
Editing an existing Nextcloud Cookbook app recipe triggers 911100 rule false positive #88

Closed
jessebot opened this issue Jul 21, 2024 · 4 comments · Fixed by #91

Comments

@jessebot

Here's the ModSecurity transaction log:

{
  "transaction": {
    "client_ip": "192.168.1.1",
    "time_stamp": "Sun Jul 21 17:59:16 2024",
    "server_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_port": 11306,
    "host_ip": "xxx.xxx.xxx.xxx",
    "host_port": 443,
    "unique_id": "xxxxxxxxxxxx.xxxxxx",
    "request": {
      "method": "PUT",
      "http_version": 2.0,
      "uri": "/apps/cookbook/webapp/recipes/108316",
      "body": "{\"id\":\"108316\",\"name\":\"white cashew sauce for gnochi?\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":null,\"cookTime\":null,\"totalTime\":null,\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":1,\"tool\":[],\"recipeIngredient\":[\"200 g cashews\",\"1 enough boiling water to completely cover the cashews\",\"1 bay leaf\"],\"recipeInstructions\":[\"Soak the cashews in boiling water for an hour\"],\"nutrition\":{\"@type\":\"NutritionInformation\"},\"valueInit\":{\"id\":\"108316\",\"name\":\"white cashew sauce for gnochi?\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":null,\"cookTime\":null,\"totalTime\":null,\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":1,\"tool\":[],\"recipeIngredient\":[\"200 gcashews\",\"1 enough boiling water to completely cover the cashews\"],\"recipeInstructions\":[\"Soak the cashews in boiling water for an hour\"],\"nutrition\":{\"@type\":\"NutritionInformation\"},\"valueInit\":{\"id\":0,\"name\":\"\",\"description\":\"\",\"url\":\"\",\"image\":\"\",\"prepTime\":\"\",\"cookTime\":\"\",\"totalTime\":\"\",\"recipeCategory\":\"\",\"keywords\":\"\",\"recipeYield\":\"\",\"tool\":[],\"recipeIngredient\":[],\"recipeInstructions\":[],\"nutrition\":[]},\"@context\":\"http://schema.org\",\"@type\":\"Recipe\",\"dateCreated\":\"2024-07-21T14:25:24+00:00\",\"dateModified\":\"2024-07-21T14:25:24+00:00\",\"datePublished\":null,\"printImage\":true,\"imageUrl\":\"/apps/cookbook/webapp/recipes/108316/image?size=full\"},\"@context\":\"http://schema.org\",\"@type\":\"Recipe\",\"dateCreated\":\"2024-07-21T14:25:24+00:00\",\"dateModified\":\"2024-07-21T14:25:24+00:00\",\"datePublished\":null,\"printImage\":true,\"imageUrl\":\"/apps/cookbook/webapp/recipes/108316/image?size=full\"}",
      "headers": {
        "origin": "https://cloud.example.com",
        "dnt": "1",
        "requesttoken": "U+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=",
        "x-requested-with": "XMLHttpRequest, XMLHttpRequest",
        "content-type": "application/json",
        "accept-encoding": "gzip, deflate, br",
        "cookie": "__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; ocrkhwrly2jb=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "content-length": "1557",
        "accept-language": "en-US,en;q=0.5",
        "te": "trailers",
        "accept": "application/json, text/plain, */*",
        "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
        "sec-fetch-site": "same-origin",
        "host": "cloud.example.com",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors"
      }
    },
    "response": {
      "http_code": 403,
      "headers": {
        "Server": "",
        "Date": "Sun, 21 Jul 2024 15:59:16 GMT",
        "Content-Length": "146",
        "Content-Type": "text/html",
        "Connection": "close",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
      }
    },
    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "Enabled",
      "components": [
        "OWASP_CRS/4.4.0\""
      ]
    },
    "messages": [
      {
        "message": "Method is not allowed by policy",
        "details": {
          "match": "Matched \"Operator `Within' with parameter `GET HEAD POST OPTIONS' against variable `REQUEST_METHOD' (Value: `PUT' )",
          "reference": "v0,3",
          "ruleId": "911100",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf",
          "lineNumber": "28",
          "data": "PUT",
          "severity": "2",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "application-multi",
            "language-multi",
            "platform-multi",
            "attack-generic",
            "paranoia-level/1",
            "OWASP_CRS",
            "capec/1000/210/272/220/274",
            "PCI/12.1"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      },
      {
        "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
        "details": {
          "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' )",
          "reference": "",
          "ruleId": "949110",
          "file": "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
          "lineNumber": "222",
          "data": "",
          "severity": "0",
          "ver": "OWASP_CRS/4.4.0",
          "rev": "",
          "tags": [
            "anomaly-evaluation",
            "OWASP_CRS"
          ],
          "maturity": "0",
          "accuracy": "0"
        }
      }
    ]
  }
}

If it's helpful, I'm running Nextcloud version 29.0.3 and Cookbook version 0.11.1. Thank you for all your help! 🙏

@EsadCetiner
Member

@jessebot Thanks for the report, but right now the plugin doesn't support Nextcloud cookbook. I'll have to do some testing before support can be added. Although I can give you this rule exclusion just to get you going for now:

# Editing a recipe in Nextcloud Cookbook
SecRule REQUEST_FILENAME "@rx /apps/cookbook/webapp/recipes/[0-9]+$" \
    "id:1,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT'"
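
A small triage helper, added here as an example and not part of the plugin or the thread: it pulls the method, path, response code and fired rule IDs out of a ModSecurity v3 JSON audit entry (a trimmed, constructed excerpt of the log above) and checks whether the exclusion proposed in this comment, which appends PUT to `tx.allowed_methods` for paths matching `/apps/cookbook/webapp/recipes/[0-9]+$`, would cover that request.

```python
import json
import re

# Constructed excerpt of the ModSecurity v3 JSON audit log posted above
# (headers, body and tags trimmed to the fields the triage needs).
SAMPLE_LOG = r'''{
  "transaction": {
    "request": {"method": "PUT", "uri": "/apps/cookbook/webapp/recipes/108316"},
    "response": {"http_code": 403},
    "messages": [
      {"message": "Method is not allowed by policy",
       "details": {"ruleId": "911100", "data": "PUT", "severity": "2"}},
      {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
       "details": {"ruleId": "949110", "data": "", "severity": "0"}}
    ]
  }
}'''

# Path pattern and method taken from the exclusion rule proposed in the thread.
# ModSecurity's @rx is unanchored at the start, so re.search mirrors its behaviour.
EXCLUSION_PATH = re.compile(r"/apps/cookbook/webapp/recipes/[0-9]+$")
EXCLUSION_METHOD = "PUT"


def summarize(log_text):
    """Return (method, uri, http_code, [ruleIds]) from one audit-log transaction."""
    tx = json.loads(log_text)["transaction"]
    rule_ids = [m["details"]["ruleId"] for m in tx["messages"]]
    return (tx["request"]["method"], tx["request"]["uri"],
            tx["response"]["http_code"], rule_ids)


def exclusion_covers(log_text):
    """True when the proposed exclusion would have allowed this request:
    911100 (method enforcement) fired, the method is PUT, and the path
    matches the recipe-edit pattern. Anything else still needs review."""
    method, uri, _, rule_ids = summarize(log_text)
    return ("911100" in rule_ids
            and method == EXCLUSION_METHOD
            and EXCLUSION_PATH.search(uri) is not None)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("exclusion covers request:", exclusion_covers(SAMPLE_LOG))
```

Sub-paths such as the recipe image endpoint and methods other than PUT fall outside the pattern, which is the point of keeping the exclusion this narrow.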

@jessebot
Author

That's totally fine and thanks so much as always for your help! Perhaps we could have a list of supported Nextcloud apps in the README.md?

@EsadCetiner
Member

@jessebot I agree, but right now nothing is set in stone. I'll have to see what makes sense to support and what doesn't; it'll be impossible to cover every single Nextcloud app out there with reasonable quality.

@EsadCetiner
Member

@jessebot I've finished testing cookbook for false positives, PR is available here: #91

Supported/unsupported Nextcloud apps are now documented since #90 was merged.
