Nextcloud 20 false-positives #1975
Conversation
The official nextcloud docker container doesn't contain index.php in the URI. Adapt patterns to allow those URIs too.
Allow to set a url into the Personal info website field.
|
Wow, that's an impressive contribution. Thank you very much. You are also rewriting several of the existing rule exclusions. Could you explain why you are doing that and is this rewriting of existing rules essential to your PR? |
|
I rewrite those rules, because with the official container, which implements the pretty url configuration, the |
|
Any chance this gets accepted in next release, or is it waiting on a more extensive review process of some kind? |
|
This is very likely accepted into the next release and it is now waiting for a review that was self-assigned to @azurit. Maybe we get an update if we ping him. :) |
|
@azurit: Any news here? We'd like to merge this. So where is your review standing? |
|
Meeting decision April 5th (#2051 (comment)): Keep it assigned to @azurit and @dune73 tries to get in touch with @emphazer. |
|
Status on the PR: We have a hard time with the review as we do not have an active CRS developer running NextCloud / OwnCloud with enough time at hand to this this. |
|
So, with the current ruleset for Nextcloud, it doesn't work, period. |
|
@Magicrafter13 that depends on your setup. There are setups where the CRS works (if you don't use pretty urls) and this MR will mostly just fix this behaviour. It will not affect other platforms than Nextcloud / Owncloud (if the flag isn't set). |
|
@Magicrafter13 : Part of the review is to prove your assumption is correct. Other than that a review also makes sure the whole thing fits into our policy, follows our conventions more or less. I totally see your concerns of course and there is a real need for this to be merged. But I have a gatekeeping role here and there are other PRs (and issues) we are looking at in parallel. So it's unfortunate, our go to reviewer does not have time for it. Now with that being said: Have you tried out the PR @Magicrafter13? Since if it works for you and for @keachi, then I could do a visual review of the rules, provide some feedback if any, @keachi fixes it and we're ready to fly. |
|
Meeting decision May (#2053 (comment)): |
I tried it, and the keachi nextcloud_20 branch doesn't seem to work for me, but perhaps I have another issue contributing? The modsec audit log is rather abstract, but I think this is relevant: If there's anything else I can look into to help, please let me know. There's a lot of moving parts here... Oh yeah, for the record, a lot of Nextcloud does work, but like, my to-do list and calendar for example, those don't load. Also my files and contacts. |
|
I'm just wondering if the regex in rule 9003130 of this pull request isn't a little generic?
This does at least render rule 9003140 obsolete, right?. It also seems for me equivalent to allowing all these HTTP methods right from the beginning and could be implemented by a SecAction as proposed in crs-setup.conf.example action id:900200, which would hit performance less than a rule, right? |
|
There are also several regex in this pull request of the form |
|
I've already submitted fixes for all of the above mentioned except the Webauthn FP which I'm using in my installation but somehow forgot to add. The fixes were already merged. I'm using pretty URLs, which I think is almost every NextCloud installation uses now-a-days. |
|
That's very good news. So if you address Webauthn we can then close this PR? |
|
Yeah, will submit the fix tomorrow. |
|
I just checked and there are several FPs for the Webauthn part and some of them are at PL2. I think I'll have to do some retesting tomorrow before opening a PR. |
|
Actually, the WebAuthn implemented by this PR is based upon an extension which does not ship by default with Nextcloud. The WebAuthn I was talking about is quite different from this one. |
|
@Xhoenix Ok, so, is everything fixed except that 3rd party plugin? Can this be closed? |
|
btw: @Xhoenix which Nextcloud version do you have? I test against NC26.. which is the latest one. |
|
Got a ton of FPs from "Text" application. |
|
@prghix Are you using newest version of Netxcloud plugin? |
|
Yes @azurit, this can be closed. Also, I just looked into the what @prghix is saying and found that there is still a few problems with the Nextcloud Plugin, more specifically the phase values for some rules need to be revised. Also, about the "Text" application @prghix is suggesting, it's about the "autosave" issue I created earlier. Fixing that will make the Nextcloud plugin completely PL 1 ready. |
|
Thanks, closing! |
With Nextcloud 20.0.4 there are multiple false-positives. This PR will fix some of the false-positives.
The following setup is used to reproduce the false-positives:
Fixes:
Nextcloud Apps: