use strict;
use warnings;
use lib 'lib';
use Test::Nginx::Socket;

# Every block in __DATA__ supplies its own `location /` (and a
# `/RequestDenied` location), so the framework must not inject a root
# location of its own; plain string comparison keeps failure output readable.
no_root_location();
no_long_string();

# The `root` directives in the blocks interpolate $TEST_NGINX_SERVROOT.
$ENV{TEST_NGINX_SERVROOT} = server_root();

# The plan assumes exactly one assertion per block per repetition
# (each block checks only `--- error_code`).
plan tests => repeat_each(2) * blocks();

run_tests();
10__DATA__
11=== json wl 0.1 : no rulematch
12--- main_config
13load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
14--- http_config
15include /tmp/naxsi_ut/naxsi_core.rules;
16MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
17--- config
18location / {
19         SecRulesEnabled;
20         DeniedUrl "/RequestDenied";
21         CheckRule "$SQL >= 8" BLOCK;
22         CheckRule "$RFI >= 8" BLOCK;
23         CheckRule "$TRAVERSAL >= 4" BLOCK;
24         CheckRule "$XSS >= 8" BLOCK;
25         root $TEST_NGINX_SERVROOT/html/;
26         index index.html index.htm;
27	 error_page 405 = $uri;
28}
29location /RequestDenied {
30         return 412;
31}
32--- more_headers
33Content-Type: application/json
34--- request eval
35use URI::Escape;
36"POST /
37{
38 \"lol\" : \"bar\"
39}
40"
41--- error_code: 200
42=== json wl 0.2 : rulematch
43--- main_config
44load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
45--- http_config
46include /tmp/naxsi_ut/naxsi_core.rules;
47MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
48--- config
49location / {
50         SecRulesEnabled;
51         DeniedUrl "/RequestDenied";
52         CheckRule "$SQL >= 8" BLOCK;
53         CheckRule "$RFI >= 8" BLOCK;
54         CheckRule "$TRAVERSAL >= 4" BLOCK;
55         CheckRule "$XSS >= 8" BLOCK;
56         root $TEST_NGINX_SERVROOT/html/;
57         index index.html index.htm;
58	 error_page 405 = $uri;
59}
60location /RequestDenied {
61         return 412;
62}
63--- more_headers
64Content-Type: application/json
65--- request eval
66use URI::Escape;
67"POST /
68{
69 \"lol\" : \"foobar\"
70}
71"
72--- error_code: 412
73=== json wl 0.3 : rulematch + wl on full zone
74--- main_config
75load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
76--- http_config
77include /tmp/naxsi_ut/naxsi_core.rules;
78MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
79--- config
80location / {
81         SecRulesEnabled;
82         DeniedUrl "/RequestDenied";
83         CheckRule "$SQL >= 8" BLOCK;
84         CheckRule "$RFI >= 8" BLOCK;
85         CheckRule "$TRAVERSAL >= 4" BLOCK;
86         CheckRule "$XSS >= 8" BLOCK;
87         root $TEST_NGINX_SERVROOT/html/;
88         index index.html index.htm;
89	 BasicRule wl:1999 "mz:BODY";
90	 error_page 405 = $uri;
91}
92location /RequestDenied {
93         return 412;
94}
95--- more_headers
96Content-Type: application/json
97--- request eval
98use URI::Escape;
99"POST /
100{
101 \"lol\" : \"foobar\"
102}
103"
104--- error_code: 200
105=== json wl 0.4 : rulematch + wl on zone + varname
106--- main_config
107load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
108--- http_config
109include /tmp/naxsi_ut/naxsi_core.rules;
110MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
111--- config
112location / {
113         SecRulesEnabled;
114         DeniedUrl "/RequestDenied";
115         CheckRule "$SQL >= 8" BLOCK;
116         CheckRule "$RFI >= 8" BLOCK;
117         CheckRule "$TRAVERSAL >= 4" BLOCK;
118         CheckRule "$XSS >= 8" BLOCK;
119         root $TEST_NGINX_SERVROOT/html/;
120         index index.html index.htm;
121	 BasicRule wl:1999 "mz:$BODY_VAR:lol";
122	 error_page 405 = $uri;
123}
124location /RequestDenied {
125         return 412;
126}
127--- more_headers
128Content-Type: application/json
129--- request eval
130use URI::Escape;
131"POST /
132{
133 \"lol\" : \"foobar\"
