fix: text editor in public share and token related FPs (#59)

plugins/nextcloud-rule-exclusions-before.conf

@@ -244,7 +244,7 @@ SecRule REQUEST_METHOD "@streq REPORT" \
 
 # FP when NextCloud default app "Text" detects text files in file manager.
 # PUT - When the "Text" app tries to create a session in file manager.
-SecRule REQUEST_FILENAME "@endsWith /apps/text/session/create" \
+SecRule REQUEST_FILENAME "@rx /apps/text/(?:public/)?session/create$" \
     "id:9508122,\
     phase:1,\
     pass,\
@@ -277,16 +277,16 @@ SecRule REQUEST_FILENAME "@endsWith /apps/recommendations/settings/enabled" \
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
 
 # Text app autosave sync feature doesn't work
-# ARGS:json.documentState FP was introduced in Nextcloud 26, it's triggered when selecting different note entries.
 SecRule REQUEST_URI "@rx /apps/text/(?:public/)?session/sync$" \
     "id:9508126,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
     ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
+    ctl:ruleRemoveTargetById=920273;REQUEST_BODY,\
     ctl:ruleRemoveTargetById=921110;REQUEST_BODY,\
-    ctl:ruleRemoveTargetById=941100;ARGS:json.documentState,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.autosaveContent,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:autosaveContent"
 
@@ -537,6 +537,90 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
     ctl:ruleRemoveTargetById=932150;ARGS:filename,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents"
 
+# Keeping track of client session within a text editor
+# Matches:
+# /apps/text/session/sync
+# /apps/text/session/close
+# /apps/text/session/push
+# /apps/text/public/session/sync
+# /apps/text/public/session/close
+# /apps/text/public/session/push
+# /apps/text/attachments
+SecRule REQUEST_FILENAME "@rx /apps/text/(?:public/)?(?:session/(?:sync|close|push)|attachments)$" \
+    "id:9508311,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:json.sessionToken "@rx ^(?i)[a-z0-9+/]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=920273;ARGS:json.sessionToken,\
+        ctl:ruleRemoveTargetById=932236;ARGS:json.sessionToken,\
+        ctl:ruleRemoveTargetById=942432;ARGS:json.sessionToken,\
+        ctl:ruleRemoveTargetById=942450;ARGS:json.sessionToken"
+
+# Syncing client side document state
+SecRule REQUEST_FILENAME "@rx /apps/text/(?:public/)?session/(?:sync|close|push)$" \
+    "id:9508312,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=932236;ARGS:json.documentState,\
+    ctl:ruleRemoveTargetById=941100;ARGS:json.documentState,\
+    ctl:ruleRemoveTargetById=942210;ARGS:json.documentState,\
+    ctl:ruleRemoveTargetById=942432;ARGS:json.documentState,\
+    ctl:ruleRemoveTargetById=942450;ARGS:json.documentState"
+
+# Guest Token
+# This value is null for non public shares, so only remove the target for public ones
+SecRule REQUEST_FILENAME "@rx /apps/text/public/session(?:sync|close|push)$" \
+    "id:9508313,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:token "@rx ^(?i)[a-z0-9]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=932236;ARGS:json.token,\
+        ctl:ruleRemoveTargetById=942450;ARGS:json.token"
+
+# Sending awareness messages
+# This is used for document collaboration
+SecRule REQUEST_FILENAME "@rx /apps/text/(?:public/)?session/push$" \
+    "id:9508314,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:awareness "@rx ^(?i)[a-z0-9=+/]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=920273;ARGS:json.awareness,\
+        ctl:ruleRemoveTargetById=932236;ARGS:json.awareness,\
+        ctl:ruleRemoveTargetById=942432;ARGS:json.awareness,\
+        ctl:ruleRemoveTargetById=942450;ARGS:json.awareness"
+
+# Checking for attachemnts on public shares
+SecRule REQUEST_FILENAME "@endsWith /apps/text/attachments" \
+    "id:9508315,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule ARGS:json.shareToken "@rx ^(?i)[a-z0-9]+$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=932236;ARGS:json.shareToken,\
+        ctl:ruleRemoveTargetById=942450;ARGS:json.shareToken"
+
 #
 # [ Address Book ]
 #

tests/regression/nextcloud-rule-exclusions-plugin/9508122.yaml

@@ -0,0 +1,35 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Text Editor: Opening a file"
+  enabled: true
+  name: 9508122.yaml
+tests:
+  - test_title: 9508122-1
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/text/session/create
+          output:
+            no_log_contains: id "911100"
+  - test_title: 9508122-2
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: PUT
+            uri: /apps/text/public/session/create
+          output:
+            no_log_contains: id "911100"

tests/regression/nextcloud-rule-exclusions-plugin/9508311.yaml

@@ -0,0 +1,231 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Text Editor: Keeping track of client session within a text editor"
+  enabled: true
+  name: 9508311.yaml
+tests:
+  - test_title: 9508311-1
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/sync
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-2
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/close
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-3
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/push
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-4
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/sync
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-5
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/close
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-6
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/push
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-7
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/attachments
+            data: "json.sessionToken=lsh8u9sd+dfsdaf/89"
+          output:
+            no_log_contains: |
+              id "920273"|id "932236"|id "942432"
+  - test_title: 9508311-8
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/sync
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-9
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/close
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-10
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/session/push
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-11
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/sync
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-12
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/close
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-13
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/public/session/push
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"
+  - test_title: 9508311-14
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            port: 80
+            method: POST
+            uri: /apps/text/attachments
+            data: "json.sessionToken=0x0800b7098sdbf+sdfJB76/nsidf878B"
+          output:
+            no_log_contains: |
+              id "920273"|id "942432"|id "942450"