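use strict;
use warnings;
use lib 'lib';
use Test::Nginx::Socket;

# Each block in the __DATA__ section below is executed repeat_each() times,
# and every execution counts as one test toward the plan.
plan tests => repeat_each(2) * blocks();

# The blocks supply their own `location /`, so the harness must not inject
# its default root location; long-string diffs are suppressed on mismatch.
no_root_location();
no_long_string();

# Exported into the environment so the `root $TEST_NGINX_SERVROOT/html/`
# directives in the blocks resolve to this run's server root.
$ENV{TEST_NGINX_SERVROOT} = server_root();

run_tests();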
9__DATA__
10=== ID TEST 1.0: Drop rule without learning
11--- main_config
12load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
13--- http_config
14include /tmp/naxsi_ut/naxsi_core.rules;
15MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
16--- config
17location / {
18         SecRulesEnabled;
19         DeniedUrl "/RequestDenied";
20         CheckRule "$SQL >= 8" BLOCK;
21         CheckRule "$RFI >= 8" BLOCK;
22         CheckRule "$TRAVERSAL >= 4" BLOCK;
23         CheckRule "$XSS >= 8" BLOCK;
24         root $TEST_NGINX_SERVROOT/html/;
25         index index.html index.htm;
26}
27location /RequestDenied {
28         return 412;
29}
30--- request
31GET /?bla=1999
32--- error_code: 412
33
34=== ID TEST 1.1: whitelisted drop rule without learning
35--- main_config
36load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
37--- http_config
38include /tmp/naxsi_ut/naxsi_core.rules;
39MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
40--- config
41location / {
42         SecRulesEnabled;
43         DeniedUrl "/RequestDenied";
44         CheckRule "$SQL >= 8" BLOCK;
45         CheckRule "$RFI >= 8" BLOCK;
46         CheckRule "$TRAVERSAL >= 4" BLOCK;
47         CheckRule "$XSS >= 8" BLOCK;
48         root $TEST_NGINX_SERVROOT/html/;
49	 BasicRule wl:1999 "mz:ARGS";
50         index index.html index.htm;
51}
52location /RequestDenied {
53         return 412;
54}
55--- request
56GET /?bla=1999
57--- error_code: 200
58
=== ID TEST 1.2: mismatched whitelist for drop rule without learning
60--- main_config
61load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
62--- http_config
63include /tmp/naxsi_ut/naxsi_core.rules;
64MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
65--- config
66location / {
67         SecRulesEnabled;
68         DeniedUrl "/RequestDenied";
69         CheckRule "$SQL >= 8" BLOCK;
70         CheckRule "$RFI >= 8" BLOCK;
71         CheckRule "$TRAVERSAL >= 4" BLOCK;
72         CheckRule "$XSS >= 8" BLOCK;
73         root $TEST_NGINX_SERVROOT/html/;
74	 BasicRule wl:1999 "mz:URL";
75         index index.html index.htm;
76}
77location /RequestDenied {
78         return 412;
79}
80--- request
81GET /?bla=1999
82--- error_code: 412
83
84=== ID TEST 1.3: drop rule with learning
85--- main_config
86load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
87--- http_config
88include /tmp/naxsi_ut/naxsi_core.rules;
89MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
90--- config
91location / {
92         SecRulesEnabled;
93	 LearningMode;
94         DeniedUrl "/RequestDenied";
95         CheckRule "$SQL >= 8" BLOCK;
96         CheckRule "$RFI >= 8" BLOCK;
97         CheckRule "$TRAVERSAL >= 4" BLOCK;
98         CheckRule "$XSS >= 8" BLOCK;
99         root $TEST_NGINX_SERVROOT/html/;
100         index index.html index.htm;
101}
102location /RequestDenied {
103         return 412;
104}
105--- request
106GET /?bla=1999
107--- error_code: 412
108
109
110
111=== ID TEST 1.4: drop rule with learning + correct whitelist
112--- main_config
113load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
114--- http_config
115include /tmp/naxsi_ut/naxsi_core.rules;
116MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
117--- config
118location / {
119         SecRulesEnabled;
120	 LearningMode;
121         DeniedUrl "/RequestDenied";
122         CheckRule "$SQL >= 8" BLOCK;
123         CheckRule "$RFI >= 8" BLOCK;
124         CheckRule "$TRAVERSAL >= 4" BLOCK;
125         CheckRule "$XSS >= 8" BLOCK;
126	 BasicRule wl:1999 "mz:$ARGS_VAR:bla";
127         root $TEST_NGINX_SERVROOT/html/;
128         index index.html index.htm;
129}
130location /RequestDenied {
131         return 412;
132}
133--- request
134GET /?bla=1999
135--- error_code: 200
136
137
138=== ID TEST 1.5: drop rule with learning + incorrect whitelist
139--- main_config
140load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
141--- http_config
142include /tmp/naxsi_ut/naxsi_core.rules;
143MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
144--- config
145location / {
146         SecRulesEnabled;
147	 LearningMode;
148         DeniedUrl "/RequestDenied";
149         CheckRule "$SQL >= 8" BLOCK;
150         CheckRule "$RFI >= 8" BLOCK;
151         CheckRule "$TRAVERSAL >= 4" BLOCK;
152         CheckRule "$XSS >= 8" BLOCK;
153	 BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/x";
154         root $TEST_NGINX_SERVROOT/html/;
155         index index.html index.htm;
156}
157location /RequestDenied {
158         return 412;
159}
160--- request
161GET /?bla=1999
162--- error_code: 412
163
164
165
166=== ID TEST 2.0: drop checkrule
167--- main_config
168load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
169--- http_config
170include /tmp/naxsi_ut/naxsi_core.rules;
171MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
172--- config
173location / {
174         SecRulesEnabled;
175	 LearningMode;
176         DeniedUrl "/RequestDenied";
177         CheckRule "$FOO >= 8" DROP;
178         root $TEST_NGINX_SERVROOT/html/;
179         index index.html index.htm;
180}
181location /RequestDenied {
182         return 412;
183}
184--- request
185GET /?bla=1999
186--- error_code: 412
187
188=== ID TEST 2.1: drop checkrule, with whitelisted rule
189--- main_config
190load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
191--- http_config
192include /tmp/naxsi_ut/naxsi_core.rules;
193MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
194--- config
195location / {
196         SecRulesEnabled;
197	 LearningMode;
198         DeniedUrl "/RequestDenied";
199         CheckRule "$FOO >= 8" DROP;
200	 BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla$";
201         root $TEST_NGINX_SERVROOT/html/;
202         index index.html index.htm;
203}
204location /RequestDenied {
205         return 412;
206}
207--- request
208GET /?bla=1999
209--- error_code: 200
210=== ID TEST 2.2: drop checkrule, with failed whitelisted rule
211--- main_config
212load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
213--- http_config
214include /tmp/naxsi_ut/naxsi_core.rules;
215MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
216--- config
217location / {
218         SecRulesEnabled;
219	 LearningMode;
220         DeniedUrl "/RequestDenied";
221         CheckRule "$FOO >= 8" DROP;
222	 BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla1";
223         root $TEST_NGINX_SERVROOT/html/;
224         index index.html index.htm;
225}
226location /RequestDenied {
227         return 412;
228}
229--- request
230GET /?bla=1999
231--- error_code: 412
232
233
234
235=== ID TEST 3.0: <= checkrule (why not dude)
236--- main_config
237load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
238--- http_config
239include /tmp/naxsi_ut/naxsi_core.rules;
240MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
241--- config
242location / {
243         SecRulesEnabled;
244         DeniedUrl "/RequestDenied";
245         CheckRule "$FOO <= 8" BLOCK;
246         root $TEST_NGINX_SERVROOT/html/;
247         index index.html index.htm;
248}
249location /RequestDenied {
250         return 412;
251}
252--- request
253GET /?bla=1999
254--- error_code: 412
=== ID TEST 3.1: <= checkrule with two matching args: still useless, since the score passes through 8 on its way to 16, so the checkrule is applied
256--- main_config
257load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
258--- http_config
259include /tmp/naxsi_ut/naxsi_core.rules;
260MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
261--- config
262location / {
263         SecRulesEnabled;
264         DeniedUrl "/RequestDenied";
265         CheckRule "$FOO <= 8" BLOCK;
266         root $TEST_NGINX_SERVROOT/html/;
267         index index.html index.htm;
268}
269location /RequestDenied {
270         return 412;
271}
272--- request
273GET /?bla=1999&blu=1999
274--- error_code: 412
275=== ID TEST 3.2: < checkrule (why not dude)
276--- main_config
277load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
278--- http_config
279include /tmp/naxsi_ut/naxsi_core.rules;
280MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
281--- config
282location / {
283         SecRulesEnabled;
284         DeniedUrl "/RequestDenied";
285         CheckRule "$FOO < 8" BLOCK;
286         root $TEST_NGINX_SERVROOT/html/;
287         index index.html index.htm;
288}
289location /RequestDenied {
290         return 412;
291}
292--- request
293GET /?bla=1999
294--- error_code: 200
295=== ID TEST 3.3: < checkrule (why not dude)
296--- main_config
297load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
298--- http_config
299include /tmp/naxsi_ut/naxsi_core.rules;
300MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:7" id:1999;
301--- config
302location / {
303         SecRulesEnabled;
304         DeniedUrl "/RequestDenied";
305         CheckRule "$FOO < 8" BLOCK;
306         root $TEST_NGINX_SERVROOT/html/;
307         index index.html index.htm;
308}
309location /RequestDenied {
310         return 412;
311}
312--- request
313GET /?bla=1999
314--- error_code: 412
315=== ID TEST 3.4: > checkrule (why not dude)
316--- main_config
317load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
318--- http_config
319include /tmp/naxsi_ut/naxsi_core.rules;
320MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
321--- config
322location / {
323         SecRulesEnabled;
324         DeniedUrl "/RequestDenied";
325         CheckRule "$FOO > 8" BLOCK;
326         root $TEST_NGINX_SERVROOT/html/;
327         index index.html index.htm;
328}
329location /RequestDenied {
330         return 412;
331}
332--- request
333GET /?bla=1999
334--- error_code: 200
335
336=== ID TEST 3.5: > checkrule (why not dude)
337--- main_config
338load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
339--- http_config
340include /tmp/naxsi_ut/naxsi_core.rules;
341MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:9" id:1999;
342--- config
343location / {
344         SecRulesEnabled;
345         DeniedUrl "/RequestDenied";
346         CheckRule "$FOO > 8" BLOCK;
347         root $TEST_NGINX_SERVROOT/html/;
348         index index.html index.htm;
349}
350location /RequestDenied {
351         return 412;
352}
353--- request
354GET /?bla=1999
355--- error_code: 412
356
357
=== ID TEST 4.0: super long exception (triggered a 400 Bad Request on old versions)
359--- main_config
360load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
361--- http_config
362include /tmp/naxsi_ut/naxsi_core.rules;
363--- config
364location / {
365         SecRulesEnabled;
366	 LearningMode;
367         DeniedUrl "/RequestDenied";
368         CheckRule "$FOO > 8" BLOCK;
369         root $TEST_NGINX_SERVROOT/html/;
370         index index.html index.htm;
371	 error_page 405 = $uri;
372}
373location /RequestDenied {
374         return 412;
375}
376--- request eval
377use URI::Escape;
378"POST /
379a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2=<>(){}[]'--;=a&a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1=<>(){}[]'--;=a&a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3=<>(){}[]'--;=a&a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4=<>(){}[]'&a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5=<>(){}[]'"
380--- error_code: 200
381
382