134}
135"
136--- error_code: 200
137
138=== json wl 0.5 : rulematch + wl on zone + varname + url
139--- user_files
140>>> test_uri
141eh yo
142--- main_config
143load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
144--- http_config
145include /tmp/naxsi_ut/naxsi_core.rules;
146MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
147--- config
148location / {
149         SecRulesEnabled;
150         DeniedUrl "/RequestDenied";
151         CheckRule "$SQL >= 8" BLOCK;
152         CheckRule "$RFI >= 8" BLOCK;
153         CheckRule "$TRAVERSAL >= 4" BLOCK;
154         CheckRule "$XSS >= 8" BLOCK;
155         root $TEST_NGINX_SERVROOT/html/;
156         index index.html index.htm;
157	 BasicRule wl:1999 "mz:$BODY_VAR:lol|$URL:/test_uri";
158	 error_page 405 = $uri;
159}
160location /RequestDenied {
161         return 412;
162}
163--- more_headers
164Content-Type: application/json
165--- request eval
166use URI::Escape;
167"POST /test_uri
168{
169 \"lol\" : \"foobar\"
170}
171"
172--- error_code: 200
173
174=== json wl 0.6 : rulematch + wl on zone + varname + url [fail]
175--- user_files
176>>> test_uri
177eh yo
178--- main_config
179load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
180--- http_config
181include /tmp/naxsi_ut/naxsi_core.rules;
182MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
183--- config
184location / {
185         SecRulesEnabled;
186         DeniedUrl "/RequestDenied";
187         CheckRule "$SQL >= 8" BLOCK;
188         CheckRule "$RFI >= 8" BLOCK;
189         CheckRule "$TRAVERSAL >= 4" BLOCK;
190         CheckRule "$XSS >= 8" BLOCK;
191         root $TEST_NGINX_SERVROOT/html/;
192         index index.html index.htm;
193	 BasicRule wl:1999 "mz:$BODY_VAR:lol|$URL:/test_uri";
194	 error_page 405 = $uri;
195}
196location /RequestDenied {
197         return 412;
198}
199--- more_headers
200Content-Type: application/json
201--- request eval
202use URI::Escape;
203"POST /
204{
205 \"lol\" : \"foobar\"
206}
207"
208--- error_code: 412
209
210=== json wl 0.7 : rulematch + wl on zone + varname (in sub-json element)
211--- user_files
212>>> test_uri
213eh yo
214--- main_config
215load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
216--- http_config
217include /tmp/naxsi_ut/naxsi_core.rules;
218MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
219--- config
220location / {
221         SecRulesEnabled;
222         DeniedUrl "/RequestDenied";
223         CheckRule "$SQL >= 8" BLOCK;
224         CheckRule "$RFI >= 8" BLOCK;
225         CheckRule "$TRAVERSAL >= 4" BLOCK;
226         CheckRule "$XSS >= 8" BLOCK;
227         root $TEST_NGINX_SERVROOT/html/;
228         index index.html index.htm;
229	 BasicRule wl:1999 "mz:$BODY_VAR:test_123|$URL:/test_uri";
230	 error_page 405 = $uri;
231}
232location /RequestDenied {
233         return 412;
234}
235--- more_headers
236Content-Type: application/json
237--- request eval
238use URI::Escape;
239"POST /test_uri
240{
241  \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
242  \"this\" : { \"will\" : [\"work\", \"does\"],
243  \"it\" : \"??\" },
244  \"trigger\" : {\"test_123\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
245  \"foo\" : \"baar\"
246}
247"
248--- error_code: 200
249
250=== json wl 0.8 : rulematch + wl on zone + varname (in sub-json element) [fail]
251--- user_files
252>>> test_uri
253eh yo
254--- main_config
255load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
256--- http_config
257include /tmp/naxsi_ut/naxsi_core.rules;
258MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
259--- config
260location / {
261         SecRulesEnabled;
262         DeniedUrl "/RequestDenied";
263         CheckRule "$SQL >= 8" BLOCK;
264         CheckRule "$RFI >= 8" BLOCK;
265         CheckRule "$TRAVERSAL >= 4" BLOCK;
266         CheckRule "$XSS >= 8" BLOCK;
267         root $TEST_NGINX_SERVROOT/html/;
268         index index.html index.htm;
269	 BasicRule wl:1999 "mz:$BODY_VAR:test_123|$URL:/test_uri";
