freebsd-ports/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json
Li-Wen Hsu 6939bbd197 security/modsecurity3: Add patch for CVE-2020-15598
PR:		249312
Submitted by:	Felipe Zipitria <fzipitria@perceptyx.com>
Approved by:	Marius Halden <marius.halden@modirum.com> (maintainer)
MFH:		2020Q3
Security:	CVE-2020-15598
2020-09-30 17:11:21 +00:00


--- test/test-cases/regression/variable-TX.json.orig 2020-01-13 13:09:28 UTC
+++ test/test-cases/regression/variable-TX.json
@@ -80,5 +80,143 @@
"SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"",
"SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\""
]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: capture group match after unused group",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=aadd",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"",
+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: empty capture group match followed by nonempty capture group",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=aadd",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"",
+ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: repeating capture group -- alternates",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=_abc123_",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\""
+ ]
+ },
+ {
+ "enabled":1,
+ "version_min":300000,
+ "title":"Testing Variables :: repeating capture group -- same (nested)",
+ "client":{
+ "ip":"200.249.12.31",
+ "port":123
+ },
+ "server":{
+ "ip":"200.249.12.31",
+ "port":80
+ },
+ "request":{
+ "uri":"/?key=a:5a:8a:9",
+ "method":"GET"
+ },
+ "response":{
+ "headers":{
+ "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+ "Content-Type":"text/html"
+ },
+ "body":[
+ "no need."
+ ]
+ },
+ "expected":{
+ "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9"
+ },
+ "rules":[
+ "SecRuleEngine On",
+ "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\""
+ ]
}
]
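Review bot: The first added case ("capture group match after unused group") gives its capturing rule two `id` actions, `id:1,...,id:16`, and no phase, while the three cases after it use a single id with an explicit `phase:1`; which id the rule ends up with then depends on how the rule parser treats the repeat. I would write it like its siblings: `"SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:16,phase:1,log,pass,capture\""`. The repeat looks copied from the pre-existing context rule just above the additions (`id:1,log,pass,capture,id:14`), which has the same shape. Separately, all four new cases check capture numbering on an argument that the pattern matches exactly once; if the CVE-2020-15598 fix is meant to bound how many matches `@rx` records per target (inferred from the commit title, not visible in this file), a case whose argument contains several matches, with an expectation on which `TX` entries are logged, would pin that behaviour as well.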