
Releases: corazawaf/coraza

Coraza 3.2.1

23 Jun 14:18
v3.2.1
aaf4413

This is a quick patch release that fixes a potential data race noticed right after v3.2.0 (thanks @MarcWort for reporting it!) and a minor logging issue.

What's Changed

  • fix: race condition on StrID by @M4tteoP in #1084
  • fix: makes max size log message CRS correlation rule friendly by @M4tteoP in #1085

Full Changelog: v3.2.0...v3.2.1

Version 3.2.0

20 Jun 21:34
v3.2.0
7c91e8c

Coraza v3.2.0 comes with:

  • Support for SecRuleUpdateTargetByTag and Base64DecodeExt, and extended support for ID ranges in SecRuleUpdateTargetByID.
  • Support for case-sensitive matching of ARGS keys. It is currently opt-in under coraza.rule.case_sensitive_args_keys. Note that, in line with RFC 3986, it is planned to become the default behavior starting from the next major version.
  • Support for audit log formatters in TinyGo builds.
  • Various bug fixes, notably around log generation and the Coraza middleware.
  • Performance improvements and reduced memory allocations, mostly thanks to @noboruma.
  • CRS support updated to the latest version, CRS v4.3.0.

What's Changed

  • fix(deps): update module github.com/tidwall/gjson to v1.17.1 by @renovate in #1004
  • fix(deps): update module golang.org/x/net to v0.22.0 by @renovate in #1011
  • feat: expose expected directives for e2e test by @fionera in #1012
  • avoid executing costly With if noop logger by @noboruma in #1015
  • tests: covers eq operator. by @jcchavezs in #1002
  • fix: RegisterWriter/RegisterFormatter case insensitive by @M4tteoP in #1026
  • feat: Implements SecRuleUpdateTargetByTag, extends ByID with ranges by @M4tteoP in #1020
  • tests: covers zero case in eq operator. by @jcchavezs in #1029
  • feat: registers RegisterFormatters for tinygo by @M4tteoP in #1027
  • fix(deps): update module golang.org/x/net to v0.23.0 by @renovate in #1033
  • Fix: audit logs RelevantOnly match if interruption happens by @M4tteoP in #1025
  • tests: adds logs for unexpected status code. by @jcchavezs in #1037
  • fix(deps): update module golang.org/x/net to v0.24.0 by @renovate in #1035
  • cache Rule ID string version by @noboruma in #1039
  • chore: adds fs access check at startup time by @M4tteoP in #1030
  • Add support for Base64DecodeExt by @soujanyanmbri in #1046
  • fix: FuzzB64Decode regexp match for fuzzing by @fzipi in #1054
  • chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 in /testing/coreruleset in the go_modules group across 1 directory by @dependabot in #1043
  • fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.13.4 by @renovate in #1001
  • fix(deps): update module github.com/petar-dambovaliev/aho-corasick to v0.0.0-20240411101913-e07a1f0e8eb4 by @renovate in #1057
  • feat: add new maps with case sensitive keys by @fzipi in #1055
  • fix: http parameter pollution test cases by @fzipi in #1058
  • fix(deps): update module golang.org/x/sync to v0.7.0 by @renovate in #1034
  • fix(deps): update module golang.org/x/net to v0.25.0 by @renovate in #1060
  • fix: RemoveTargetById Args in multiphase mode by @M4tteoP in #1061
  • fix: headers leaked during interruptions at phase 3/4 by @M4tteoP in #1062
  • chore: deletes content temporary file on close. by @jcchavezs in #924
  • chore: upgrades to CRS 4.1. by @jcchavezs in #1032
  • chore: updates CRS tests to CRS4.2 by @M4tteoP in #1066
  • fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.14.0 by @renovate in #1067
  • feat: add support for case sensitive args by @fzipi in #1059
  • fix: logs multiple vars matched by same rule by @M4tteoP in #1074
  • fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.0 by @renovate in #1076
  • fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.1 by @renovate in #1079
  • fix(deps): update module golang.org/x/net to v0.26.0 by @renovate in #1075
  • fix: setters of INBOUND_DATA_ERROR and OUTBOUND_DATA_ERROR by @M4tteoP in #1078
  • fix(deps): update module github.com/rs/zerolog to v1.33.0 by @renovate in #1073
  • chore: updates CRS tests to CRS4.3 by @M4tteoP in #1081

New Contributors (thanks a lot!)

