288 lines
8.7 KiB
Perl
288 lines
8.7 KiB
Perl
#!/usr/bin/perl
|
|
|
|
# (C) Andrei Belov
|
|
|
|
# Tests for ModSecurity over the http proxy module (HTTP/2).
|
|
|
|
###############################################################################
|
|
|
|
use warnings;
|
|
use strict;
|
|
|
|
use Test::More;
|
|
|
|
BEGIN { use FindBin; chdir($FindBin::Bin); }
|
|
|
|
use lib 'lib';
|
|
use Test::Nginx;
|
|
use Test::Nginx::HTTP2;
|
|
|
|
###############################################################################
|
|
|
|
select STDERR; $| = 1;
|
|
select STDOUT; $| = 1;
|
|
|
|
my $t = Test::Nginx->new()->has(qw/http http_v2 proxy/)->plan(23);
|
|
|
|
$t->write_file_expand('nginx.conf', <<'EOF');
|
|
|
|
%%TEST_GLOBALS%%
|
|
|
|
daemon off;
|
|
|
|
events {
|
|
}
|
|
|
|
http {
|
|
%%TEST_GLOBALS_HTTP%%
|
|
|
|
server {
|
|
listen 127.0.0.1:8080 http2;
|
|
server_name localhost;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_read_timeout 1s;
|
|
}
|
|
|
|
location /phase1 {
|
|
modsecurity on;
|
|
modsecurity_rules '
|
|
SecRuleEngine On
|
|
SecDefaultAction "phase:1,log,deny,status:403"
|
|
SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block"
|
|
SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block"
|
|
';
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_read_timeout 1s;
|
|
}
|
|
location /phase2 {
|
|
modsecurity on;
|
|
modsecurity_rules '
|
|
SecRuleEngine On
|
|
SecDefaultAction "phase:2,log,deny,status:403"
|
|
SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block"
|
|
SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block"
|
|
';
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_read_timeout 1s;
|
|
}
|
|
location /phase3 {
|
|
modsecurity on;
|
|
modsecurity_rules '
|
|
SecRuleEngine On
|
|
SecDefaultAction "phase:3,log,deny,status:403"
|
|
SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block"
|
|
SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block"
|
|
';
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_read_timeout 1s;
|
|
}
|
|
location /phase4 {
|
|
modsecurity on;
|
|
modsecurity_rules '
|
|
SecRuleEngine On
|
|
SecResponseBodyAccess On
|
|
SecDefaultAction "phase:4,log,deny,status:403"
|
|
SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org"
|
|
SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block"
|
|
SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block"
|
|
';
|
|
proxy_pass http://127.0.0.1:8081;
|
|
proxy_read_timeout 1s;
|
|
}
|
|
}
|
|
}
|
|
|
|
EOF
|
|
|
|
$t->run_daemon(\&http_daemon);
|
|
$t->run()->waitforsocket('127.0.0.1:' . port(8081));
|
|
|
|
###############################################################################
|
|
|
|
my ($phase, $s, $sid, $frames, $frame);
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
like($frame->{data}, qr/SEE-THIS/, "proxy request");
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/multi' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
like($frame->{data}, qr/AND-THIS/, "proxy request with multiple packets");
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/', method => 'HEAD' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
unlike($frame->{data}, qr/SEE-THIS/, "proxy head request");
|
|
|
|
# Redirect (302)
|
|
|
|
for $phase (1 .. 3) {
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => "/phase${phase}?what=redirect302" });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
|
|
is($frame->{headers}->{':status'}, 302, "redirect 302 - phase ${phase}");
|
|
}
|
|
|
|
SKIP: {
|
|
skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/phase4?what=redirect302' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
