github corazawaf/coraza v3.3.0
on GitHub

latest release: v3.3.1
5 days ago

Another year, another version 🎉 !

Version 3.3.0 comes with some nice new features, extended compatibility with ModSecurity SecLang, and some quick performance improvements.

The minimum required Go version is 1.22.

New features:

  • The coraza.rule.no_regex_multiline build tag has been added. It disables enabling by default regexes multiline modifiers in @rx operator. It aligns with CRS expected behavior, reduces false positives and might improve performances. Mind that it is planned to become the default behavior starting from the next major version. Check details and review available build tags here.
  • Added support to OCSF (v1.2.0) audit log format by @durg78. Reference: #1089
  • Improved compatibility with Windows by @jabdr. Reference: #1132 & #1133 & #1136 & #1137 & #1138
  • Added MULTIPART_STRICT_ERROR variable. It is set when mutipart fails to parse by @fzipi, @M4tteoP. Reference: #1098 & #1166
  • Added SecRuleUpdateActionById directive support by @fzipi. Reference: #1071
  • Added TIME variables support by @geoolekom and @jcchavezs for the sake of compatibility with modsec and existing rulesets e.g. Imunify360. Some use cases are described in #1223 (comment). Reference: #1223 & #1242
  • Allow square brackets in variables during macro expansion by @geoolekom as a query parameter can be a slice and hence its name contains square brackets. Reference: #1226
  • Added base64 encode transformation by @tty2 as it wasn't supported. Reference: #1257

Fixes:

  • Fixed incorrect parsing of regex in SecRule with multiple ARGS specifiers by @geekeryy. Reference: #1087
  • Fixed default deny action status code to 403 by @M4tteoP. Reference: #1097
  • Fixed setvar action to allow values to start with - or + by @soujanyanmbri. Reference: #1125
  • Fixed macro parsing to handle additional border cases by @fzipi. Reference: #1180
  • Fixed default redirect action status code by @fzipi. Reference: #1183
  • Improved noisy warn level debug logging when the body limit action is ProcessPartial. Reference: #1187
  • Added empty glob error when no files match by @gantony as we don't want to accidentally miss rules to be loaded because an incorrect glob. Reference: #1259
  • Go version was pinned to 1.22.0 as coraza is a library and we should not target patch versions. Reference: #1246

Performance improvements

  • Improvements on GetField by reducing heap allocations by @M4tteoP. Reference: #1195
  • Improvements on transformArg by reducing heap allocations by @M4tteoP. Reference: #1198
  • Improvements on collections by reducing heap allocations by @soujanyanmbri. Reference: #1202

