chore: add simple test facility for rule configuration

coreruleset · Dec 24, 2024 · 66fe56e · 66fe56e
1 parent 7adda10
commit 66fe56e
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 24 deletions.
diff --git a/.github/workflows/configure-rules-for-test.sh b/.github/workflows/configure-rules-for-test.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# This script must be sourced in order for the variables
+# to be exported in the calling environemnt.
+
+# The purpose of this script is to test that `configure-rules.sh` will run
+# successfully for all variables that we configure.
+
+set -ex
+
+while read -r line; do
+  if [ -z "${line}" ] || echo "${line}" | grep -Eq "^#"; then
+    continue
+  fi
+
+  var_name="$(cut -d'|' -f2 <<< "${line}")"
+  test_value="$(cut -d'|' -f5 <<< "${line}")"
+  echo "Setting ${var_name}=${test_value}"
+  export "${var_name}=${test_value}"
+done < "${1}"
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -62,6 +62,8 @@ jobs:
 
       - name: Run ${{ matrix.target }}
         run: |
+          . .github/workflows/configure-rules-for-test.sh src/opt/modsecurity/configure-rules.conf
+          env
           echo "Starting container ${{ matrix.target }}"
           docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
           sleep 30

diff --git a/src/opt/modsecurity/configure-rules.conf b/src/opt/modsecurity/configure-rules.conf
@@ -1,28 +1,29 @@
-# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>|<test value>
 # The octothorpe (#) designates a comment, comments are ignored
+# See `.github/workflows/configure-rules-for-test.sh` for how the test value is used.
 
 # Superceded by BLOCKING_PARANOIA
-true|PARANOIA|900000|blocking_paranoia_level
-true|PARANOIA|900001|detection_paranoia_level
-false|BLOCKING_PARANOIA|900000|blocking_paranoia_level
+true|PARANOIA|900000|blocking_paranoia_level|4
+true|PARANOIA|900001|detection_paranoia_level|4
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level|4
 # Superceded by DETECTION_PARANOIA
-true|EXECUTING_PARANOIA|900001|executing_paranoia_level
-false|DETECTION_PARANOIA|900001|detection_paranoia_level
-false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded
-false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold
-false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold
-false|ALLOWED_METHODS|900200|allowed_methods
-false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type
-false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset
-false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions
-false|RESTRICTED_EXTENSIONS|900240|restricted_extensions
-false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic
-false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended
-false|MAX_NUM_ARGS|900300|max_num_args
-false|ARG_NAME_LENGTH|900310|arg_name_length
-false|ARG_LENGTH|900230|arg_length
-false|TOTAL_ARG_LENGTH|900330|total_arg_length
-false|MAX_FILE_SIZE|900340|max_file_size
-false|COMBINED_FILE_SIZES|900350|combined_file_sizes
-false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding
-false|REPORTING_LEVEL|900115|reporting_level
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level|4
+false|DETECTION_PARANOIA|900001|detection_paranoia_level|4
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded|0
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold|6
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold|6
+false|ALLOWED_METHODS|900200|allowed_methods|GET OPTIONS
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type|application/json
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset|utf-8
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions|1.1
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions|.exe/
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
+false|MAX_NUM_ARGS|900300|max_num_args|100
+false|ARG_NAME_LENGTH|900310|arg_name_length|200
+false|ARG_LENGTH|900230|arg_length|300
+false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
+false|MAX_FILE_SIZE|900340|max_file_size|500
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding|0
+false|REPORTING_LEVEL|900115|reporting_level|5