga in https://github.com/corazawaf/coraza/pull/761
• Use standard library for base64 decode by @​anuraaga in https://github.com/corazawaf/coraza/pull/758
• Small simpflication to css_decode by @​anuraaga in https://github.com/corazawaf/coraza/pull/762
• Delegate to normalisePath from normalisePathWin by @​anuraaga in https://github.com/corazawaf/coraza/pull/763
• Append into output buffer for removecommentschar by @​anuraaga in https://github.com/corazawaf/coraza/pull/764
• chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 by @​dependabot in https://github.com/corazawaf/coraza/pull/766
• fix: synthesizes Transfer-Encoding header inside the transaction by @​M4tteoP in https://github.com/corazawaf/coraza/pull/768
• Include key size in ARGS_COMBINED_SIZE by @​anuraaga in https://github.com/corazawaf/coraza/pull/756

Full Changelog: v3.0.0-rc.1...v3.0.0-rc.2

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v3.2.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.