Full Changelog: v3.1.0...v3.2.0

Version 3.1.0

09 Feb 13:24
bb55b68

This is a new minor version release with an emphasis on improving the overall logging experience. It also brings fixes for the interoperability of the http middleware with other middlewares, better defaults, various fixes, and a few new features such as the uppercase transformation, the raw body processor (both thanks to @blotus), and a way to pass a context into a transaction so it can later be retrieved in the error log callback.

What's Changed

  • chore: improve GetField logic by @jptosso in #897
  • chore: setvar minor fix, tests, added warning when missing variable, deprecates usage of tx.LogData by @M4tteoP in #892
  • chore: fixes audit log. by @jcchavezs in #889
  • fix http.Flusher and io.ReaderFrom implementation by @romainmenke in #923
  • fix: stack overflow in ReadFrom by @romainmenke in #925
  • fix: Disables implicit Cookies url decoding by @M4tteoP in #928
  • feat: add uppercase transformation by @blotus in #935
  • fix: parse multiple cookies with spaces by @fzipi in #943
  • fix: more forgiving base64 transformation [custom implementation] by @M4tteoP in #944
  • fix: filling variables struct to complete audit info by @CArellanoOrbik in #968
  • feat: adds context to transaction. by @jcchavezs in #963
  • feat: improves logging. by @jcchavezs in #971
  • feat: add raw body processor by @blotus in #983
  • chore: updates CRS tests to CRS 4.0.0-rc2 by @M4tteoP in #899
  • fix(seclang): merge chained raw rules by @jptosso in #985
  • fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests by @M4tteoP in #895
  • chore: Go 1.20 as minimum supported version by @jcchavezs in #996
  • chore: upgrades go-ftw to 0.6.4. by @jcchavezs in #998

New Contributors (thanks a lot!)

Full Changelog: v3.0.4...v3.1.0

Version 3.0.4

26 Sep 10:17
2468382

What's Changed

  • chore(deps): bump golang.org/x/sync from 0.1.0 to 0.3.0 by @dependabot in #862
  • chore: upgrades coraza to latest aho-corasick. by @jcchavezs in #867
  • fix: Logs print different messages for each of the disruptive actions by @M4tteoP in #827
  • chore(deps): bump github.com/tidwall/gjson from 1.14.4 to 1.17.0 by @dependabot in #878

Full Changelog: v3.0.3...v3.0.4

Version 3.0.3

06 Aug 07:51
4f30afe

What's Changed

Full Changelog: v3.0.2...v3.0.3

Version 3.0.2

27 Jun 08:29
0700bb0

What's Changed

  • fix: blocks body buffer reader once the body buffer has been reset. by @jcchavezs in #825
  • fix: benchmark and propagate the status to not swallow the failure by @jcchavezs in #808

Full Changelog: v3.0.1...v3.0.2

v3.0.1

25 Jun 16:19
a5239ba

Important

This tag fixes a high-severity vulnerability. See GHSA-c2pj-v37r-2p6h.

Full Changelog: v3.0.0...v3.0.1

v3.0.0

31 May 12:01
ad50864

What's Changed

Coraza's v3.0.0 release brings a heavily refactored engine that offers more flexibility and major improvements.

