// Copyright 2023 Juan Pablo Tosso and the OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0
// These benchmarks don't currently compile with TinyGo
//go:build !tinygo
// +build !tinygo
package e2e_test
import (
_ "embed"
"net/http"
"net/http/httptest"
"testing"
"github.com/mccutchen/go-httpbin/v2/httpbin"
"github.com/corazawaf/coraza/v3"
txhttp "github.com/corazawaf/coraza/v3/http"
"github.com/corazawaf/coraza/v3/http/e2e"
)
// TestE2e runs the shared Coraza end-to-end suite against an in-process
// httpbin backend wrapped by a WAF built from the directives below.
//
// Only "/" is routed through the WAF; "/status/200" is served by httpbin
// directly, so that path (labelled a health check in the original) is
// never subject to the rules. Rule 100 denies with 424 any request that
// lacks the coraza-e2e header, which — per the directive comment — is how
// the suite confirms this directive set, not a default one, is in effect.
func TestE2e(t *testing.T) {
	customE2eDirectives := `
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType application/json
# Custom rule for Coraza config check (ensuring that these configs are used)
SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
# Custom rules for e2e testing
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny"
SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny"
SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny"
# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny"
SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny"
SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny"
`

	// A failure here means the directives did not parse, not that a
	// request was blocked.
	waf, err := coraza.NewWAF(coraza.NewWAFConfig().WithDirectives(customE2eDirectives))
	if err != nil {
		t.Fatal(err)
	}

	backend := httpbin.New()
	router := http.NewServeMux()
	router.Handle("/status/200", backend) // Health check, deliberately not behind the WAF
	router.Handle("/", txhttp.WrapHandler(waf, backend))

	// One in-process server serves as both the proxied entrypoint and the
	// httpbin entrypoint, so the suite is handed the same URL for each.
	srv := httptest.NewServer(router)
	defer srv.Close()

	cfg := e2e.Config{
		NulledBody:        false,
		ProxiedEntrypoint: srv.URL,
		HttpbinEntrypoint: srv.URL,
	}
	if err := e2e.Run(cfg); err != nil {
		t.Fatalf("e2e tests failed: %v", err)
	}
}