is($frame, undef, 'redirect 302 - phase 4');
|
|
}
|
|
|
|
# Redirect (301)
|
|
|
|
for $phase (1 .. 3) {
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => "/phase${phase}?what=redirect301" });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
|
|
is($frame->{headers}->{':status'}, 301, "redirect 301 - phase ${phase}");
|
|
}
|
|
|
|
SKIP: {
|
|
skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/phase4?what=redirect301' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
is($frame, undef, 'redirect 301 - phase 4');
|
|
}
|
|
|
|
# Block (401)
|
|
|
|
for $phase (1 .. 3) {
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => "/phase${phase}?what=block401" });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
|
|
is($frame->{headers}->{':status'}, 401, "block 401 - phase ${phase}");
|
|
}
|
|
|
|
SKIP: {
|
|
skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/phase4?what=block401' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
is($frame, undef, 'block 401 - phase 4');
|
|
}
|
|
|
|
|
|
# Block (403)
|
|
|
|
for $phase (1 .. 3) {
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => "/phase${phase}?what=block403" });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
|
|
is($frame->{headers}->{':status'}, 403, "block 403 - phase ${phase}");
|
|
}
|
|
|
|
SKIP: {
|
|
skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
|
|
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => '/phase4?what=block403' });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
is($frame, undef, 'block 403 - phase 4');
|
|
}
|
|
|
|
# Nothing to detect
|
|
#like(http_get('/phase1?what=nothing'), qr/phase1\?what=nothing\' not found/, 'nothing phase 1');
|
|
#like(http_get('/phase2?what=nothing'), qr/phase2\?what=nothing\' not found/, 'nothing phase 2');
|
|
#like(http_get('/phase3?what=nothing'), qr/phase3\?what=nothing\' not found/, 'nothing phase 3');
|
|
#like(http_get('/phase4?what=nothing'), qr/phase4\?what=nothing\' not found/, 'nothing phase 4');
|
|
|
|
for $phase (1 .. 4) {
|
|
$s = Test::Nginx::HTTP2->new();
|
|
$sid = $s->new_stream({ path => "/phase${phase}?what=nothing" });
|
|
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
|
|
($frame) = grep { $_->{type} eq "DATA" } @$frames;
|
|
like($frame->{data}, qr/phase${phase}\?what=nothing\' not found/, "nothing phase ${phase}");
|
|
}
|
|
|
|
###############################################################################
|
|
|
|
sub http_daemon {
|
|
my $server = IO::Socket::INET->new(
|
|
Proto => 'tcp',
|
|
LocalHost => '127.0.0.1:' . port(8081),
|
|
Listen => 5,
|
|
Reuse => 1
|
|
)
|
|
or die "Can't create listening socket: $!\n";
|
|
|
|
local $SIG{PIPE} = 'IGNORE';
|
|
|
|
while (my $client = $server->accept()) {
|
|
$client->autoflush(1);
|
|
|
|
my $headers = '';
|
|
my $uri = '';
|
|
|
|
while (<$client>) {
|
|
$headers .= $_;
|
|
last if (/^\x0d?\x0a?$/);
|
|
}
|
|
|
|
$uri = $1 if $headers =~ /^\S+\s+([^ ]+)\s+HTTP/i;
|
|
|
|
if ($uri eq '/') {
|
|
print $client <<'EOF';
|
|
HTTP/1.1 200 OK
|
|
Connection: close
|
|
|
|
EOF
|
|
print $client "TEST-OK-IF-YOU-SEE-THIS"
|
|
unless $headers =~ /^HEAD/i;
|
|
|
|
} elsif ($uri eq '/multi') {
|
|
|
|
print $client <<"EOF";
|
|
HTTP/1.1 200 OK
|
|
Connection: close
|
|
|
|
TEST-OK-IF-YOU-SEE-THIS
|
|
EOF
|
|
|
|
select undef, undef, undef, 0.1;
|
|
print $client 'AND-THIS';
|
|
|
|
} else {
|
|
|
|
print $client <<"EOF";
|
|
HTTP/1.1 404 Not Found
|
|
Connection: close
|
|
|
|
Oops, '$uri' not found
|
|
EOF
|
|
}
|
|
|
|
close $client;
|
|
}
|
|
}
|
|
|
|
###############################################################################
|