1#vi:filetype=perl
2
3
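# TODO: add a test case with a rule on a generic header.
# TODO: add the same test case on arguments.

# Strictures first: the harness calls below are all exported by
# Test::Nginx::Socket, so nothing here relies on soft references or
# unqualified globals.
use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

# Each block in __DATA__ is run repeat_each() times; declare the plan
# before run_tests() so the harness can check the expected test count.
plan tests => repeat_each(2) * blocks();
no_root_location();
no_long_string();

# The nginx config blocks below reference $TEST_NGINX_SERVROOT in their
# `root` directive; export it so the served files resolve under the test
# server root rather than a hard-coded path.
$ENV{TEST_NGINX_SERVROOT} = server_root();

# Blocks 5.x exercise whitelists scoped to a named argument and a URL
# (BasicRule wl:... "mz:$ARGS_VAR:...|$URL:..."); blocks 6.x try to make
# a $URL:x|ARGS whitelist collide with an argument literally named "x".
run_tests();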
16__DATA__
17=== WL TEST 5.0: Two whitelists on two named arguments, same URL
18--- user_files
19>>> buixor
20eh yo
21--- main_config
22load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
23--- http_config
24include /tmp/naxsi_ut/naxsi_core.rules;
25MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
26MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
27--- config
28location / {
29	 #LearningMode;
30	 SecRulesEnabled;
31	 DeniedUrl "/RequestDenied";
32	 CheckRule "$SQL >= 8" BLOCK;
33	 CheckRule "$RFI >= 8" BLOCK;
34	 CheckRule "$TRAVERSAL >= 4" BLOCK;
35	 CheckRule "$XSS >= 8" BLOCK;
36  	 root $TEST_NGINX_SERVROOT/html/;
37         index index.html index.htm;
38	 BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
39	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
40}
41location /RequestDenied {
42	 return 412;
43}
44--- request
45GET /buixor?bla=1999
46--- error_code: 200
47=== WL TEST 5.1: Two whitelists on two named arguments, same URL
48--- user_files
49>>> buixor
50eh yo
51--- main_config
52load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
53--- http_config
54include /tmp/naxsi_ut/naxsi_core.rules;
55MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
56MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
57--- config
58location / {
59	 #LearningMode;
60	 SecRulesEnabled;
61	 DeniedUrl "/RequestDenied";
62	 CheckRule "$SQL >= 8" BLOCK;
63	 CheckRule "$RFI >= 8" BLOCK;
64	 CheckRule "$TRAVERSAL >= 4" BLOCK;
65	 CheckRule "$XSS >= 8" BLOCK;
66  	 root $TEST_NGINX_SERVROOT/html/;
67         index index.html index.htm;
68	 BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
69	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
70}
71location /RequestDenied {
72	 return 412;
73}
74--- request
75GET /buixor?blu=1999
76--- error_code: 412
77=== WL TEST 5.2: Two whitelists on two named arguments, same URL
78--- user_files
79>>> buixor
80eh yo
81--- main_config
82load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
83--- http_config
84include /tmp/naxsi_ut/naxsi_core.rules;
85MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
86MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
87--- config
88location / {
89	 #LearningMode;
90	 SecRulesEnabled;
91	 DeniedUrl "/RequestDenied";
92	 CheckRule "$SQL >= 8" BLOCK;
93	 CheckRule "$RFI >= 8" BLOCK;
94	 CheckRule "$TRAVERSAL >= 4" BLOCK;
95	 CheckRule "$XSS >= 8" BLOCK;
96  	 root $TEST_NGINX_SERVROOT/html/;
97         index index.html index.htm;
98	 BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
99	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
100}
101location /RequestDenied {
102	 return 412;
103}
104--- request
105GET /buixor?bla=1999&blu=1998
106--- error_code: 200
107=== WL TEST 5.3: Two whitelists on two named arguments, same URL
108--- user_files
109>>> buixor
110eh yo
111--- main_config
112load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
113--- http_config
114include /tmp/naxsi_ut/naxsi_core.rules;
115MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
116MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
117--- config
118location / {
119	 #LearningMode;
120	 SecRulesEnabled;
121	 DeniedUrl "/RequestDenied";
122	 CheckRule "$SQL >= 8" BLOCK;
123	 CheckRule "$RFI >= 8" BLOCK;
124	 CheckRule "$TRAVERSAL >= 4" BLOCK;
125	 CheckRule "$XSS >= 8" BLOCK;
126  	 root $TEST_NGINX_SERVROOT/html/;
127         index index.html index.htm;
128	 BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/buixor";
129	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
130}
131location /RequestDenied {
132	 return 412;
133}
134--- request
135GET /?buixor=1998
136--- error_code: 412
137=== WL TEST 5.4: Whitelists on ARGS/URLs that are URLencoded
138--- user_files
139>>> buixor
140eh yo
141--- main_config
142load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
143--- http_config
144include /tmp/naxsi_ut/naxsi_core.rules;
145MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
146MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
147--- config
148location / {
149	 #LearningMode;
150	 SecRulesEnabled;
151	 DeniedUrl "/RequestDenied";
152	 CheckRule "$SQL >= 8" BLOCK;
153	 CheckRule "$RFI >= 8" BLOCK;
154	 CheckRule "$TRAVERSAL >= 4" BLOCK;
155	 CheckRule "$XSS >= 8" BLOCK;
156  	 root $TEST_NGINX_SERVROOT/html/;
157         index index.html index.htm;
158	 BasicRule wl:1999 "mz:$ARGS_VAR:b_@_la|$URL:/buixor";
159	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
160}
161location /RequestDenied {
162	 return 412;
163}
164--- request
165GET /buixor?b_@_la=1999
166--- error_code: 200
167
168=== WL TEST 5.5: Whitelists on ARGS/URLs that are URLencoded
169--- user_files
170>>> buixor
171eh yo
172--- main_config
173load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
174--- http_config
175include /tmp/naxsi_ut/naxsi_core.rules;
176MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
177MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
178--- config
179location / {
180	 #LearningMode;
181	 SecRulesEnabled;
182	 DeniedUrl "/RequestDenied";
183	 CheckRule "$SQL >= 8" BLOCK;
184	 CheckRule "$RFI >= 8" BLOCK;
185	 CheckRule "$TRAVERSAL >= 4" BLOCK;
186	 CheckRule "$XSS >= 8" BLOCK;
187  	 root $TEST_NGINX_SERVROOT/html/;
188         index index.html index.htm;
189	 BasicRule wl:1999 "mz:$ARGS_VAR:b[]la|$URL:/buixor";
190	 BasicRule wl:1998 "mz:$ARGS_VAR:blu|$URL:/buixor";
191}
192location /RequestDenied {
193	 return 412;
194}
195--- request
196GET /buixor?b]la=1999
197--- error_code: 412
198
199=== WL TEST 6: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
200--- user_files
201>>> buixor
202eh yo
203>>> bla
204eh yo
205--- main_config
206load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
207--- http_config
208include /tmp/naxsi_ut/naxsi_core.rules;
209MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
210MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
211--- config
212location / {
213	 #LearningMode;
214	 SecRulesEnabled;
215	 DeniedUrl "/RequestDenied";
216	 CheckRule "$SQL >= 8" BLOCK;
217	 CheckRule "$RFI >= 8" BLOCK;
218	 CheckRule "$TRAVERSAL >= 4" BLOCK;
219	 CheckRule "$XSS >= 8" BLOCK;
220  	 root $TEST_NGINX_SERVROOT/html/;
221         index index.html index.htm;
222#	 BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
223	 BasicRule wl:1998 "mz:$URL:/bla|ARGS";
224}
225location /RequestDenied {
226	 return 412;
227}
228--- request
229GET /bla?1998
230--- error_code: 200
231
232=== WL TEST 6.0: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
233--- user_files
234>>> buixor
235eh yo
236--- main_config
237load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
238--- http_config
239include /tmp/naxsi_ut/naxsi_core.rules;
240MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
241MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
242--- config
243location / {
244	 #LearningMode;
245	 SecRulesEnabled;
246	 DeniedUrl "/RequestDenied";
247	 CheckRule "$SQL >= 8" BLOCK;
248	 CheckRule "$RFI >= 8" BLOCK;
249	 CheckRule "$TRAVERSAL >= 4" BLOCK;
250	 CheckRule "$XSS >= 8" BLOCK;
251  	 root $TEST_NGINX_SERVROOT/html/;
252         index index.html index.htm;
253#	 BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
254	 BasicRule wl:1998 "mz:$URL:/bla|ARGS";
255}
256location /RequestDenied {
257	 return 412;
258}
259--- request
260GET /?/bla=1998
261--- error_code: 412
262
263=== WL TEST 6.1: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
264--- user_files
265>>> buixor
266eh yo
267>>> bla
268eh yo
269--- main_config
270load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
271--- http_config
272include /tmp/naxsi_ut/naxsi_core.rules;
273MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
274MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
275--- config
276location / {
277	 #LearningMode;
278	 SecRulesEnabled;
279	 DeniedUrl "/RequestDenied";
280	 CheckRule "$SQL >= 8" BLOCK;
281	 CheckRule "$RFI >= 8" BLOCK;
282	 CheckRule "$TRAVERSAL >= 4" BLOCK;
283	 CheckRule "$XSS >= 8" BLOCK;
284  	 root $TEST_NGINX_SERVROOT/html/;
285         index index.html index.htm;
286	 BasicRule wl:1999 "mz:$ARGS_VAR:bla";
287	 BasicRule wl:1998 "mz:$URL:/bla|ARGS";
288}
289location /RequestDenied {
290	 return 412;
291}
292--- request
293GET /bla?bla=1999&toto=1998
294--- error_code: 200
295
296=== WL TEST 6.2: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
297--- user_files
298>>> buixor
299eh yo
300--- main_config
301load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
302--- http_config
303include /tmp/naxsi_ut/naxsi_core.rules;
304MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
305MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
306--- config
307location / {
308	 #LearningMode;
309	 SecRulesEnabled;
310	 DeniedUrl "/RequestDenied";
311	 CheckRule "$SQL >= 8" BLOCK;
312	 CheckRule "$RFI >= 8" BLOCK;
313	 CheckRule "$TRAVERSAL >= 4" BLOCK;
314	 CheckRule "$XSS >= 8" BLOCK;
315  	 root $TEST_NGINX_SERVROOT/html/;
316         index index.html index.htm;
317	 BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
318	 BasicRule wl:1998 "mz:$URL:/bla|ARGS";
319}
320location /RequestDenied {
321	 return 412;
322}
323--- request
324GET /buixor?/bla=1999
325--- error_code: 200
326
327=== WL TEST 6.3: Whitelists trying to provoke collisions ($ARGS_VAR:x + $URL:x|ARGS)
328--- user_files
329>>> buixor
330eh yo
331>>> bla
332eh yo
333--- main_config
334load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
335--- http_config
336include /tmp/naxsi_ut/naxsi_core.rules;
337MainRule "str:1998" "msg:foobar test pattern" "mz:ARGS" "s:$SQL:42" id:1998;
338MainRule "str:1999" "msg:foobar test pattern #2" "mz:ARGS" "s:$SQL:42" id:1999;
339--- config
340location / {
341	 #LearningMode;
342	 SecRulesEnabled;
343	 DeniedUrl "/RequestDenied";
344	 CheckRule "$SQL >= 8" BLOCK;
345	 CheckRule "$RFI >= 8" BLOCK;
346	 CheckRule "$TRAVERSAL >= 4" BLOCK;
347	 CheckRule "$XSS >= 8" BLOCK;
348  	 root $TEST_NGINX_SERVROOT/html/;
349         index index.html index.htm;
350	 BasicRule wl:1999 "mz:$ARGS_VAR:/bla";
351	 BasicRule wl:1998 "mz:$URL:/bla|ARGS";
352}
353location /RequestDenied {
354	 return 412;
355}
356--- request
357GET /bla?/bla=1999&bu=1998
358--- error_code: 200
359
360