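### Tests all of the actions in each phase
#
# Each entry is one regression case: `conf` holds the ModSecurity directives
# under test, `request` is the request object for the case, and `match_log` /
# `match_response` hold the patterns the run is expected to satisfy.
# NOTE(review): the second element of each `error => [ qr/.../, 1 ]` pair is
# consumed by the test runner, which is not shown here -- presumably a
# wait/timeout value; confirm against the runner.

# Pass
#
# `pass` is followed by an unconditional `deny` in the same phase.  The
# expected 403 shows that `pass` does not end rule processing: the later
# `deny` still takes effect, while the log pattern checks that the `pass`
# rule itself was recorded as a warning.
# NOTE(review): the `.` after "Warning" in the log patterns is unescaped, so
# it matches any character and is slightly looser than the literal message.
{
        type => "action",
        comment => "pass in phase:1",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:1,pass"
                SecAction "phase:1,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "pass in phase:2",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:2,pass"
                SecAction "phase:2,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "pass in phase:3",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:3,pass"
                SecAction "phase:3,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "pass in phase:4",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:4,pass"
                SecAction "phase:4,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Warning. Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
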
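# Allow
#
# `allow` is followed by an unconditional `deny` in the same phase.  The
# expected 200 together with the "Access allowed (phase N)" log line shows
# that the `deny` placed after the `allow` is not applied.  For rule authors
# this is the point to remember: an `allow` that matches ahead of blocking
# rules bypasses them, so rule order and the match conditions on `allow`
# matter.  These cases only cover a `deny` in the same phase as the `allow`.
{
        type => "action",
        comment => "allow in phase:1",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:1,allow"
                SecAction "phase:1,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access allowed \(phase 1\). Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "allow in phase:2",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:2,allow"
                SecAction "phase:2,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access allowed \(phase 2\). Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "allow in phase:3",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:3,allow"
                SecAction "phase:3,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access allowed \(phase 3\). Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "allow in phase:4",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:4,allow"
                SecAction "phase:4,deny"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access allowed \(phase 4\). Unconditional match in SecAction/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
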
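# Deny
#
# A lone unconditional `deny` in each phase.  Each case expects a 403
# response and an "Access denied with code 403 (phase N)" entry in the error
# log, so both the client-visible result and the log record are checked.
# NOTE(review): the `.` characters in the log patterns are unescaped and
# match any character; the patterns are slightly looser than the literal text.
{
        type => "action",
        comment => "deny in phase:1",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:1,deny"
        ),
        match_log => {
                error => [ qr/Access denied with code 403 \(phase 1\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "deny in phase:2",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:2,deny"
        ),
        match_log => {
                error => [ qr/Access denied with code 403 \(phase 2\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "deny in phase:3",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:3,deny"
        ),
        match_log => {
                error => [ qr/Access denied with code 403 \(phase 3\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "deny in phase:4",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:4,deny"
        ),
        match_log => {
                error => [ qr/Access denied with code 403 \(phase 4\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^403$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
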
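# Drop
#
# A lone unconditional `drop` in each phase.  The error log is expected to
# record "Access denied with connection close (phase N)".
# NOTE(review): the expected status is 500 although nothing in `conf` sets a
# status code -- presumably the HTTP client used by the runner reports the
# closed connection as a client-generated 500; confirm against the runner.
# If so, the log pattern is the assertion that actually identifies a drop,
# since the 500 alone would not distinguish it from a server error.
{
        type => "action",
        comment => "drop in phase:1",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:1,drop"
        ),
        match_log => {
                error => [ qr/Access denied with connection close \(phase 1\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "drop in phase:2",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecAction "phase:2,drop"
        ),
        match_log => {
                error => [ qr/Access denied with connection close \(phase 2\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "drop in phase:3",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:3,drop"
        ),
        match_log => {
                error => [ qr/Access denied with connection close \(phase 3\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
{
        type => "action",
        comment => "drop in phase:4",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecAction "phase:4,drop"
        ),
        match_log => {
                error => [ qr/Access denied with connection close \(phase 4\). Unconditional match in SecAction./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
        ),
},
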
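# Redirect
#
# The rule matches only a request URI equal to /test2.txt and redirects to
# /test.txt on the same server name and port the request was sent to.  The
# error log pattern checks for "redirection to ... using status 302".
# NOTE(review): the response assertions (200, body "TEST") describe the
# redirect target rather than the 302 itself -- presumably the HTTP client
# follows the redirect; confirm against the runner.  The log pattern is
# therefore the assertion that ties the result to the ModSecurity redirect.
{
        type => "action",
        comment => "redirect in phase:1 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 1\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "redirect in phase:2 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 2\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "redirect in phase:3 (get)",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 3\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "redirect in phase:4 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,redirect:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with redirection to .* using status 302 \(phase 4\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
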
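# Proxy
#
# The rule matches only a request URI equal to /test2.txt and proxies to
# /test.txt on the same server name and port the request was sent to.
#
# Phases 1 and 2 expect the proxied content back (200, body "TEST") and an
# "Access denied using proxy to (phase N)" log entry.
#
# Phases 3 and 4 expect the opposite outcome: the log reports "Configuration
# Error: Proxy action requested but it does not work in output phases" and
# the response is a 500.  A `proxy` action placed in an output phase thus
# ends in a denied request with an error status rather than in the original
# response being served, which is the behaviour these two cases pin down.
{
        type => "action",
        comment => "proxy in phase:1 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:1,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied using proxy to \(phase 1\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        # Direct method call instead of indirect object syntax (`new Class`),
        # which is parsed ambiguously and is disabled under `use v5.36`.
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "proxy in phase:2 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:2,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied using proxy to \(phase 2\)/, 1 ],
        },
        match_response => {
                status => qr/^200$/,
                content => qr/^TEST$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "proxy in phase:3 (get)",
        # The phase 3 and 4 cases additionally enable the debug log at level 4.
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:3,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with code 500 \(phase 3\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},
{
        type => "action",
        comment => "proxy in phase:4 (get)",
        conf => qq(
                SecRuleEngine On
                SecRequestBodyAccess On
                SecResponseBodyAccess On
                SecResponseBodyMimeType null
                SecDebugLog "$ENV{DEBUG_LOG}"
                SecDebugLogLevel 4
                SecRule REQUEST_URI "\@streq /test2.txt" "phase:4,proxy:'http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt'"
        ),
        match_log => {
                error => [ qr/ModSecurity: Access denied with code 500 \(phase 4\) \(Configuration Error: Proxy action requested but it does not work in output phases\)./, 1 ],
        },
        match_response => {
                status => qr/^500$/,
        },
        request => HTTP::Request->new(
                GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test2.txt",
        ),
},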