fix: fp with creating/uploading shares and files (#77)

coreruleset · Jun 17, 2024 · 080db7d · 080db7d
1 parent 75dfd32
commit 080db7d
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 15 deletions.
diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
@@ -341,15 +341,18 @@ SecRule REQUEST_FILENAME "@rx /s/[^/]+/authenticate/showShare$" \
 
 # Sharing a file/folder
 # Fix FP when creating a share with a password
-SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]\.php/apps/files_sharing/api/v[0-9]/shares/[0-9]+$" \
+SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]\.php/apps/files_sharing/api/v[0-9]/shares(?:/[0-9]+)?$" \
     "id:9508172,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
+    ctl:ruleRemoveTargetById=930120;ARGS:json.path,\
+    ctl:ruleRemoveTargetById=930120;ARGS:path,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.password,\
-    ver:'nextcloud-rule-exclusions-plugin/1.2.0'"
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
 
 # Syncing files with Nextcloud desktop app
 # Matches:
@@ -421,6 +424,35 @@ SecRule REQUEST_FILENAME "@rx /remote\.php/dav/uploads/[^/]+/[0-9]+/\.file$" \
         "t:none,\
         ctl:ruleRemoveById=920450"
 
+# 200002 will trigger if a request with a content type is sent with an empty request body.
+# This typically happens when creating a file/folder in a public share.
+SecRule REQUEST_FILENAME "@contains /public.php/dav/files/" \
+    "id:9508177,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    chain"
+    SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
+        "t:none,\
+        chain"
+        SecRule REQUEST_BODY_LENGTH "@eq 0" \
+            "t:none,\
+            ctl:ruleRemoveById=200002"
+
+# When uploading files via public shares, the content type header will be set to whatever file type is being uploaded.
+# This rule allows all content types for public shares since it could be anything.
+# Rules 920420, 920480, and 920530 should catch any injection attacks on the content-type header.
+SecRule REQUEST_FILENAME "@contains /public.php/dav/files/" \
+    "id:9508178,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    ctl:ruleRemoveById=920420"
+
 #
 # [ Searchengine ]
 #
@@ -487,18 +519,6 @@ SecRule REQUEST_FILENAME "@streq /" \
     ctl:ruleRemoveTargetById=921110;REQUEST_BODY,\
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PROPFIND'"
 
-# We need to allow DAV methods for sharing files, and removing shares
-# DELETE - when the share is removed
-# PUT - when setting a password / expiration time
-SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
-    "id:9508140,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
-    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
-
 #
 # [ Preview and Thumbnails ]
 #
@@ -2237,7 +2257,7 @@ SecRule REQUEST_FILENAME "@rx /apps/photos/api/v[0-9\.]+/config/croppedLayout$"
 # Fix FP when opening photo
 # Allow the data type 'text/plain'
 # Since the content is actually XML, we switch on the XML parser
-SecRule REQUEST_FILENAME "@contains /public.php/webdav/" \
+SecRule REQUEST_FILENAME "@rx /public\.php/(?:web)?dav/" \
     "id:9508955,\
     phase:1,\
     pass,\

diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml
@@ -0,0 +1,64 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Nextcloud Rule Exclusions Plugin"
+  enabled: true
+  name: 9508172.yaml
+tests:
+  - test_title: 9508172-1
+    desc: Creating a new share for a file/folder
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              content-type: application/json
+            port: 80
+            method: POST
+            uri: /ocs/v2.php/apps/files_sharing/api/v1/shares
+            data: |
+              {"path":"/path/to/tmp/example/","shareType":3,"password":"<script>","attributes":"[]"}
+            version: HTTP/1.1
+          output:
+            no_log_contains: |
+              id "930120" | id "941110"
+  - test_title: 9508172-2
+    desc: Editing an existing share
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              content-type: application/json
+            port: 80
+            method: PUT
+            uri: /ocs/v2.php/apps/files_sharing/api/v1/shares/1
+            data: |
+              {"permissions":"31","attributes":"[]","note":"","expireDate":"2024-06-23 00:00:00","label":"test","password":"<script>","hideDownload":"false"}
+            version: HTTP/1.1
+          output:
+            no_log_contains: |
+              id "911100" | id "930120" | id "941110"
+  - test_title: 9508172-3
+    desc: Deleting an share
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              content-type: application/json
+            port: 80
+            method: DELETE
+            uri: /ocs/v2.php/apps/files_sharing/api/v1/shares/1
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "911100"