Coraza v3.2.0 comes with:
- Support for `SecRuleUpdateTargetByTag`, `Base64DecodeExt`, and extended support for ranges of IDs with `SecRuleUpdateTargetByID`.
- Support for case-sensitive matching for `ARGS` keys. It is currently enabled with the `coraza.rule.case_sensitive_args_keys` build tag. Note that, in compliance with the RFC 3986 specification, it is planned to become the default behavior starting from the next major version.
- Support for auditlog formatters for tinygo builds.
- Various bug fixes, among other things, around log generation and Coraza middleware.
- Performance improvements and reduced memory allocation, mostly thanks to @noboruma.
- Updated CRS support to the latest CRS v4.3.0 version.
What's Changed
- fix(deps): update module github.com/tidwall/gjson to v1.17.1 by @renovate in #1004
- fix(deps): update module golang.org/x/net to v0.22.0 by @renovate in #1011
- feat: expose expected directives for e2e test by @fionera in #1012
- avoid executing costly With if noop logger by @noboruma in #1015
- tests: covers eq operator. by @jcchavezs in #1002
- fix: RegisterWriter/RegisterFormatter case insensitive by @M4tteoP in #1026
- feat: Implements SecRuleUpdateTargetByTag, extends ByID with ranges by @M4tteoP in #1020
- tests: covers zero case in eq operator. by @jcchavezs in #1029
- feat: registers `RegisterFormatter`s for tinygo by @M4tteoP in #1027
- fix(deps): update module golang.org/x/net to v0.23.0 by @renovate in #1033
- Fix: audit logs RelevantOnly match if interruption happens by @M4tteoP in #1025
- tests: adds logs for unexpected status code. by @jcchavezs in #1037
- fix(deps): update module golang.org/x/net to v0.24.0 by @renovate in #1035
- cache Rule ID string version by @noboruma in #1039
- chore: adds fs access check at startup time by @M4tteoP in #1030
- Add support for Base64DecodeExt by @soujanyanmbri in #1046
- fix: FuzzB64Decode regexp match for fuzzing by @fzipi in #1054
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 in /testing/coreruleset in the go_modules group across 1 directory by @dependabot in #1043
- fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.13.4 by @renovate in #1001
- fix(deps): update module github.com/petar-dambovaliev/aho-corasick to v0.0.0-20240411101913-e07a1f0e8eb4 by @renovate in #1057
- feat: add new maps with case sensitive keys by @fzipi in #1055
- fix: http parameter pollution test cases by @fzipi in #1058
- fix(deps): update module golang.org/x/sync to v0.7.0 by @renovate in #1034
- fix(deps): update module golang.org/x/net to v0.25.0 by @renovate in #1060
- fix: RemoveTargetById Args in multiphase mode by @M4tteoP in #1061
- fix: headers leaked during interruptions at phase 3/4 by @M4tteoP in #1062
- chore: deletes content temporary file on close. by @jcchavezs in #924
- chore: upgrades to CRS 4.1. by @jcchavezs in #1032
- chore: updates CRS tests to CRS4.2 by @M4tteoP in #1066
- fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.14.0 by @renovate in #1067
- feat: add support for case sensitive args by @fzipi in #1059
- fix: logs multiple vars matched by same rule by @M4tteoP in #1074
- fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.0 by @renovate in #1076
- fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.1 by @renovate in #1079
- fix(deps): update module golang.org/x/net to v0.26.0 by @renovate in #1075
- fix: setters of INBOUND_DATA_ERROR and OUTBOUND_DATA_ERROR by @M4tteoP in #1078
- fix(deps): update module github.com/rs/zerolog to v1.33.0 by @renovate in #1073
- chore: updates CRS tests to CRS4.3 by @M4tteoP in #1081
New Contributors (thanks a lot!)
- @fionera made their first contribution in #1012
- @noboruma made their first contribution in #1015
- @soujanyanmbri made their first contribution in #1046
Full Changelog: v3.1.0...v3.2.0