File: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# These exclusions remedy false positives in a default Drupal install.
# The exclusions are only active if crs_exclusions_drupal=1 is set.
# See rule 900130 in crs-setup.conf.example for instructions.

#
# [ POLICY ]
#
# Drupal is a complex application that is hard to secure with the CRS. This set
# of exclusion rules aims to sanitise the CRS in a way that allows a default
# Drupal setup to be installed and configured without much hassle as far as
# ModSecurity and the CRS are concerned.
#
# The exclusion rules are fairly straightforward in the sense that they
# disable CRS on a set of well-known parameter fields that are often the source
# of false positives / false alarms of the CRS. This includes namely the
# session cookie, the password fields and article/node bodies.
#
# This is based on two assumptions:
# - You have a basic trust in your authenticated users who are allowed to
#   edit nodes.
# - Drupal allows html content in nodes and it protects your users from
#   attacks via these fields.
#
# If you think these assumptions are wrong or if you would prefer a more
# careful/secure approach, you can disable the exclusion rules handling of said
# node body false positives. Do this by placing the following directive in
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
#
# SecRuleRemoveById 9001200-9001299
#
# This will mean the CRS remain intact for the editing of node bodies.
#
# The exclusion rules in this file work without the need to define a Drupal
# installation path prefix. Instead they look at the URI from the end - or
# they use regular expressions when targeting dynamic URLs. None of this is
# totally foolproof. In some cases, an advanced attacker might be able to
# doctor a request in a way that one of these exclusion rules is triggered
# and the request will bypass all further inspection despite not being a
# Drupal request at all. These exclusion rules could thus be leveraged to
# disable the CRS completely. This is why these rules are off by default.
#
# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
# 2. If you choose to run Paranoia Level 3 or 4, you will be facing additional
# false positives which you need to handle yourself.
#
# This set of exclusion rules does not cover any additional Drupal modules
# outside of core.
#
# The exclusion rules are based on Drupal 8.1.10.
#
# And finally: This set of exclusion rules is in an experimental state. If you
# encounter false positives with the basic Drupal functionality and they are
# not covered by this rule file, then please report them. The aim is to be able
# to install and run Drupal core in a seamless manner protected by
# ModSecurity / CRS up to the paranoia level 2.


# Gate for the whole file: when crs_exclusions_drupal is unset (variable
# count "&TX:..." is 0) or explicitly set to 0, jump straight to the
# END-DRUPAL-RULE-EXCLUSIONS marker so none of the exclusions below are
# applied. The two targets check the count and the value in one rule.
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
        "id:9001000,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        skipAfter:END-DRUPAL-RULE-EXCLUSIONS"


# [ Table of Contents ]
#
# 9001100 Session Cookie
# 9001110 Password
# 9001120 Admin Settings (general)
# 9001130 FREE for use
# 9001140 Content and Descriptions
# 9001150 FREE for use
# 9001160 Form Token
# 9001170 Text Formats and Editors
# 9001180 WYSIWYG/CKEditor Assets and Upload
# 9001190 FREE for use
# 9001200 Content and Descriptions
#
# The rule id range from 9001200 to 9001999 is reserved for future
# use (Drupal plugins / modules).


# [ Session Cookie ]
#
# Giving the session cookie a dynamic name is most unfortunate
# from a ModSecurity perspective. The rule language does not allow
# us to disable rules in a granular way for individual cookies with
# dynamic names. So we need to disable the rule causing false positives
# for all cookies and their names.
#
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
#
# Unconditional (SecAction, no URI or host condition): 942450 is removed from
# every cookie name and every cookie value on every request the engine sees,
# not only on requests that are actually destined for Drupal.
SecAction "id:9001100,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
        ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES"


#
# [ Password ]
#
# Disable the CRS completely for all occurrences of passwords.
#
# Installer: every CRS-tagged rule is removed from the two password fields,
# but only for requests whose path ends in /core/install.php.
SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
        "id:9001110,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"

# Login form: all CRS rules removed from ARGS:pass only.
# NOTE(review): this is the only rule in this section that sets t:none; its
# siblings 9001110/9001114/9001116 rely on the default transformations.
SecRule REQUEST_FILENAME "@endsWith /user/login" \
        "id:9001112,\
        phase:2,\
        t:none,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"

# Admin "create user" form: both password fields.
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
        "id:9001114,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"

# User edit form for any numeric user id: current password plus the two new
# password fields. The pattern is anchored only at the end, so any path that
# ends in /user/<digits>/edit qualifies (see the POLICY note at the top).
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
        "id:9001116,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"


#
# [ Admin Settings (general) ]
#
# Disable known false positives for various fields used on admin pages.
#
# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
#                        Disabled completely for admin/config pages
# For the people/accounts page, we disable the CRS completely for a number of
# freeform text fields.
#
# Any path that merely contains /admin/config/ (not only paths starting with
# it): 942430 is removed for the whole request, every argument included.
# Because @contains matches anywhere in the path, this is the broadest
# exclusion in the file; keep it in mind when reading the POLICY section.
SecRule REQUEST_FILENAME "@contains /admin/config/" \
        "id:9001122,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=942430"

# Account settings page: 920271 and 942440 are removed for the whole request
# (942440 is not mentioned in the section header above), and every CRS rule
# is removed from the listed e-mail template body fields.
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
        "id:9001124,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=920271,\
        ctl:ruleRemoveById=942440,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"

# Single configuration import page: 920271 and 942440 removed for the whole
# request (all arguments), not for a single field.
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
        "id:9001126,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=920271,\
        ctl:ruleRemoveById=942440"

# Maintenance page: 942440 removed for the whole request. Rule 9001214
# further below handles the maintenance_mode_message field on the same path.
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
        "id:9001128,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveById=942440"


#
#
# [ Content and Descriptions ]
#
# Disable known false positives for field "ids[]".
#
# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
#
# Contextual links renderer: only 942130 is removed, and only from the
# "ids[]" argument; every other rule still inspects the request.
SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
        "id:9001140,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942130;ARGS:ids[]"


#
# [ Form Token / Build ID ]
#
# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
# Rule Exclusion for form_token:    942450 SQL Hex Encoding
# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
#
# This is applied site-wide.
#
# Unconditional (SecAction): applies to every request the engine handles, not
# only Drupal ones. Scope is narrow, though: two rule ids on two named
# arguments, everything else stays active.
SecAction "id:9001160,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
        ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
        ctl:ruleRemoveTargetById=942450;ARGS:form_build_id"


#
# [ Text Formats and Editors ]
#
# Disable the CRS completely for two fields triggering many, many rules
#
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
#
# Full HTML text format settings: every CRS-tagged rule (not only 942440 as
# the section header suggests) is removed from the two fields. The
# allowed_html field presumably carries the list of permitted HTML tags,
# which is why it trips many signatures -- confirm against the Drupal form.
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
        "id:9001170,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"


#
# [ WYSIWYG/CKEditor Assets and Upload ]
#
# Disable request body access, which is unnecessary for binary uploads
# bigger than an arbitrary limit of 31486341 bytes.
#
# Extensive checks make sure these uploads are really legitimate.
#
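# Asset "add" form (phase 1, i.e. before the request body is read): when
# every link of the chain matches, request body access is switched off for
# this request, so no later rule inspects the body at all.
#
# Chain: POST method, a path ending in /admin/content/assets/add/<letters>,
# and a cookie whose name looks like a Drupal session cookie (SESS<hex> or
# SSESS<hex>) with a value starting with a URL-safe token character. All of
# these values come from the client request; the cookie check only confirms
# the shape of a session cookie, not that the session is valid. Unlike
# 9001182 and 9001184 there is no Content-Length floor here.
#
# The cookie operator is written explicitly as @rx to match 9001182; a bare
# pattern defaults to @rx in ModSecurity, so behaviour is unchanged.
SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001180',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
            chain
            SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                ctl:requestBodyAccess=Off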

# Asset "manage" form (phase 1): request body access is switched off when the
# request is a POST to a path ending in /admin/content/assets/manage/<digits>,
# carries destination=admin/content/assets, declares a Content-Length above
# 31486341 bytes and has a Drupal-shaped session cookie (SESS<hex>/SSESS<hex>
# with a URL-safe value).
#
# Every link tests a client-supplied value (method, path, argument, header,
# cookie). The chain therefore recognises a request that looks like a large
# Drupal asset upload; it does not verify the session or the declared size.
# Once it matches, nothing in the body is inspected by later rules.
SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001182',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
            chain
            SecRule ARGS:destination "@streq admin/content/assets" \
                chain
                SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
                    chain
                    SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                        ctl:requestBodyAccess=Off

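# AJAX file-field upload (phase 1): request body access is switched off for a
# POST to a /file/ajax/field_asset_.../form-... path with a Content-Length
# above 31486341 bytes, a multipart/form-data Content-Type and a
# Drupal-shaped session cookie (SESS<hex>/SSESS<hex>, URL-safe value).
#
# Two fixes relative to the original chain:
# - The cookie link was written as "^@rx [a-zA-Z0-9_-]+". Without a leading
#   "@" the whole string is treated as a regular expression (the default
#   operator), so it required the literal text "@rx " at the start of the
#   cookie value and the chain could never complete. It is now
#   "@rx ^[a-zA-Z0-9_-]+", the same form as in 9001182.
# - The Content-Type link used @streq, but a multipart request carries a
#   boundary parameter ("multipart/form-data; boundary=..."), so an exact
#   comparison never matched either. @beginsWith keeps the media-type check
#   and accepts the parameter.
#
# All links test client-supplied values; the chain recognises a request that
# looks like a large Drupal upload, it does not validate the session.
SecRule REQUEST_METHOD "@streq POST" \
        "id:'9001184',\
        phase:1,\
        t:none,\
        pass,\
        nolog,\
        noauditlog,\
        chain"
        SecRule REQUEST_FILENAME \
            "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
            chain
            SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
                chain
                SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
                    chain
                    SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                        ctl:requestBodyAccess=Off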


#
# [ Content and Descriptions ]
#
# Disable the CRS completely for node bodies and other free text fields.
# Other rules are disabled individually.
#
# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
# Rule Exclusion for ARGS:destination:       932110 RCE: Windows Command Inj.
#
# Rules 9001200-9001216 are the node-body / free-text exclusions that the
# POLICY section at the top says can be switched off as a group with
# "SecRuleRemoveById 9001200-9001299".

# Article creation: every CRS rule removed from the body field; 942410
# removed from the author reference field uid[0][target_id].
SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
        "id:9001200,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"

# Basic page creation: same exclusions as 9001200.
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
        "id:9001202,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"

# Node edit form for any numeric node id (path anchored at the end only).
# Additionally removes 932110 from ARGS:destination, which presumably carries
# a return path on this form -- confirm against the Drupal form.
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
        "id:9001204,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
        ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
        ctl:ruleRemoveTargetById=932110;ARGS:destination"

# Custom block creation: body field only.
SecRule REQUEST_FILENAME "@endsWith /block/add" \
        "id:9001206,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"

# Basic block type settings: description field only.
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
        "id:9001208,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:description"

# Editor XSS-filter callback for the full_html and basic_html formats: all
# CRS rules removed from the "value" argument (presumably the editor content
# being filtered -- confirm).
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(full|basic)_html$" \
        "id:9001210,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:value"

# Personal contact form for any numeric user id: message body only.
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
        "id:9001212,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"

# Maintenance page message field (the request-wide 942440 exclusion for this
# path is rule 9001128).
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
        "id:9001214,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"

# RSS publishing settings: feed description field only.
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
        "id:9001216,\
        phase:2,\
        nolog,\
        pass,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"


# Jump target of rule 9001000: when the Drupal exclusions are not enabled,
# processing resumes here, past every exclusion above.
SecMarker END-DRUPAL-RULE-EXCLUSIONS