corazawaf/coraza v3.0.0-rc.1

Release 3.0.0 RC1

on GitHub

What's Changed

• fix: default actions for phase 2 are now hardcoded #191 by @jptosso in #198
• change the URL protocol(git -> https) by @y05h1k1ng in #214
• fix(actions): Remove branch patterns from action scope by @jptosso in #217
• fix(tx): Force Request Body now works by @jptosso in #219
• fix(@rx): add @rx captured data into Tx variable by @bxlxx in #215
• Rule matches optimization: Fix for #183 by @piyushroshan in #220
• fix: remove unused code by @bxlxx in #228
• fix(rx): support non utf-8 format data matching by @bxlxx in #231
• feat(directive): Implement include directive by @jptosso in #232
• simplified iota definition by @zc2638 in #236
• Fix Include Directive by @piyushroshan in #240
• Enhance github actions for sonarcloud and regression by @jptosso in #248
• update pre-commit, dependencies and fix linters by @jptosso in #250
• fix issue #241 (replaces #242) by @jptosso in #249
• fix: sonar checks on forks. by @jcchavezs in #256
• chore: move all linters to golangci-lint by @jcchavezs in #258
• Updating README & CONTRIBUTING guidelines and adding an initial CHANGELOG by @sts in #255
• Update README.md by @sts in #259
• Fix 209: Case sensitive evaluation by @piyushroshan in #260
• fix(multipart processor): capture original file name without using reflection by @jcchavezs in #229
• fix: fixes RBL leaks. by @jcchavezs in #243
• Remove wasm example file by @jptosso in #261
• Allow passthrough of variable Negations if not present by @piyushroshan in #265
• new variables engine for v3 by @jptosso in #277
• feat(operator): New RESTPATH operator support by @jptosso in #282
• chore: turns http server into an own module. by @jcchavezs in #281
• Turn utils into internal by @jcchavezs in #285
• V3/dev fixes by @jptosso in #288
• Adding support for the redirect action. closes #144 by @sts in #290
• chore: drops Transaction.ProcessRequest into an own package. by @jcchavezs in #296
• V3/dev fixes by @jptosso in #292
• remove tests by @jptosso in #300
• Migrate engine test profiles from yaml to go by @anuraaga in #306
• Move resetCaptures defer out of loop by @anuraaga in #304
• Use struct instead of slice for byte range validation by @anuraaga in #305
• Make sure temp files in tests are removed by using t.TempDir by @anuraaga in #310
• Reduce include recursion limit by @anuraaga in #307
• Fix flaky TestCollectionProxy by @anuraaga in #312
• Don't copy to bytes when validating byte range by @anuraaga in #309
• upgrade go version by @jptosso in #323
• Small optimizations to urlencode by @anuraaga in #320
• Small optimizations to base64decode by @anuraaga in #319
• Use go run instead of install for go-ftw by @anuraaga in #316
• Add more benchmarks by @jptosso in #301
• Separate out bodyprocessor implementations for TinyGo by @anuraaga in #311
• V3/url processor by @jptosso in #326
• V3/core fixes by @jptosso in #327
• feat: adds tinygo support. by @jcchavezs in #254
• Add benchmarks using ModSecurity for comparison by @anuraaga in #329
• Add magefile for running development commands by @anuraaga in #315
• Separate out bodybuffer implementation for tinygo that doesn't access… by @anuraaga in #332
• Run addlicense when formatting by @anuraaga in #333
• Add an interface for DebugLogger to be able to replace the logging me… by @anuraaga in #337
• Change license formatting to mention contributors and use SPDX by @anuraaga in #334
• Add command for installing precommit hook by @anuraaga in #339
• [v3] Bump required go version to 1.18 by @anuraaga in #343
• Remove usages of deprecated ioutil by @anuraaga in #342
• Case sensitive evaluation Fix for v3 by @piyushroshan in #346
• Remove usage of system /tmp from tests. by @anuraaga in #353
• [v3] Optimization for validate_nid operator by @bxlxx in #348
• Reduce some data copies in modsecurity bridge by @anuraaga in #359
