Added regression test on FILE_EXT confusion

nbs-system · Nov 17, 2020 · b77c172 · b77c172
1 parent 9b934fc
commit b77c172
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/t/29regression.t b/t/29regression.t
@@ -276,3 +276,63 @@ location /RequestDenied {
 GET /wp-includes/js/plupload/plupload.flash.swf/xxx/?a=bui&FOOBAR
 --- error_code: 404
 
+=== TEST 4 - regression on FILE_EXT being detected in BODY
+--- user_files
+>>> my-account/profile
+eh yo
+--- main_config
+load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
+--- http_config
+include /tmp/naxsi_ut/naxsi_core.rules;
+MainRule negative "rx:^[\.a-z0-9_\- ]+$" "mz:FILE_EXT" "s:$UPLOAD:8" id:1502;
+MainRule "rx:\.ph|\.asp|\.hta|\.htp" "mz:FILE_EXT" "s:$UWA:8" id:123456;
+--- config
+set $naxsi_json_log 1;
+location / {
+   BasicRule wl:1000,1001,1002,1005,1007,1010,1011,1015,1016,1100,1101,1200,1315 "mz:$HEADERS_VAR:cookie";
+   BasicRule wl:1310,1311 "mz:$URL_X:^/my-account/profile|BODY|NAME";
+   BasicRule wl:17,1010,1011,1015,1200 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^sportactivities\[[0-9]\]\.";
+   BasicRule wl:17,1010,1011,1015,1200 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^addresses\[[0-9]\]\.";
+   BasicRule wl:1009,1101 "mz:$URL_X:^/my-account/profile|$BODY_VAR_X:^return";
+
+   SecRulesEnabled;
+   LearningMode;
+   LibInjectionSql;
+   LibInjectionXss;
+
+   DeniedUrl "/RequestDenied";
+   CheckRule "$SQL >= 8" BLOCK;
+   CheckRule "$RFI >= 8" BLOCK;
+   CheckRule "$TRAVERSAL >= 5" BLOCK;
+   CheckRule "$UPLOAD >= 5" BLOCK;
+   CheckRule "$XSS >= 8" BLOCK;
+   CheckRule "$UWA >= 8" DROP;
+   CheckRule "$EVADE >= 8" BLOCK;
+   CheckRule "$LOG >= 1" LOG;
+
+   root $TEST_NGINX_SERVROOT/html/;
+   index index.html index.htm;
+   error_page 405 = $uri;
+}
+location /RequestDenied {
+    return 412;
+}
+--- raw_request eval
+"POST /my-account/profile HTTP/1.1\r
+Host: 127.0.0.1\r
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0\r
+Accept: */*\r
+Accept-Language: en-US,en;q=0.5\r
+Accept-Encoding: gzip, deflate\r
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r
+X-Requested-With: XMLHttpRequest\r
+Content-Length: 2772\r
+Origin: https://127.0.0.1\r
+Connection: close\r
+Referer: http://127.0.0.1/my-account/profile/\r
+Cookie: t2s-p=ca0ac96b-6177-4e4a-f554-3f0a10469d9e; _gcl_au=1.1.1782048568.1605605979; gtm_nbpv=8; gtm_cookieConsent=1; __trossion=1605605980_1800_1__caa5d2de-ec72-4c61-b1c4-96bf4b22f5da%3A1605605980_1605607565_8_; __troRUID=caa5d2de-ec72-4c61-b1c4-96bf4b22f5da; __troSYNC=1; _pin_unauth=dWlkPU1EUTBZVFZqTXpNdE1EQTNOeTAwTURNd0xXSmlORGd0TTJZeU1EWmlaVGsxT1RCag; JSESSIONID=D426452D0BFCCAD4D384E972D7770861.Agassi; miniCartCount=0; _ga=GA1.2.243283519.1605605987; _gid=GA1.2.266115569.1605605987; _fbp=fb.1.1605605989339.1901530086; acceleratorSecureGUID=a21d40c7cdb55b323a686b37facfded200814ecf; customerFavoriteStore=SOME%2B-%2BPREMILHAT%7C%5B%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22lundi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22mardi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22mercredi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22jeudi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%2219%3A00%22%2C%22weekDay%22%3A%22vendredi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2212%3A00%22%2C%22openingTime2%22%3A%2214%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22weekDay%22%3A%22samedi%22%2C%22closed