270	 error_page 405 = $uri;
271}
272location /RequestDenied {
273         return 412;
274}
275--- more_headers
276Content-Type: application/json
277--- request eval
278use URI::Escape;
279"POST /test_uri
280{
281  \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
282  \"this\" : { \"will\" : [\"work\", \"does\"],
283  \"it\" : \"??\" },
284  \"trigger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
285  \"foo\" : \"baar\"
286}
287"
288--- error_code: 412
289=== json wl 0.9 : match in varname
290--- user_files
291>>> test_uri
292eh yo
293--- main_config
294load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
295--- http_config
296include /tmp/naxsi_ut/naxsi_core.rules;
297--- config
298location / {
299         SecRulesEnabled;
300         DeniedUrl "/RequestDenied";
301         CheckRule "$SQL >= 8" BLOCK;
302         CheckRule "$RFI >= 8" BLOCK;
303         CheckRule "$TRAVERSAL >= 4" BLOCK;
304         CheckRule "$XSS >= 8" BLOCK;
305         root $TEST_NGINX_SERVROOT/html/;
306         index index.html index.htm;
307	 error_page 405 = $uri;
308}
309location /RequestDenied {
310         return 412;
311}
312--- more_headers
313Content-Type: application/json
314--- request eval
315use URI::Escape;
316"POST /test_uri
317{
318  \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
319  \"this\" : { \"will\" : [\"work\", \"does\"],
320  \"it\" : \"??\" },
321  \"tr<igger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
322  \"foo\" : \"baar\"
323}
324"
325--- error_code: 412
326=== json wl 1.0 : match in varname + wl on varname
327--- user_files
328>>> test_uri
329eh yo
330--- main_config
331load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
332--- http_config
333include /tmp/naxsi_ut/naxsi_core.rules;
334--- config
335location / {
336         SecRulesEnabled;
337         DeniedUrl "/RequestDenied";
338         CheckRule "$SQL >= 8" BLOCK;
339         CheckRule "$RFI >= 8" BLOCK;
340         CheckRule "$TRAVERSAL >= 4" BLOCK;
341         CheckRule "$XSS >= 8" BLOCK;
342         root $TEST_NGINX_SERVROOT/html/;
343         index index.html index.htm;
344	 BasicRule wl:1302 "mz:$BODY_VAR:tr<igger|NAME";
345	 error_page 405 = $uri;
346}
347location /RequestDenied {
348         return 412;
349}
350--- more_headers
351Content-Type: application/json
352--- request eval
353use URI::Escape;
354"POST /test_uri
355{
356  \"oh\" : [\"there\", \"is\", \"no\", \"way\"],
357  \"this\" : { \"will\" : [\"work\", \"does\"],
358  \"it\" : \"??\" },
359  \"tr<igger\" : {\"test_1234\" : [\"foobar\", \"will\", \"trigger\", \"it\"]},
360  \"foo\" : \"baar\"
361}
362"
363--- error_code: 200
364=== json wl 1.1 : match (empty variable name)
365--- user_files
366>>> test_uri
367eh yo
368--- main_config
369load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
370--- http_config
371include /tmp/naxsi_ut/naxsi_core.rules;
372--- config
373location / {
374         SecRulesEnabled;
375         DeniedUrl "/RequestDenied";
376         CheckRule "$SQL >= 8" BLOCK;
377         CheckRule "$RFI >= 8" BLOCK;
378         CheckRule "$TRAVERSAL >= 4" BLOCK;
379         CheckRule "$XSS >= 8" BLOCK;
380         root $TEST_NGINX_SERVROOT/html/;
381         index index.html index.htm;
382	 error_page 405 = $uri;
383}
384location /RequestDenied {
385         return 412;
386}
387--- more_headers
388Content-Type: application/json
389--- request eval
390use URI::Escape;
391"POST /test_uri
392{
393  \"\" : [\"there\", \"is\", \"no\", \"way\"]
394}
395"
396--- error_code: 200
=== json wl 1.2 : match (no variable name)
398--- user_files
399>>> test_uri
400eh yo
401--- main_config
402load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
403--- http_config
404include /tmp/naxsi_ut/naxsi_core.rules;
405--- config
406location / {
407         SecRulesEnabled;
408         DeniedUrl "/RequestDenied";
409         CheckRule "$SQL >= 8" BLOCK;
410         CheckRule "$RFI >= 8" BLOCK;
411         CheckRule "$TRAVERSAL >= 4" BLOCK;
