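use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

# naxsi JSON-body test suite (Test::Nginx::Socket data blocks below).
#
# Every block loads the naxsi module and its core rule set from
# /tmp/naxsi_ut, enables SecRulesEnabled in "location /" with BLOCK
# thresholds for $SQL/$RFI/$TRAVERSAL/$XSS, and points DeniedUrl at
# /RequestDenied, which answers 412.  So "error_code: 200" means the JSON
# body was let through and "error_code: 412" means naxsi blocked it.
#
# The blocks cover, in order:
#   0.1-0.2  a MainRule (id 1999, "str:foobar", mz:BODY) not matching /
#            matching a JSON value
#   0.3-0.8  whitelists (BasicRule wl:1999) scoped to BODY, $BODY_VAR:<name>,
#            and $BODY_VAR:<name>|$URL:<uri>, including a nested JSON key and
#            the negative cases (wrong URL, wrong key name)
#   0.9-1.0  a core-rule hit on a JSON *key* ("tr<igger") with no MainRule
#            present, then the $BODY_VAR:...|NAME whitelist that 1.0 uses
#            (wl:1302) to let it through
#   1.1-1.2  an empty key and a missing key
#   2.0-2.3  numeric / boolean / null values, and malformed JSON with a
#            missing "{" or "}" (both expected to be blocked)
#
# NOTE(review): "error_page 405 = $uri" presumably keeps a POST against the
# static root from failing with 405, which is why the pass status is 200 —
# confirm before changing it.

repeat_each(2);
plan tests => repeat_each() * blocks();

no_root_location();
no_long_string();

# The location blocks reference Test::Nginx's html/ directory through
# $TEST_NGINX_SERVROOT, so export the server root before running.
$ENV{TEST_NGINX_SERVROOT} = server_root();

run_tests();

__DATA__
=== json wl 0.1 : no rulematch
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : \"bar\"
}
"
--- error_code: 200

=== json wl 0.2 : rulematch
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : \"foobar\"
}
"
--- error_code: 412

=== json wl 0.3 : rulematch + wl on full zone
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:BODY";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : \"foobar\"
}
"
--- error_code: 200

=== json wl 0.4 : rulematch + wl on zone + varname
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$BODY_VAR:lol";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : \"foobar\"
}
"
--- error_code: 200

=== json wl 0.5 : rulematch + wl on zone + varname + url
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$BODY_VAR:lol|$URL:/test_uri";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"lol\" : \"foobar\"
}
"
--- error_code: 200

=== json wl 0.6 : rulematch + wl on zone + varname + url [fail]
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$BODY_VAR:lol|$URL:/test_uri";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : \"foobar\"
}
"
--- error_code: 412

=== json wl 0.7 : rulematch + wl on zone + varname (in sub-json element)
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$BODY_VAR:test_123|$URL:/test_uri";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
    \"this\" : { \"will\" : [\"work\", \"does\"],
    \"it\" : \"??\" },
    \"trigger\" : {\"test_123\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
    \"foo\" : \"baar\"
}
"
--- error_code: 200

=== json wl 0.8 : rulematch + wl on zone + varname (in sub-json element) [fail]
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1999 "mz:$BODY_VAR:test_123|$URL:/test_uri";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
    \"this\" : { \"will\" : [\"work\", \"does\"],
    \"it\" : \"??\" },
    \"trigger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
    \"foo\" : \"baar\"
}
"
--- error_code: 412

=== json wl 0.9 : match in varname
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
    \"this\" : { \"will\" : [\"work\", \"does\"],
    \"it\" : \"??\" },
    \"tr<igger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
    \"foo\" : \"baar\"
}
"
--- error_code: 412

=== json wl 1.0 : match in varname + wl on varname
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    BasicRule wl:1302 "mz:$BODY_VAR:tr<igger|NAME";
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
    \"this\" : { \"will\" : [\"work\", \"does\"],
    \"it\" : \"??\" },
    \"tr<igger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
    \"foo\" : \"baar\"
}
"
--- error_code: 200

=== json wl 1.1 : match (empty variable name)
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    \"\" : [\"there\", \"is\", \"no\", \"way\"]
}
"
--- error_code: 200

=== json wl 1.2 : match (no variable name)
--- user_files
>>> test_uri
eh yo
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /test_uri
{
    [\"there\", \"is\", \"no\", \"way\"]
}
"
--- error_code: 200

=== json wl 2.0 : malformed json (missing opening {)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /

    \"lol\" : \"bar\"
}
"
--- error_code: 412

=== json wl 2.1 : Numeric content json
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : 372
}
"
--- error_code: 200

=== json wl 2.2 : true/false content json
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : false,
    \"serious_stuff\" : true,
    \"extra_coverage\" : null
}
"
--- error_code: 200

=== json wl 2.3 : malformed json
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- more_headers
Content-Type: application/json
--- request eval
"POST /
{
    \"lol\" : false,
    \"serious_stuff\" : true,
    \"extra_coverage\" : null
"
--- error_code: 412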