• Run lint before formatting by @anuraaga in #358
• [v3] Use mage commands in CI instead of pre-commit by @anuraaga in #356
• add dataset support by @jptosso in #361
• Implements ipMatchFromDataset, parsing for ipMatchFromFile by @M4tteoP in #363
• chore: reallocate testdata. by @jcchavezs in #364
• chore: loads file inside operator when using FromFile. by @jcchavezs in #366
• chore: improves errors on tinygo. by @jcchavezs in #369
• Remove err return from NewParser by @anuraaga in #375
• chore: improves tx.Clean by @jcchavezs in #370
• chore: improves from file tests. by @jcchavezs in #367
• Use io.Discard instead of /dev/null for discarding output by @anuraaga in #354
• chore: removes unneeded code in operators. by @jcchavezs in #376
• v3: Remove unused mutex in RuleGroup by @nacx in #384
• add pre-alpha notice by @jptosso in #383
• Remove legacy pre-commit config by @anuraaga in #365
• codecov tests by @jptosso in #386
• chore(deps): bump github.com/tidwall/gjson from 1.14.2 to 1.14.3 by @dependabot in #382
• fix coverage by @jptosso in #387
• Rename Waf to WAF by @anuraaga in #390
• clean up unnecessary error judgments by @zc2638 in #389
• [v3] Display contributors in README by @anuraaga in #392
• tests: improves coverage. by @jcchavezs in #385
• chore: organize imports in 3 blocks: stdlib, 3rd party, coraza by @nacx in #394
• Optimize random string generation by @anuraaga in #403
• Document that RandomString is pseudorandom by @anuraaga in #405
• Allow setting a root fs.FS in a parser. by @anuraaga in #393
• fix: improves mage lint user experience. by @jcchavezs in #413
• tests: uses testing.TB interface for helper to avoid nil check. by @jcchavezs in #418
• chore: avoids too many open files error when running CRS. by @jcchavezs in #414
• chore: fixes example by not reusing the transaction. by @jcchavezs in #420
• chore: improves loggers by adding closer. by @jcchavezs in #415
• Update libinjection-go by @anuraaga in #421
• Register native auditlogformatter in TinyGo by @anuraaga in #402
• V3/improves parser performance by @jcchavezs in #412
• Don't write files during multipart processing in TinyGo by @anuraaga in #399
• fix audit filesizes audit bug by @jptosso in #411
• Use iter for pm operator instead of always finding all when capturing by @anuraaga in #424
• chore: improves logic in the operators. by @jcchavezs in #423
• Chore: buildExamples command, CI, http-server example tests by @M4tteoP in #422
• Make RandomString concurrent-safe by @anuraaga in #430
• Fix handling of unicode in regex by @anuraaga in #425
• Fix parser backticks by @M4tteoP in #433
• tests: enrich backticks test. by @jcchavezs in #435
• Remove unescaping in string handling and use proper unicode regex syntax. by @anuraaga in #434
• Fix caddy CRS test config missing trailing quote by @anuraaga in #437
• Convert library entrypoints to immutable interfaces by @anuraaga in #397
• Improves ctl by @jcchavezs in #440
• chore: adds support for HTTP middleware. by @jcchavezs in #442
• Don't explicitly initialize empty slices by @anuraaga in #446
• Set debug logger implementation before parsing directives by @anuraaga in #444
• Add fast path for macro with single token by @anuraaga in #448
• chore(deps): bump github.com/magefile/mage from 1.13.0 to 1.14.0 by @dependabot in #428
• add support for MULTIPART_PART_HEADERS by @jptosso in #452
• chore: keeps clean method private. by @jcchavezs in #454
• chore: minor tweaks. by @jcchavezs in #450
• Add CODEOWNERS by @anuraaga in #400
• feat: adds support for stdout. by @jcchavezs in #449
• add waf.NewTransactionWithID by @jptosso in #455
• Fix validateUtf8Encoding by @anuraaga in #458
• Reads the request protocol instead of hacks by @codefromthecrypt in #459
• Add test using ftw and crs by @anuraaga in #457
• chore: drops context first param. by @jcchavezs in #462
