From 080db7db9ee1a4ca75cd61c597abb1df6028df30 Mon Sep 17 00:00:00 2001
From: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Date: Mon, 17 Jun 2024 10:58:42 +1000
Subject: [PATCH] fix: fp with creating/uploading shares and files (#77)

---
 plugins/nextcloud-rule-exclusions-before.conf | 50 ++++++++++-----
 .../9508172.yaml | 64 +++++++++++++++++++
 2 files changed, 99 insertions(+), 15 deletions(-)
 create mode 100644 tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml

diff --git a/plugins/nextcloud-rule-exclusions-before.conf b/plugins/nextcloud-rule-exclusions-before.conf
index bb194d1..806fb76 100644
--- a/plugins/nextcloud-rule-exclusions-before.conf
+++ b/plugins/nextcloud-rule-exclusions-before.conf
@@ -341,15 +341,18 @@ SecRule REQUEST_FILENAME "@rx /s/[^/]+/authenticate/showShare$" \
 
 # Sharing a file/folder
 # Fix FP when creating a share with a password
-SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]\.php/apps/files_sharing/api/v[0-9]/shares/[0-9]+$" \
+SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]\.php/apps/files_sharing/api/v[0-9]/shares(?:/[0-9]+)?$" \
     "id:9508172,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
+    ctl:ruleRemoveTargetById=930120;ARGS:json.path,\
+    ctl:ruleRemoveTargetById=930120;ARGS:path,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.password,\
-    ver:'nextcloud-rule-exclusions-plugin/1.2.0'"
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
 
 # Syncing files with Nextcloud desktop app
 # Matches:
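Review bot: The header comment `# Fix FP when creating a share with a password` no longer describes rule 9508172, which now also drops ARGS:path and ARGS:json.path from 930120 and adds PUT and DELETE to tx.allowed_methods; something like `# Fix FP when creating a share (password, share path matching 930120) and when updating/removing a share (PUT/DELETE)` would keep the exclusion's full scope visible to the next maintainer. The method allowance is a welcome tightening over the deleted 9508140 (third hunk), which granted PUT/DELETE under all of /ocs/v[0-9]+\.php/apps/files_sharing/, but it now covers only `shares` and `shares/<id>`, so any other files_sharing endpoint that previously relied on 9508140 (for example removing pending or remote shares, if those are in use) falls back to the default method policy and should be confirmed against the regression tests. The optional `(?:/[0-9]+)?` also lets PUT/DELETE through on the bare `/shares` collection, where only POST/GET are expected; if that is not intended, keeping the `setvar` on a separate rule matched by `shares/[0-9]+$` would be tighter while leaving the target exclusions on the collection.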
@@ -421,6 +424,35 @@ SecRule REQUEST_FILENAME "@rx /remote\.php/dav/uploads/[^/]+/[0-9]+/\.file$" \
     "t:none,\
     ctl:ruleRemoveById=920450"
 
+# 200002 will trigger if a request with a content type is sent with an empty request body.
+# This typically happens when creating a file/folder in a public share.
+SecRule REQUEST_FILENAME "@contains /public.php/dav/files/" \
+    "id:9508177,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    chain"
+    SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
+        "t:none,\
+        chain"
+    SecRule REQUEST_BODY_LENGTH "@eq 0" \
+        "t:none,\
+        ctl:ruleRemoveById=200002"
+
+# When uploading files via public shares, the content type header will be set to whatever file type is being uploaded.
+# This rule allows all content types for public shares since it could be anything.
+# Rules 920420, 920480, and 920530 should catch any injection attacks on the content-type header.
+SecRule REQUEST_FILENAME "@contains /public.php/dav/files/" \
+    "id:9508178,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+    ctl:ruleRemoveById=920420"
+
 #
 # [ Searchengine ]
 #
@@ -487,18 +519,6 @@ SecRule REQUEST_FILENAME "@streq /" \
     ctl:ruleRemoveTargetById=921110;REQUEST_BODY,\
     setvar:'tx.allowed_methods=%{tx.allowed_methods} PROPFIND'"
 
-# We need to allow DAV methods for sharing files, and removing shares
-# DELETE - when the share is removed
-# PUT - when setting a password / expiration time
-SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
-    "id:9508140,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
-    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
-
 #
 # [ Preview and Thumbnails ]
 #
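Review bot: The comment above rule 9508178 names 920420 as one of the rules that will still catch Content-Type header injection, but 920420 is precisely the rule that `ctl:ruleRemoveById=920420` switches off for these requests; the CRS rule that validates the header's syntax is 920470 (Illegal Content-Type header), so the comment should read `# Rules 920470, 920480, and 920530 should catch any injection attacks on the content-type header.` 9508178 also disables the content-type allow-list for every method on any path containing `/public.php/dav/files/`, although the comment only motivates it for uploads; if uploads are the only case, chaining on the method, as 9508177 already chains on Content-Type and body length, keeps 920420 in force for the remaining requests: replace the last action with `chain"` and add `SecRule REQUEST_METHOD "@streq PUT" \` / `"t:none,ctl:ruleRemoveById=920420"`. Both new rules use `@contains /public.php/dav/files/` while 9508955 in the last hunk moved to an anchored-dot `@rx`; matching the same form here avoids the unescaped `.` matching any character.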
@@ -2237,7 +2257,7 @@ SecRule REQUEST_FILENAME "@rx /apps/photos/api/v[0-9\.]+/config/croppedLayout$"
 # Fix FP when opening photo
 # Allow the data type 'text/plain'
 # Since the content is actually XML, we switch on the XML parser
-SecRule REQUEST_FILENAME "@contains /public.php/webdav/" \
+SecRule REQUEST_FILENAME "@rx /public\.php/(?:web)?dav/" \
     "id:9508955,\
     phase:1,\
     pass,\
diff --git a/tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml b/tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml
new file mode 100644
index 0000000..3279ec0
--- /dev/null
+++ b/tests/regression/nextcloud-rule-exclusions-plugin/9508172.yaml
@@ -0,0 +1,64 @@
+---
+meta:
+  author: "Esad Cetiner"
+  description: "Nextcloud Rule Exclusions Plugin"
+  enabled: true
+  name: 9508172.yaml
+tests:
+  - test_title: 9508172-1
+    desc: Creating a new share for a file/folder
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: OWASP CRS test agent
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              content-type: application/json
+            port: 80
+            method: POST
+            uri: /ocs/v2.php/apps/files_sharing/api/v1/shares
+            data: |
+              {"path":"/path/to/tmp/example/","shareType":3,"password":"
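Review bot: Rule 9508955 now also matches `/public.php/dav/`, yet its header still reads `# Fix FP when opening photo`, and the comment says text/plain bodies on this path are handed to the XML parser. Combined with 9508178 in the second hunk, which lets any Content-Type through on `/public.php/dav/files/`, a non-empty text/plain upload to a public share would, if the rule's actions (outside this hunk) still switch the body processor to XML, be parsed as XML and presumably fail with 200002, which 9508177 only suppresses for empty bodies; this interaction is inferred from the comments and should be checked with a regression test that PUTs a small plain-text body. At minimum the comment should say `# Also matches /public.php/dav/ (public share file operations); text/plain bodies there are parsed as XML`, and if the parse failure is real, limiting the XML switch to `/public.php/webdav/` or chaining on a request shape that is actually XML would avoid it. The rule's action list continues past the end of the hunk.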