What's Changed

  • fix: variable parsing error by @geekeryy in #1087
  • fix: deny action with default status 403 by @M4tteoP in #1097
  • chore(goversion): upgrade minimum version to 1.21 by @jptosso in #1099
  • feat: set MULTIPART_STRICT_ERROR value when mutipart fails to parse by @fzipi in #1098
  • chore: finalizes go 1.21 bump, point to local version for crs tests, minor docs by @M4tteoP in #1102
  • chore: config renovate to update up to our supported go version by @fzipi in #1105
  • fix: broken renovatebot config by @fzipi in #1107
  • chore(deps): pin dependencies by @renovate in #1108
  • chore(deps): update github/codeql-action digest to 5cf07d8 by @renovate in #1113
  • chore(README): removes mention to EOL of Modsec by @M4tteoP in #1115
  • chore(deps): update github/codeql-action digest to afb54ba by @renovate in #1114
  • chore(deps): update github/codeql-action digest to eb055d7 by @renovate in #1126
  • fix(deps): update module golang.org/x/net to v0.28.0 by @renovate in #1127
  • chore(deps): update github/codeql-action digest to 29d86d2 by @renovate in #1129
  • chore(deps): update github/codeql-action digest to 429e197 by @renovate in #1130
  • fix(deps): update module golang.org/x/sync to v0.8.0 by @renovate in #1124
  • fix: broken TestInspectFile on windows by @jabdr in #1133
  • fix: broken multipart processor on windows by @jabdr in #1137
  • fix: broken TestDirectives SecUploadDir on windows by @jabdr in #1132
  • fix: broken TestConcurrentWriterSuccess on windows by @jabdr in #1138
  • chore(goversion): upgrade minimum version to 1.22 by @M4tteoP in #1145
  • chore: update tinygo to 0.33.0 by @fzipi in #1148
  • fix(deps): update module github.com/tidwall/gjson to v1.17.3 by @renovate in #1116
  • feat: ocsf audit logging by @durg78 in #1089
  • fix: update auditlog test names by @jcchavezs in #1152
  • fix: broken TestHardcodedIncludeDirectiveDDOS2 on windows by @jabdr in #1136
  • updates tests to CRS 4.5, albedo by @M4tteoP in #1122
  • fix(deps): update github.com/coreruleset/go-ftw digest to 8474a93 by @renovate in #1155
  • fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.15.0 by @renovate in #1142
  • chore: ports interceptor correction by @M4tteoP in #1123
  • Bug Fix: The value in the setvar should be able to start with - or +. by @soujanyanmbri in #1125
  • fix(deps): update module github.com/coreruleset/albedo to v0.0.16 by @renovate in #1158
  • tests: unknown key. by @jcchavezs in #1156
  • chore(deps): update codecov/codecov-action digest to b9fd7d1 by @renovate in #1160
  • fix(deps): update module github.com/tidwall/gjson to v1.18.0 by @renovate in #1161
  • refactor: replace reflect.StringHeader with unsafe.StringData by @Juneezee in #1162
  • chore(deps): update github/codeql-action digest to 2c779ab by @renovate in #1131
  • fix(deps): update module golang.org/x/net to v0.30.0 by @renovate in #1165
  • chore(deps): update github/codeql-action digest to 6db8d63 by @renovate in #1164
  • fix: MULTIPART_STRICT_ERROR, updates CRS tests to v4.6.0 by @M4tteoP in #1166
  • docs: SecAuditLogDir, removes mention of SecAuditLogStorageDir by @M4tteoP in #1167
  • fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.2 by @renovate in #1172
  • fix: actions comment by @fzipi in #1173
  • chore(deps): update actions/setup-go digest to 41dfa10 by @renovate in #1179
  • fix: apply mage format by @fzipi in #1181
  • fix: handle additional broken macro definitions by @fzipi in #1180
  • fix: redirect action status codes by @fzipi in #1183
  • feat: add SecRuleUpdateActionById directive by @fzipi in #1071
  • chore(deps): update github/codeql-action digest to 6624720 by @renovate in #1169
  • fix(deps): update module github.com/bmatcuk/doublestar/v4 to v4.7.1 by @renovate in #1171
  • chore(deps): update actions/checkout digest to 11bd719 by @renovate in #1168
  • nits: SecRuleUpdateActionById doc by @M4tteoP in #1185
  • chore: update renovate config to use common by @fzipi in #1184
  • fix(deps): update module github.com/coreruleset/go-ftw to v1.1.0 in testing/coreruleset/go.mod by @renovate in #1188
  • chore(deps): update actions/cache action to v4 in .github/workflows/tinygo.yml by @renovate in #1189
  • Revert "fix(deps): update module github.com/coreruleset/go-ftw to v1.1.0 in testing/coreruleset/go.mod" by @fzipi in #1190
  • fix: toolchain version in go.mod by @fzipi in #1192
  • chore: refactor process body related logs and doc by @M4tteoP in #1187