412         CheckRule "$XSS >= 8" BLOCK;
413         root $TEST_NGINX_SERVROOT/html/;
414         index index.html index.htm;
415	 error_page 405 = $uri;
416}
417location /RequestDenied {
418         return 412;
419}
420--- more_headers
421Content-Type: application/json
422--- request eval
423use URI::Escape;
424"POST /test_uri
425{
426  [\"there\", \"is\", \"no\", \"way\"]
427}
428"
429--- error_code: 200
430=== json wl 2.0 : malformed json (missing opening {)
431--- main_config
432load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
433--- http_config
434include /tmp/naxsi_ut/naxsi_core.rules;
435MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
436--- config
437location / {
438         SecRulesEnabled;
439         DeniedUrl "/RequestDenied";
440         CheckRule "$SQL >= 8" BLOCK;
441         CheckRule "$RFI >= 8" BLOCK;
442         CheckRule "$TRAVERSAL >= 4" BLOCK;
443         CheckRule "$XSS >= 8" BLOCK;
444         root $TEST_NGINX_SERVROOT/html/;
445         index index.html index.htm;
446	 error_page 405 = $uri;
447}
448location /RequestDenied {
449         return 412;
450}
451--- more_headers
452Content-Type: application/json
453--- request eval
454use URI::Escape;
455"POST /
456
457 \"lol\" : \"bar\"
458}
459"
460--- error_code: 412
461=== json wl 2.1 : Numeric content json
462--- main_config
463load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
464--- http_config
465include /tmp/naxsi_ut/naxsi_core.rules;
466MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
467--- config
468location / {
469         SecRulesEnabled;
470         DeniedUrl "/RequestDenied";
471         CheckRule "$SQL >= 8" BLOCK;
472         CheckRule "$RFI >= 8" BLOCK;
473         CheckRule "$TRAVERSAL >= 4" BLOCK;
474         CheckRule "$XSS >= 8" BLOCK;
475         root $TEST_NGINX_SERVROOT/html/;
476         index index.html index.htm;
477	 error_page 405 = $uri;
478}
479location /RequestDenied {
480         return 412;
481}
482--- more_headers
483Content-Type: application/json
484--- request eval
485use URI::Escape;
486"POST /
487{
488 \"lol\" : 372
489}
490"
491--- error_code: 200
492=== json wl 2.2 : true/false content json
493--- main_config
494load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
495--- http_config
496include /tmp/naxsi_ut/naxsi_core.rules;
497MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
498--- config
499location / {
500         SecRulesEnabled;
501         DeniedUrl "/RequestDenied";
502         CheckRule "$SQL >= 8" BLOCK;
503         CheckRule "$RFI >= 8" BLOCK;
504         CheckRule "$TRAVERSAL >= 4" BLOCK;
505         CheckRule "$XSS >= 8" BLOCK;
506         root $TEST_NGINX_SERVROOT/html/;
507         index index.html index.htm;
508	 error_page 405 = $uri;
509}
510location /RequestDenied {
511         return 412;
512}
513--- more_headers
514Content-Type: application/json
515--- request eval
516use URI::Escape;
517"POST /
518{
519 \"lol\" : false,
520 \"serious_stuff\" : true,
521 \"extra_coverage\" : null
522}
523"
524--- error_code: 200
525
=== json wl 2.3 : malformed json (missing closing })
527--- main_config
528load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
529--- http_config
530include /tmp/naxsi_ut/naxsi_core.rules;
531MainRule "str:foobar" "msg:foobar test pattern" "mz:BODY" "s:$SQL:42" id:1999;
532--- config
533location / {
534         SecRulesEnabled;
535         DeniedUrl "/RequestDenied";
536         CheckRule "$SQL >= 8" BLOCK;
537         CheckRule "$RFI >= 8" BLOCK;
538         CheckRule "$TRAVERSAL >= 4" BLOCK;
539         CheckRule "$XSS >= 8" BLOCK;
540         root $TEST_NGINX_SERVROOT/html/;
541         index index.html index.htm;
542	 error_page 405 = $uri;
543}
544location /RequestDenied {
545         return 412;
546}
547--- more_headers
548Content-Type: application/json
549--- request eval
550use URI::Escape;
551"POST /
552{
553 \"lol\" : false,
554 \"serious_stuff\" : true,
555 \"extra_coverage\" : null
556"
557--- error_code: 412
558
559
560