From e0038f82e57e9ab7f379c2710e512e39ae03495f Mon Sep 17 00:00:00 2001
From: Max Leske <250711+theseion@users.noreply.github.com>
Date: Tue, 24 Dec 2024 09:28:57 +0100
Subject: [PATCH] chore: add simple test facility for rule configuration

---
 .github/workflows/configure-rules-for-test.sh | 16 ++++++
 .github/workflows/verifyimage.yml | 1 +
 src/opt/modsecurity/configure-rules.conf | 49 ++++++++++---------
 3 files changed, 42 insertions(+), 24 deletions(-)
 create mode 100755 .github/workflows/configure-rules-for-test.sh

diff --git a/.github/workflows/configure-rules-for-test.sh b/.github/workflows/configure-rules-for-test.sh
new file mode 100755
index 0000000..a580608
--- /dev/null
+++ b/.github/workflows/configure-rules-for-test.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# This script must be sourced in order for the variables
+# to be exported in the calling environemnt.
+
+# The purpose of this script is to test that `configure-rules.sh` will run
+# successfully for all variables that we configure.
+
+set -e
+
+while read -r line; do
+ var_name="$(cut -d'|' -f2 <<< "${line}")"
+ test_value="$(cut -d'|' -f5 <<< "${line}")"
+ echo "Setting ${var_name}=${test_value}"
+ eval "export ${var_name}=${test_value}"
+done < "${1}"
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
index e0ffa8e..daba38a 100644
--- a/.github/workflows/verifyimage.yml
+++ b/.github/workflows/verifyimage.yml
@@ -62,6 +62,7 @@ jobs:
 - name: Run ${{ matrix.target }}
 run: |
+ . .github/workflows/configure-rules-for-test.sh src/opt/configure-rules.conf
 echo "Starting container ${{ matrix.target }}"
 docker run --pull "never" -d --name ${{ matrix.target }}-test "${REPO}:${{ matrix.target }}"
 sleep 30
diff --git a/src/opt/modsecurity/configure-rules.conf b/src/opt/modsecurity/configure-rules.conf
index 82ed65b..103f59a 100644
--- a/src/opt/modsecurity/configure-rules.conf
+++ b/src/opt/modsecurity/configure-rules.conf
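Review bot: The `eval "export ${var_name}=${test_value}"` line in the new script both word-splits the value and runs whatever the conf row contains as shell code: the `GET OPTIONS` test value from this same patch becomes `export ALLOWED_METHODS=GET OPTIONS`, which exports `ALLOWED_METHODS=GET` and a stray `OPTIONS`, so the multi-word case the conf was meant to exercise is never actually set. Comment and blank lines are not skipped either, although the conf header says `#` lines are ignored, so the `# Format:` header row reaches the `export` with an empty or placeholder variable name. `eval` is not needed to export a dynamically named variable; `export "${var_name}=${test_value}"` does it without re-parsing, and a whitelist on the name keeps a malformed row from turning into arbitrary shell. Note also that `set -e` in a sourced file changes the caller's options and an `exit` would end the calling step, so failures are reported with `return`.
```shell
while IFS= read -r line; do
  # The conf header says '#' lines are comments; blank lines carry no row either
  [[ -z "${line}" || "${line}" == \#* ]] && continue
  IFS='|' read -r _ var_name _ _ test_value <<< "${line}"
  # Only a plain identifier may be exported; anything else is a malformed row, not code to run
  [[ "${var_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || { echo "Bad variable name in row: ${line}" >&2; return 1; }
  echo "Setting ${var_name}=${test_value}"
  export "${var_name}=${test_value}"
done < "${1}"
```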
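Review bot: The added `. .github/workflows/configure-rules-for-test.sh src/opt/configure-rules.conf` line sources a conf path that does not match the file this same patch edits, `src/opt/modsecurity/configure-rules.conf`; unless a second copy exists at the shorter path, the `done < "${1}"` redirection in the script fails on a missing file and the step aborts before the container starts. The line should read `. .github/workflows/configure-rules-for-test.sh src/opt/modsecurity/configure-rules.conf`. Separately, exporting the variables into the step shell only helps if they are forwarded into the container, and the `docker run` on the next line passes no `-e`/`--env-file`, so as far as this hunk shows the container's `configure-rules.sh` never sees the test values — confirm against the rest of the step, which continues outside the hunk.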
@@ -1,28 +1,29 @@
-# Format: |||
+# Format: ||||
 # The octothorpe (#) designates a comment, comments are ignored
+# See `.github/workflows/configure-rules-for-test.sh` for how the test value is used.
 # Superceded by BLOCKING_PARANOIA
-true|PARANOIA|900000|blocking_paranoia_level
-true|PARANOIA|900001|detection_paranoia_level
-false|BLOCKING_PARANOIA|900000|blocking_paranoia_level
+true|PARANOIA|900000|blocking_paranoia_level|4
+true|PARANOIA|900001|detection_paranoia_level|4
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level|4
 # Superceded by DETECTION_PARANOIA
-true|EXECUTING_PARANOIA|900001|executing_paranoia_level
-false|DETECTION_PARANOIA|900001|detection_paranoia_level
-false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded
-false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold
-false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold
-false|ALLOWED_METHODS|900200|allowed_methods
-false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type
-false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset
-false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions
-false|RESTRICTED_EXTENSIONS|900240|restricted_extensions
-false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic
-false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended
-false|MAX_NUM_ARGS|900300|max_num_args
-false|ARG_NAME_LENGTH|900310|arg_name_length
-false|ARG_LENGTH|900230|arg_length
-false|TOTAL_ARG_LENGTH|900330|total_arg_length
-false|MAX_FILE_SIZE|900340|max_file_size
-false|COMBINED_FILE_SIZES|900350|combined_file_sizes
-false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding
-false|REPORTING_LEVEL|900115|reporting_level
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level|4
+false|DETECTION_PARANOIA|900001|detection_paranoia_level|4
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded|0
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold|6
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold|6
+false|ALLOWED_METHODS|900200|allowed_methods|GET OPTIONS
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type|application/json
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset|utf-8
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions|1.1
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions|.exe/
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic|/if/
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended|/x-some-header/
+false|MAX_NUM_ARGS|900300|max_num_args|100
+false|ARG_NAME_LENGTH|900310|arg_name_length|200
+false|ARG_LENGTH|900230|arg_length|300
+false|TOTAL_ARG_LENGTH|900330|total_arg_length|400
+false|MAX_FILE_SIZE|900340|max_file_size|500
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes|600
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding|0
+false|REPORTING_LEVEL|900115|reporting_level|5
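Review bot: The rewritten `ARG_LENGTH` row keeps rule id `900230`, which this same file assigns to `ALLOWED_HTTP_VERSIONS` two rows up; given the neighbouring ids `900300`/`900310`/`900330` and the CRS crs-setup numbering, that looks like a pre-existing typo for `900320`, so the row should probably read `false|ARG_LENGTH|900320|arg_length|300` — worth fixing here because the test facility this commit adds only checks that each variable can be exported, not that the rule id is the right one. Also note that the `GET OPTIONS` test value is the only one containing whitespace; whether it survives intact depends on how the sourcing script quotes the value when exporting it, so it is the row most worth watching when the CI step runs.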