8000 Missing isolated tests for Status Page · Issue #3351 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
B1D8
Missing isolated tests for Status Page #3351
New issue
New issue
Closed
Closed
Missing isolated tests for Status Page#3351
Assignees
RedXanadu
@dune73

Description

@dune73
dune73
opened on Nov 6, 2023

Definition "Isolated Test": An isolated test is a test that triggers exactly the rule it is meant to test and no additional rule.

For the CRS Status Page (see https://github.com/coreruleset/coreruleset/wiki/DevRetreat21StatusPage) we need isolated tests to determine whether individual tests are active on the target platform (that does not give us the logs). We defined that we want 80% coverage with isolated tests for PL4.

OK/NOK Percentage
NOK 38
ok 112
Total 150

In order to get 80% coverage, we need to have 120 isolated tests for the 150 PL1 rules in CRSv4.

Here is the list of tests, where isolated tests are missing:

Rule Test candidate Remarks / Plan
920290 no positive test #3370
920260 920260-1 : 1 extra alert ❗ Impossible? Cannot trigger 920260 with a Microsoft Unicode character like %uFF48 without triggering one of the PL 1 rules that detect encoding abuse (detecting the presence of a % and then performing validateUrlEncoding which will fail on this weird %u… encoding.)
920310 920310-1 : 1 extra alert ❗ Impossible? Cannot trigger this rule, which requires an empty Accept header, without also triggering PL 1 rule 920600, which requires having an Accept header containing a valid charset parameter (which an empty header cannot have).
920311 920311-1 : 1 extra alert ❗ Impossible? Cannot trigger this rule, which requires an empty Accept header, without also triggering PL 1 rule 920600, which requires having an Accept header containing a valid charset parameter (which an empty header cannot have).
920360 920360-1 : 1 extra alert ❓ Untestable? Optional rule that is off by default: Block request if the length of any argument name is too high. Default: unlimited
920370 920370-1 : 1 extra alert ❓ Untestable? Optional rule that is off by default: Block request if the length of any argument value is too high. Default: unlimited
920380 920380-1 : 1 extra alert ❓ Untestable? Optional rule that is off by default: Block request if number of arguments is too high. Default: unlimited
920390 920390-1 : 1 extra alert ❓ Untestable? Optional rule that is off by default: Block request if the length of any argument value is too high. Default: unlimited
920400 920400-1 : 1 extra alert ❓ Untestable? Optional rule that is off by default: Block request if the file size of any individual uploaded file is too high. Default: unlimited
920410 920410-1 : 2 extra alert ❓ Untestable? Optional rule that is off by default: Block request if the total size of all combined uploaded files is too high. Default: unlimited
921110 921110-1 : 1 extra alert ❗ Impossible? Cannot trigger this rule, which requires a match of \s+http/\d, without also triggering PL 1 rule 921130 which matches against \bhttp/\d.
921160 921160-6 : 1 extra alert #3366
921421 921421-1 : 1 extra alert
922120 922120-1 : 1 extra alert
930100 930100-1 : 1 extra alert ✅ prio 1 - #3352
932175 932175-1 : 1 extra alert ✅ prio 1 - #3356
934150 934150-1 : 1 extra alert ✅ prio 1 - #3357
934170 934170-1 : 3 extra alert ✅ prio 1 - #3358
941100 941100-6 : 3 extra alert ✅ prio 3 - #3362
941110 941110-4 : 1 extra alert prio 3
❗ Minimal string <script> triggers 941160 as well. Same target list used in 941110, looks impossible
941130 941130-1 : 1 extra alert ✅ prio 3 - #3365
941190 941190-4 : 2 extra alert prio 3
❗ Impossible: Minimal string of 941190 <styletest>@i will always also match rule 941160 and libinjection rule 941100
941230 941230-1 : 2 extra alert prio 3
❗ Impossible: Minimal string of 941230 <embed src= will always also match rule 941160 and libinjection rule 941100
941250 941250-1 : 3 extra alert prio 3
❗ Impossible: Minimal string of 941250 <meta http-equiv= will always also match rule 921130, 941160 and libinjection rule 941100
941260 941260-1 : 3 extra alert prio 3
❗ Impossible: Minimal string of 941260 <meta+charset= will always also match rule 921130, 941160 and libinjection rule 941100
941270 941270-1 : 2 extra alert prio 3
❗ Impossible: First part of 941270 <link+ will always also match rule 941160 and libinjection rule 941100
941280 941280-1 : 2 extra alert prio 3
❗ Impossible: First part of 941280 <base+ will always also match rule 941160 and libinjection rule 941100
941290 941290-1 : 2 extra alert prio 3
❗ Impossible: Minimal string of 941290 <applet/ will always also match rule 941160 and libinjection rule 941100
941300 941300-1 : 2 extra alert prio 3
❗ Impossible: First part of 941300 <OBJECT/ will always also match rule 941160 and libinjection rule 941100
942500 942500-1 : 1 extra alert prio 2
❗ Impossible to trigger without also triggering 942100 PL1 (libinjection)
942560 942560-1 : 2 extra alert ✅ prio 2 - #3361
944100 944100-1 : 2 extra alert prio 2
❗ Impossible: The minimal string uri: "/?arg=java.lang.Runtime" will always also match rule 944110 and 944130

The 92xxxx test groups are probably impossible to do. So we concentrate on 93xxxx and 94xxxx. 93xxxx is priority, because there are only 4 missing and if we cover those, the entire group is covered. Afterwards 942xxx, then 944xxx and then 941xxx.

The list was created with the help of baseline-test.sh from https://github.com/coreruleset/status-page/. Here is the full report:
test-coverage.txt

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0