Skip to content

Commit c577c68

Browse files
defanatorvictorhora
defanator
authored and
victorhora
committed
Extend request body tests with ARGS_POST case
See the following issues for details: owasp-modsecurity/ModSecurity#1531 owasp-modsecurity/ModSecurity#1886
1 parent 4b50399 commit c577c68

File tree

1 file changed

+24
-1
lines changed

1 file changed

+24
-1
lines changed

tests/modsecurity-request-body.t

Lines changed: 24 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,7 @@ http {
5656
SecRuleEngine On
5757
SecRequestBodyAccess Off
5858
SecRule REQUEST_BODY "@rx BAD BODY" "id:21,phase:request,deny,log,status:403"
59+
SecRule ARGS_POST|ARGS_POST_NAMES "@rx BAD ARG" "id:22,phase:request,deny,log,status:403"
5960
';
6061
proxy_pass http://127.0.0.1:8081;
6162
}
@@ -88,14 +89,15 @@ EOF
8889
$t->run_daemon(\&http_daemon);
8990
$t->run()->waitforsocket('127.0.0.1:' . port(8081));
9091

91-
$t->plan(28);
92+
$t->plan(32);
9293

9394
###############################################################################
9495

9596
foreach my $method (('GET', 'POST', 'PUT', 'DELETE')) {
9697
like(http_req_body($method, '/bodyaccess', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access on, pass");
9798
like(http_req_body($method, '/bodyaccess', 'VERY BAD BODY'), qr/403 Forbidden/, "$method request body access on, block");
9899
like(http_req_body($method, '/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off, pass");
100+
like(http_req_body_postargs($method, '/nobodyaccess', 'BAD ARG'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off (ARGS_POST), pass");
99101
like(http_req_body($method, '/bodylimitreject', 'BODY' x 32), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit reject, pass");
100102
like(http_req_body($method, '/bodylimitreject', 'BODY' x 33), qr/403 Forbidden/, "$method request body limit reject, block");
101103
like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 32 . 'BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit process partial, pass");
@@ -159,4 +161,25 @@ sub http_req_body {
159161
);
160162
}
161163

164+
sub http_req_body_postargs {
165+
my $method = shift;
166+
my $uri = shift;
167+
my $last = pop;
168+
return http( join '', (map {
169+
my $body = $_;
170+
"$method $uri HTTP/1.1" . CRLF
171+
. "Host: localhost" . CRLF
172+
. "Content-Type: application/x-www-form-urlencoded" . CRLF
173+
. "Content-Length: " . (length "test=" . $body) . CRLF . CRLF
174+
. "test=" . $body
175+
} @_),
176+
"$method $uri HTTP/1.1" . CRLF
177+
. "Host: localhost" . CRLF
178+
. "Connection: close" . CRLF
179+
. "Content-Type: application/x-www-form-urlencoded" . CRLF
180+
. "Content-Length: " . (length "test=" . $last) . CRLF . CRLF
181+
. "test=" . $last
182+
);
183+
}
184+
162185
###############################################################################

0 commit comments

Comments
 (0)