Notable changes include:

  • Performance improvement: Performance has been improved by up to 100 times thanks to several key enhancements, such as:
    • A new debug log system based on Zerolog, fast and with low to zero allocations.
    • Caching of transformation results within the same transaction.
    • Optimized variable collection types.
  • Refactored API: Coraza now relies on a more straightforward and user-friendly API.
  • New Plugin Package: The new package simplifies extending Coraza's functionality.
  • Full CRS v4 Support: Coraza fully supports the CRS v4 branch, keeping CRS compatibility a top priority. The CI now includes a CRS test suite to guard against regressions.
  • Cross-platform support: Both Go and TinyGo (for WASM builds) are now supported.
  • New experimental Multiphase feature: Introduces a new way to evaluate and block on data early, before the whole phase has been received.
  • Dataset support: Emulates .data files inside the configuration.

Contributors

Many thanks to all the contributors and users that made this release possible:

v3.0.0-rc.3

27 May 04:54
721d1de
Pre-release

What's Changed

  • registers pmFromDataset, fixes Dataset propagation, adds tests by @M4tteoP in #777
  • docs: update README and SECURITY by @fzipi in #780
  • Validate audit log parts by @Hayak3 in #779
  • Remove intermediate string allocation when writing match details log by @anuraaga in #781
  • fix: aligns multimatch to modsec behavior by @M4tteoP in #778
  • chore: increases rule.go test coverage by @M4tteoP in #786
  • remove wrong loop in matchData by @Hayak3 in #785
  • hotfix: fixes rule_test after merge by @M4tteoP in #788
  • chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 by @dependabot in #791
  • chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 by @dependabot in #789
  • feat(ci): stale only awaiting for feedback's issue by @M4tteoP in #793
  • Multiphase: chains further support, ARGS split, CRS like tests by @M4tteoP in #719
  • feat: adds auditlog plugins API by @jcchavezs in #787
  • fix/feat: Macro expansions, error logs redundancy, support msg/logdata in inner rules by @M4tteoP in #792
  • remove alpha disclosure from README by @jptosso in #796
  • breaking: removes code parameter from ErrorLog and AuditLog by @M4tteoP in #800

New Contributors

Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

v3.0.0-rc.2

17 Apr 17:17
6f11f53
Pre-release

What's Changed

  • Use bitset for inferred phases by @anuraaga in #727
  • Document test failures due to regex matching arbitrary bytes by @anuraaga in #730
  • Enable multiline mode for rx by @anuraaga in #732
  • Use binaryregexp for rx operator by @anuraaga in #731
  • Add rx test case confirming case-insensitive rules will work by @anuraaga in #733
  • fix(ci): remove sonarcloud by @fzipi in #738
  • fix(bodyprocessors): fix forcerequestbodyvariable overriding processor by @jptosso in #740
  • fix(bodyprocessors): force response body overrides mime requirements by @jptosso in #741
  • chore: create plugins package. by @jcchavezs in #734
  • chore: drops unused methods in TransactionState by @jcchavezs in #739
  • chore: describes currently excluded CRS rules by @M4tteoP in #744
  • fix: fixes fuzz target. by @jcchavezs in #745
  • Update tool versions by @anuraaga in #710
  • fix(action): Add many validations for setvar by @jptosso in #747
  • fix: adds full support for ruleRemoveById. by @jcchavezs in #749
  • Small simplification to macro readability by @anuraaga in #751
  • Remove Single.Set from API for now by @anuraaga in #750
  • chore: updates tests to latest CRS, updates go-ftw by @M4tteoP in #752
  • transform expireVar to noop by @jptosso in #755
  • Move remaining plugin-related logic to experimental by @anuraaga in #753
  • Small simplification to cmd_line code by @anuraaga in #761
  • Use standard library for base64 decode by @anuraaga in #758
  • Small simplification to css_decode by @anuraaga in #762
  • Delegate to normalisePath from normalisePathWin by @anuraaga in #763
  • Append into output buffer for removecommentschar by @anuraaga in #764
  • chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 by @dependabot in #766
  • fix: synthesizes Transfer-Encoding header inside the transaction by @M4tteoP in #768
  • Include key size in ARGS_COMBINED_SIZE by @anuraaga in #756

Full Changelog: v3.0.0-rc.1...v3.0.0-rc.2