• chore: makes sure body payload has a limit in tinygo. by @jcchavezs in #463
• Reuse body buffers and collections across transactions by @anuraaga in #464
• Implement a simple sync.Pool for TinyGo by @anuraaga in #465
• chore: adds support for closing logs. by @jcchavezs in #467
• Fix: Adjust parser activation rules in coraza.conf-recommended by @M4tteoP in #470
• chore: do not close future versions work by @fzipi in #471
• Fix collection of content with inner XML nodes. by @anuraaga in #473
• Use slice for collections instead of array by @anuraaga in #472
• docs: general tweaks to readme. by @jcchavezs in #476
• http-server: log error, response headers and readme by @M4tteoP in #460
• Remove many Get prefixes in interfaces by @anuraaga in #475
• Don't git stash when linting by @anuraaga in #479
• Small cleanups in collections by @anuraaga in #482
• Remove Transaction.Collections slice by @anuraaga in #481
• Convert rulematch types to interfaces by @anuraaga in #478
• Switch from operator Init mutator to operator factory by @anuraaga in #484
• Keep CRS in memory instead of writing to tmp in tests by @anuraaga in #485
• Initialize operators in each file and add build tags for excluding them by @anuraaga in #489
• Don't publish overall coverage flag by @anuraaga in #491
• Use lookup table for byte range validation by @anuraaga in #490
• Use gjson for json body processor for non-tinygo as well and use streaming parser by @anuraaga in #488
• Fix: adds http-server and coreruleset tests to coverage command, enabling them in CI by @M4tteoP in #492
• Don't use same output file for different coverage commands by @anuraaga in #493
• Address CRS response body tests by @M4tteoP in #483
• Fix CRS Regression tests - Go 1.18 by @M4tteoP in #495
• Export Request/Response BodyAccess values by @M4tteoP in #499
• Copy rules slice when cloning config by @anuraaga in #501
• feat: optimize body buffering. by @jcchavezs in #505
• feat: changes WAF to accept a slice of rules instead of one rule. by @jcchavezs in #507
• Exports IsRuleEngineOff by @M4tteoP in #504
• chore: updates go-ftw to 0.4.3 by @M4tteoP in #516
• chore: only buffers response body if the mime type is the desired one. by @jcchavezs in #514
• breaking: rename methods for a better description of what they do. by @jcchavezs in #518
• feat: update upstream go-ftw by @fzipi in #523
• Skips Evaluate during ProcessLogging if EngineOff by @M4tteoP in #524
• chore: renames transaction tests with engine off by @M4tteoP in #529
• Simplify CodeQL workflow by @anuraaga in #528
• Updates CRS, fixes some tests by @M4tteoP in #526
• Expose AddArgument on tx interface by @piyushroshan in #508
• optimize rx operator by @jptosso in #536
• Cache transformations within a phase by @anuraaga in #537
• Passthrough string in url decode transformations when no decoding by @anuraaga in #540
• Return number bytes, not runes, in length transformation by @anuraaga in #542
• Have cmdLine operate on bytes and passthrough non-transformed by @anuraaga in #543
• Passthrough non-transformed strings in compressWhitespace by @anuraaga in #544
• Use stdlib for replaceNulls by @anuraaga in #545
• Passthrough non-transformed strings (to some degree) in cssDecode by @anuraaga in #546
• WrapUnsafe in hash transformations by @anuraaga in #549
• Use pointer for arg key in cache key by @anuraaga in #553
• Rework utf8tounicode to match ModSecurity and passthrough non-utf8 by @anuraaga in #541
• chore: adds validation for limits. by @jcchavezs in #535
• Allocate transformation cache value on heap by @anuraaga in #554
• fix: minor cleanup in parseCtl, adds parseCtl test by @M4tteoP in #551
• Passthrough non-transformed strings (to some degree) in jsDecode by @anuraaga in #548
• chore: makes txPool a WAF attribute to avoid globals. by @jcchavezs in #558
