Missing isolated tests for Status Page · Issue #3351 · coreruleset/coreruleset · GitHub

Missing isolated tests for Status Page #3351


Closed
dune73 opened this issue Nov 6, 2023 · 2 comments

@dune73
Member
dune73 commented Nov 6, 2023

Definition "Isolated Test": An isolated test is a test that triggers exactly the rule it is meant to test and no additional rule.

For the CRS Status Page (see https://github.com/coreruleset/coreruleset/wiki/DevRetreat21StatusPage) we need isolated tests to determine whether individual tests are active on the target platform (that does not give us the logs). We defined that we want 80% coverage with isolated tests for PL4.

| Result | Count |
|---|---|
| NOK | 38 |
| OK | 112 |
| Total | 150 |

In order to get 80% coverage, we need to have 120 isolated tests for the 150 PL1 rules in CRSv4.

Here is the list of tests, where isolated tests are missing:

| Rule | Test candidate | Remarks / Plan |
|---|---|---|
| 920290 | no positive test | #3370 |
| 920260 | 920260-1: 1 extra alert | ❗ Impossible? Cannot trigger 920260 with a Microsoft Unicode character like `%uFF48` without triggering one of the PL 1 rules that detect encoding abuse (detecting the presence of a `%` and then performing validateUrlEncoding, which will fail on this weird `%u…` encoding). |
| 920310 | 920310-1: 1 extra alert | ❗ Impossible? Cannot trigger this rule, which requires an empty Accept header, without also triggering PL 1 rule 920600, which requires having an Accept header containing a valid charset parameter (which an empty header cannot have). |
| 920311 | 920311-1: 1 extra alert | ❗ Impossible? Cannot trigger this rule, which requires an empty Accept header, without also triggering PL 1 rule 920600, which requires having an Accept header containing a valid charset parameter (which an empty header cannot have). |
| 920360 | 920360-1: 1 extra alert | ❓ Untestable? Optional rule that is off by default: block request if the length of any argument name is too high. Default: unlimited |
| 920370 | 920370-1: 1 extra alert | ❓ Untestable? Optional rule that is off by default: block request if the length of any argument value is too high. Default: unlimited |
| 920380 | 920380-1: 1 extra alert | ❓ Untestable? Optional rule that is off by default: block request if the number of arguments is too high. Default: unlimited |
| 920390 | 920390-1: 1 extra alert | ❓ Untestable? Optional rule that is off by default: block request if the length of any argument value is too high. Default: unlimited |
| 920400 | 920400-1: 1 extra alert | ❓ Untestable? Optional rule that is off by default: block request if the file size of any individual uploaded file is too high. Default: unlimited |
| 920410 | 920410-1: 2 extra alerts | ❓ Untestable? Optional rule that is off by default: block request if the total size of all combined uploaded files is too high. Default: unlimited |
| 921110 | 921110-1: 1 extra alert | ❗ Impossible? Cannot trigger this rule, which requires a match of `\s+http/\d`, without also triggering PL 1 rule 921130, which matches against `\bhttp/\d`. |
| 921160 | 921160-6: 1 extra alert | #3366 |
| 921421 | 921421-1: 1 extra alert | |
| 922120 | 922120-1: 1 extra alert | |
| 930100 | 930100-1: 1 extra alert | ✅ prio 1 - #3352 |
| 932175 | 932175-1: 1 extra alert | ✅ prio 1 - #3356 |
| 934150 | 934150-1: 1 extra alert | ✅ prio 1 - #3357 |
| 934170 | 934170-1: 3 extra alerts | ✅ prio 1 - #3358 |
| 941100 | 941100-6: 3 extra alerts | ✅ prio 3 - #3362 |
| 941110 | 941110-4: 1 extra alert | prio 3. ❗ Minimal string `<script>` triggers 941160 as well. Same target list used in 941110, looks impossible. |
| 941130 | 941130-1: 1 extra alert | ✅ prio 3 - #3365 |
| 941190 | 941190-4: 2 extra alerts | prio 3. ❗ Impossible: minimal string of 941190 `<styletest>@i` will always also match rule 941160 and libinjection rule 941100. |
| 941230 | 941230-1: 2 extra alerts | prio 3. ❗ Impossible: minimal string of 941230 `<embed src=` will always also match rule 941160 and libinjection rule 941100. |
| 941250 | 941250-1: 3 extra alerts | prio 3. ❗ Impossible: minimal string of 941250 `<meta http-equiv=` will always also match rules 921130, 941160 and libinjection rule 941100. |
| 941260 | 941260-1: 3 extra alerts | prio 3. ❗ Impossible: minimal string of 941260 `<meta+charset=` will always also match rules 921130, 941160 and libinjection rule 941100. |
| 941270 | 941270-1: 2 extra alerts | prio 3. ❗ Impossible: first part of 941270 `<link+` will always also match rule 941160 and libinjection rule 941100. |
| 941280 | 941280-1: 2 extra alerts | prio 3. ❗ Impossible: first part of 941280 `<base+` will always also match rule 941160 and libinjection rule 941100. |
| 941290 | 941290-1: 2 extra alerts | prio 3. ❗ Impossible: minimal string of 941290 `<applet/` will always also match rule 941160 and libinjection rule 941100. |
| 941300 | 941300-1: 2 extra alerts | prio 3. ❗ Impossible: first part of 941300 `<OBJECT/` will always also match rule 941160 and libinjection rule 941100. |
| 942500 | 942500-1: 1 extra alert | prio 2. ❗ Impossible to trigger without also triggering 942100 PL1 (libinjection). |
| 942560 | 942560-1: 2 extra alerts | ✅ prio 2 - #3361 |
| 944100 | 944100-1: 2 extra alerts | prio 2. ❗ Impossible: the minimal string URI `/?arg=java.lang.Runtime` will always also match rules 944110 and 944130. |

The 92xxxx test groups are probably impossible to do. So we concentrate on 93xxxx and 94xxxx. 93xxxx is priority, because there are only 4 missing and if we cover those, the entire group is covered. Afterwards 942xxx, then 944xxx and then 941xxx.

The list was created with the help of baseline-test.sh from https://github.com/coreruleset/status-page/. Here is the full report:
test-coverage.txt
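As an added illustration of the "isolated test" definition used in this issue (this is example code, not part of the CRS project or of baseline-test.sh), the following Python applies that definition to ModSecurity-style log excerpts. The log lines in `SAMPLE_LOGS` are constructed for illustration and mirror the cases in the table above; the choice to ignore the 949xxx/980xxx anomaly-scoring and reporting rules when counting "extra alerts" is an assumption, as is the 80% goal computation against the 150 PL1 rules mentioned in the issue.

```python
import math
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample input: for each CRS test name, the ModSecurity error-log
# lines observed when the test request is replayed. These lines are made up for
# illustration and are not real CRS or baseline-test.sh output.
SAMPLE_LOGS: Dict[str, List[str]] = {
    "930100-1": [
        'ModSecurity: Warning. Matched "Operator Rx ..." [id "930100"] [msg "Path Traversal Attack (/../) or (/.../)"]',
    ],
    "941110-4": [
        'ModSecurity: Warning. Matched "Operator Rx ..." [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"]',
        'ModSecurity: Warning. Matched "Operator Rx ..." [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"]',
        'ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"]',
        'ModSecurity: Warning. [id "980170"] [msg "Anomaly Scores: (Inbound Scores: blocking=10, detection=10)"]',
    ],
    "944100-1": [
        'ModSecurity: Warning. [id "944100"] [msg "Remote Command Execution: Suspicious Java class detected"]',
        'ModSecurity: Warning. [id "944110"] [msg "Remote Command Execution: Java process spawn"]',
        'ModSecurity: Warning. [id "944130"] [msg "Suspicious Java class detected"]',
    ],
    "920290-1": [],  # the request produced no alert at all: no positive test
}

# ModSecurity writes the matched rule id as [id "NNNNNN"] in each alert line.
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

# Assumption: the anomaly-scoring (949xxx) and reporting (980xxx) rules fire as a
# consequence of any detection rule matching, so they are not "extra alerts".
NON_DETECTION_PREFIXES = ("949", "980")


def rule_ids(log_lines: Iterable[str]) -> Set[str]:
    """Return the set of rule ids that raised an alert in the given log lines."""
    ids: Set[str] = set()
    for line in log_lines:
        ids.update(RULE_ID_RE.findall(line))
    return ids


def target_rule(test_name: str) -> str:
    """CRS test names are '<rule id>-<n>', so the rule under test is the prefix."""
    return test_name.split("-", 1)[0]


def classify(test_name: str, log_lines: Iterable[str]) -> Tuple[str, List[str]]:
    """Apply the 'isolated test' definition to one test.

    Returns ("ok", []) when exactly the target rule fired, ("nok", extras) when
    other detection rules fired too, and ("no_alert", fired) when the target
    rule did not fire at all (the test is not a positive test for that rule).
    """
    target = target_rule(test_name)
    fired = {r for r in rule_ids(log_lines) if not r.startswith(NON_DETECTION_PREFIXES)}
    if target not in fired:
        return "no_alert", sorted(fired)
    extras = sorted(fired - {target})
    return ("ok" if not extras else "nok"), extras


def coverage(ok: int, total_rules: int, goal: float = 0.8) -> Dict[str, float]:
    """Compare the number of isolated tests against the coverage goal."""
    needed = math.ceil(goal * total_rules)
    return {
        "ok": ok,
        "total": total_rules,
        "percent": round(100.0 * ok / total_rules, 1),
        "needed": needed,
        "missing": max(0, needed - ok),
    }


if __name__ == "__main__":
    results = {name: classify(name, lines) for name, lines in SAMPLE_LOGS.items()}
    for name, (status, extras) in results.items():
        print(f"{name:<10} {status:<9} {' '.join(extras)}")
    # Figures from the issue: 112 isolated tests out of 150 PL1 rules.
    print(coverage(112, 150))
```

Each test is judged only on the detection rules that fired; a test whose target rule never matched is reported as `no_alert`, which corresponds to the "no positive test" entry in the table. With the issue's figures, `coverage(112, 150)` reports that 120 isolated tests are needed for 80% and 8 are still missing.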

@RedXanadu
Member

Follow up on missing tests that were previously deemed "untestable":

  • 920610 NOK (no suitable log_contains test) ❗ Impossible? Cannot trigger this rule which is looking for a raw, unencoded fragment "#" in the request URI: this will always cause Apache to return a '400 Bad Request'.

@dune73
Member Author
dune73 commented Dec 12, 2023

I think we're good. Closing this.

@dune73 dune73 closed this as completed Dec 12, 2023