  • fix(deps): update module github.com/coreruleset/go-ftw to v1.1.1 in testing/coreruleset/go.mod by @renovate in #1191
  • perf: GetField reduce allocations by @M4tteoP in #1195
  • docs: nits and avoids mentioning not existing resources by @M4tteoP in #1203
  • fix(deps): update module golang.org/x/sync to v0.9.0 in go.mod by @renovate in #1206
  • chore(deps): update github/codeql-action digest to 4f3212b in .github/workflows/codeql-analysis.yml by @renovate in #1209
  • fix(deps): update module golang.org/x/net to v0.31.0 in go.mod by @renovate in #1210
  • Adds a mergefs.Merge test by @M4tteoP in #1211
  • chore(deps): update github/codeql-action digest to 396bb3e in .github/workflows/codeql-analysis.yml by @renovate in #1213
  • chore(regression): improve coverage with testing tag matrix by @jptosso in #1214
  • add codecov token by @jptosso in #1215
  • chore(deps): pin actions/checkout action to 11bd719 in .github/workflows/regression.yml by @renovate in #1216
  • fix(deps): update module github.com/corazawaf/coraza-coreruleset/v4 to v4.7.0 in testing/coreruleset/go.mod by @renovate in #1217
  • perf: reduces transformArg allocation without multimatch by @M4tteoP in #1198
  • fix(deps): update all non-major dependencies in testing/coreruleset/go.mod by @renovate in #1218
  • chore(deps): update codecov/codecov-action action to v5 in .github/workflows/regression.yml by @renovate in #1219
  • Perf: Improve Performance, reduce heap allocations by @soujanyanmbri in #1202
  • chore(deps): update codecov/codecov-action digest to 5c47607 in .github/workflows/regression.yml by @renovate in #1222
  • fix: removes multiline from default regex modifiers by @M4tteoP in #876
  • chore(deps): update codecov/codecov-action digest to 05f5a9c in .github/workflows/regression.yml by @renovate in #1224
  • chore(deps): update codecov/codecov-action digest to 985343d in .github/workflows/regression.yml by @renovate in #1225
  • chore(deps): update all non-major dependencies in .github/workflows/regression.yml by @renovate in #1228
  • chore(deps): update codecov/codecov-action digest to 015f24e in .github/workflows/regression.yml by @renovate in #1229
  • Allow square brackets in variables (macro expansion) by @geoolekom in #1226
  • tests: adds engine tests about args with square brackets by @M4tteoP in #1230
  • fix(deps): update github.com/magefile/mage digest to 32e0107 in go.mod by @renovate in #1234
  • fix(deps): update github.com/magefile/mage digest to bdc92f6 in go.mod by @renovate in #1235
  • fix(deps): update module github.com/coreruleset/go-ftw to v1.1.2 in testing/coreruleset/go.mod by @renovate in #1236
  • chore(deps): update github/codeql-action digest to aa57810 in .github/workflows/codeql-analysis.yml by @renovate in #1237
  • fix(deps): update go modules in go.mod by @renovate in #1240
  • chore(deps): update all non-major dependencies in .github/workflows/tinygo.yml by @renovate in #1241
  • feat: TIME variables support by @geoolekom in #1223
  • chore: optimizes time variables. by @jcchavezs in #1242
  • chore(deps): update github/codeql-action digest to babb554 in .github/workflows/codeql-analysis.yml by @renovate in #1244
  • chore(deps): update actions/setup-go digest to 3041bf5 in .github/workflows/tinygo.yml by @renovate in #1245
  • chore: lint go versions. by @jcchavezs in #1246
  • chore(deps): update module golang.org/x/crypto to v0.31.0 [security] by @renovate in #1247
  • chore(deps): update github/codeql-action digest to df409f7 in .github/workflows/codeql-analysis.yml by @renovate in #1248
  • chore(deps): update codecov/codecov-action digest to 1e68e06 in .github/workflows/regression.yml by @renovate in #1254
  • fix(deps): update module golang.org/x/net to v0.33.0 in go.mod by @renovate in #1255
  • chore(deps): update module golang.org/x/net to v0.33.0 [security] by @renovate in #1256
  • chore(deps): update github/codeql-action digest to 48ab28a in .github/workflows/codeql-analysis.yml by @renovate in #1260
  • feat: add base64 encode transformation by @tty2 in #1257
  • fix: add empty glob error when no files match by @gantony in #1259
  • chore: Replace sync.Mutex with sync.Map by @piyushroshan in #1197
  • Revert "chore: Replace sync.Mutex with sync.Map" by @fzipi in #1262

New Contributors

Full Changelog: v3.2.1...v3.3.0

Check out latest releases or
releases around corazawaf/coraza v3.3.0

Don't miss a new coraza release

NewReleases is sending notifications on new releases.

Get notifications