• Don't seek output file when reading from buffer by @anuraaga in #562
• tests: simplify multipart test. by @jcchavezs in #561
• Passthrough non-transformed strings (to some degree) in escapeSeqDecode by @anuraaga in #547
• chore: dropping internal logger type used in the public API. by @jcchavezs in #559
• chore: Removes unused code by @M4tteoP in #563
• Add infrastructure for and a couple of fuzz tests by @anuraaga in #567
• Remove extraneous conditions from remove_comments by @anuraaga in #568
• missing hostname in logs by @M4tteoP in #517
• chore: implements idempotency for phase calling. by @jcchavezs in #571
• feat: avoids zero limit on request/response body. by @jcchavezs in #573
• chore: idempotency on ProcessX functions by @M4tteoP in #574
• Convert split of two items to cut by @anuraaga in #575
• chore(deps): bump github.com/corazawaf/libinjection-go from 0.1.1 to 0.1.2 by @dependabot in #577
• Add fuzz tests for injection operators by @anuraaga in #576
• Append request body by @jcchavezs in #560
• expose ID by @jptosso in #579
• Support evaluation of rules in multiple phases by @anuraaga in #565
• chore: updates x/net and gjson deps by @M4tteoP in #580
• fix: fixes side effects between calls when a file does not exist in parser by @jcchavezs in #584
• Write Body buffer: adds Limit check, overflow check and limits comments by @M4tteoP in #539
• remove old TODO by @jptosso in #586
• Flatters WAF config API for better flexibility in setting memory limits and enabling BodyAccess by @M4tteoP in #503
• docs: adds documentation for directives. by @jcchavezs in #590
• docs: improves docs for directives. by @jcchavezs in #591
• implements ReadResponseBodyFrom and WriteResponseBody by @M4tteoP in #587
• docs: more tweaks to docs. by @jcchavezs in #592
• docs: fixes doc for Include directive. by @jcchavezs in #596
• chore: Fixes limit check inside BodyBuffer.Write by @M4tteoP in #593
• breaking: drops content injection features. by @jcchavezs in #589
• chore: adds hard limit for body limit. by @jcchavezs in #597
• chore: fixes lint check in generation. by @jcchavezs in #601
• docs: small improvements in the directives docs. by @jcchavezs in #603
• docs: adds code backticks for directives. by @jcchavezs in #604
• Evaluate no return by @jcchavezs in #602
• Populates serverName variable implementing SetServerName by @M4tteoP in #572
• Use unknown instead of nil for macro without variable by @anuraaga in #607
• fix: fixes the superflous header write. by @jcchavezs in #605
• Simplify Map API by @anuraaga in #606
• Corrects SecDebugLogLevel doc, reorders logs levels by @M4tteoP in #519
• chore: updates directives doc about SecDebugLogLevel by @M4tteoP in #609
• Further simplify collections APIs by @anuraaga in #608
• tests: covers the wrapper for nil WAF. by @jcchavezs in #614
• Validate config consistently by @jcchavezs in #612
• Move debug formatting to collections and remove Map.Data by @anuraaga in #615
• Backfills in memory limit by @jcchavezs in #619
• fix: fixes the parser to avoid invalid rules. by @jcchavezs in #624
• add flexible xml body processing by @jptosso in #622
• doc: v3 changelog by @sts in #538
• chore: removes support for SecTmpDir. by @jcchavezs in #625
• Needed change: type AuditLogParts []auditLogPart should be exported #628 by @jptosso in #637
• feat: implement allow disruptive action by @fzipi in #527
• chore: generates variable map and variable count. by @jcchavezs in #641
• feat: move collections to noop by @fzipi in #640
• Remove Collection.Reset from public API by @anuraaga in #644
• chore: avoids mutating the rule during evaluation. by @jcchavezs in #645
• Only expose supported variables in public API by @anuraaga in #642
• chore: avoids tmp dir instantiation when no FS access environment. by @jcchavezs in #626
• Remove VariablesCount and use an iterator instead by @anuraaga in #647
• chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 by @dependabot in #621
• chore: removes CodeQL analysis on the push events by @M4tteoP in #650
• chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 by @dependabot in #649
• chore: change readme coverage by @jptosso in #651
• Remove MatchData.VariableName by @anuraaga in #643
• Remove WithRules from config by @anuraaga in #656
• fix: missing response body mime type config by @jptosso in #654
• tests: covers macro coverage. by @jcchavezs in #655
• Improves actions code by @jcchavezs in #646
• chore(deps): bump golang.org/x/net from 0.1.0 to 0.7.0 in /testing/coreruleset by @dependabot in #663
• move actions to plugins by @jptosso in #661
• Revert "move actions to plugins" by @jptosso in #665
• upgrade codecov to v3 by @jptosso in #667
• fix(ci): codecov issues by @jptosso in #668
• refactor tx addargument by @jptosso in #659
• fix(921180): NamedCollection not unique, adds redundancy in MatchData by @M4tteoP in #618
• chore: updates CRS, more tests passing by @M4tteoP in #674
• Remove MatchData.IsNil by @anuraaga in #677
• tests: adds more coverage for CTL action. by @jcchavezs in #679
• Avoid intermediate string when formatting variables for debug by @anuraaga in #675
• Use string builder in parseActions() to optimize memory usage. by @manojgop in #681
• Enable xml processor on TinyGo by @anuraaga in #685
• Rework Logger API by @jcchavezs in #682
• chore(readme): remove roadmap from readme by @jptosso in #686
• chore: reallocate loggers by @jcchavezs in #687
• Use coraza-coreruleset for FTW test by @anuraaga in #689
• chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 by @dependabot in #690
• fix: default Event in log levels, adds test by @M4tteoP in #691
• chore: adds phases check before processing body by @M4tteoP in #680
• Fix(980170): Correlation rules, SecAction messages, flow actions with DetectionOnly by @M4tteoP in #684
• chore: runs go work sync on format. by @jcchavezs in #693
• feat: adds support for response args and response body processor. by @jcchavezs in #695
• Small cleanups to parser by @anuraaga in #697
• Replace action/operator tokenization from regex to code by @anuraaga in #700
• breaking: removes INBOUND_ERROR_DATA in favour of INBOUND_DATA_ERROR. by @jcchavezs in #706
• Small cleanups to actions parsing by @anuraaga in #703
• Only log requested parts in native formatter by @anuraaga in #704
• Rework actions parsing by @anuraaga in #709
• Some cleanups to debuglog API by @anuraaga in #708
• Add typesafe auditlog config by @anuraaga in #699
• breaking: removes logger from the WrapHandler function. by @jcchavezs in #714
• chore: improves debug log by adding the status. by @jcchavezs in #715
• fix: allow:phase and allow:request actions, extends related tests by @M4tteoP in #707
• chore: removes CTL regex. by @jcchavezs in #701
• feat(transformation): add trim transformation by @jptosso in #717
• Reduce stuttering in auditlog package by @anuraaga in #722
• Don't remove GET keys in json processor by @anuraaga in #720
• Replace remaining usage of generic config map with internal struct by @anuraaga in #721
• Only log requested parts in audit log by @anuraaga in #705
• fix: skip action within the phase, adds tests by @M4tteoP in #723
• Propagate parsed line for raw rule storage by @anuraaga in #724
• chore: Adds checks for SecDefaultActions and related tests by @M4tteoP in #712
• Cleanup and optimize rulegroup by @anuraaga in #726
• chore: avoids initializing the audit log on every directive. by @jcchavezs in #725

New Contributors

• @y05h1k1ng made their first contribution in #214
• @piyushroshan made their first contribution in #220
• @zc2638 made their first contribution in #236
• @codefromthecrypt made their first contribution in #459
• @manojgop made their first contribution in #681

Full Changelog: v2.0.0...v3.0.0-rc.1