%22%3Afalse%2C%22closingTime1%22%3A%2219%3A00%22%2C%22openingTime1%22%3A%2209%3A30%22%7D%2C%7B%22closingTime2%22%3A%22%22%2C%22weekDay%22%3A%22dimanche%22%2C%22closed%22%3Atrue%2C%22closingTime1%22%3A%22%22%2C%22openingTime2%22%3A%22%22%2C%22openingTime1%22%3A%22%22%7D%5D%7C%2FAllier-03%2FAAAAAA%C3%87ON-Pr%C3%A9milhat-03410%2FSOME-PREMILHAT%2F00574_000%2F; isFidelity=false; CLICKANDCOLLECT-customerInformations=c29vb29vb29vb0BhYWFhYWEuY29t|Test+Test%2CTest|MTExMTExMTExMTExMQ==|; isNewCustomer=true; t2s-rank=rank1; _dc_gtm_UA-52322712-6=1; _uetsid=d060e34028b811eb8d3ef174562c91c3; _uetvid=d060d20028b811eb98dc9b58b7dbeb20\r
+\r
+title=mr&firstName=Test+Test&lastName=Test&phoneNumber=1111111111&phoneCountry.isocode=FR&email=sooooooooo%40aaaaaa.com&addresses%5B0%5D.id=9189547245591&addresses%5B0%5D.defaultAddress=true&addresses%5B0%5D.lastName=Test&addresses%5B0%5D.firstName=Test+Test&addresses%5B0%5D.postalCode=75013&addresses%5B0%5D.town=PARIS&addresses%5B0%5D.line1=6+ALLEE+PARIS+IVRY&addresses%5B0%5D.country.isocode=FR&addresses%5B0%5D.addressPhoneCountry.isocode=FR&addresses%5B0%5D.phone=0755911324&addresses%5B0%5D.billingAddress=true&child-count=0&sportActivities%5B0%5D.name=Course+%C3%A0+pied&sportActivities%5B0%5D.code=4&sportActivities%5B0%5D.id=&sportActivities%5B0%5D.me=&sportActivities%5B0%5D.myChildren=&sportActivities%5B1%5D.name=Cycles+(V%C3%A9lo%2C+VTT%2C+%E2%80%A6)&sportActivities%5B1%5D.code=1&sportActivities%5B1%5D.id=&sportActivities%5B1%5D.me=&sportActivities%5B1%5D.myChildren=&sportActivities%5B2%5D.name=Danse%2C+gymnastique%2C+fitness&sportActivities%5B2%5D.code=3&sportActivities%5B2%5D.id=&sportActivities%5B2%5D.me=&sportActivities%5B2%5D.myChildren=&sportActivities%5B3%5D.name=Musculation&sportActivities%5B3%5D.code=5&sportActivities%5B3%5D.id=&sportActivities%5B3%5D.me=&sportActivities%5B3%5D.myChildren=&sportActivities%5B4%5D.name=Randonn%C3%A9es&sportActivities%5B4%5D.code=10&sportActivities%5B4%5D.id=&sportActivities%5B4%5D.me=&sportActivities%5B4%5D.myChildren=&sportActivities%5B5%5D.name=Roller&sportActivities%5B5%5D.code=2&sportActivities%5B5%5D.id=&sportActivities%5B5%5D.me=&sportActivities%5B5%5D.myChildren=&sportActivities%5B6%5D.name=Ski&sportActivities%5B6%5D.code=14&sportActivities%5B6%5D.id=&sportActivities%5B6%5D.me=&sportActivities%5B6%5D.myChildren=&sportActivities%5B7%5D.name=Sport+d'eau+(Natation%2C+surf%2C+voile%2C+%E2%80%A6)&sportActivities%5B7%5D.code=12&sportActivities%5B7%5D.id=&sportActivities%5B7%5D.me=&sportActivities%5B7%5D.myChildren=&sportActivities%5B8%5D.name=Sports+collectifs+(Foot%2C+rugby%2C+basket%2C+%E2%80%A6)&sportActivities%5B8%5D.code=7&sportActivities%5B8%5D.id=&sportActivities%5B8%5D.me=&sportActivities%5B8%5D.myChildren=&sportActivities%5B9%5D.name=Sports+de+combat+(Judo%2C+karat%C3%A9%2C+aikido%2C+%E2%80%A6)&sportActivities%5B9%5D.code=13&sportActivities%5B9%5D.id=&sportActivities%5B9%5D.me=&sportActivities%5B9%5D.myChildren=&sportActivities%5B10%5D.name=Sports+de+raquette&sportActivities%5B10%5D.code=8&sportActivities%5B10%5D.id=&sportActivities%5B10%5D.me=&sportActivities%5B10%5D.myChildren=&sportActivities%5B11%5D.name=Autres&sportActivities%5B11%5D.code=6&sportActivities%5B11%5D.id=&sportActivities%5B11%5D.me=&sportActivities%5B11%5D.myChildren=&birthdate=12%2F11%2F1999&isWebNewsletterSubscribed=false&isSmsNewsletterSubscribed=false&CSRFToken=e87a083d-9743-4d47-8d60-d25e5f00e15e\r
+"
+--- error_code: 200
+