v3.3.0

Another year, another version 🎉 !

Version 3.3.0 comes with some nice new features, extended compatibility with ModSecurity SecLang, and some quick performance improvements.

The minimum required Go version is 1.22.

New features:

• The coraza.rule.no_regex_multiline build tag has been added. It disables enabling by default regexes multiline modifiers in @rx operator. It aligns with CRS expected behavior, reduces false positives and might improve performances. Mind that it is planned to become the default behavior starting from the next major version. Check details and review available build tags here.
• Added support to OCSF (v1.2.0) audit log format by @durg78. Reference: #1089
• Improved compatibility with Windows by @jabdr. Reference: #1132 & #1133 & #1136 & #1137 & #1138
• Added MULTIPART_STRICT_ERROR variable. It is set when mutipart fails to parse by @fzipi, @M4tteoP. Reference: #1098 & #1166
• Added SecRuleUpdateActionById directive support by @fzipi. Reference: #1071
• Added TIME variables support by @geoolekom and @jcchavezs for the sake of compatibility with modsec and existing rulesets e.g. Imunify360. Some use cases are described in #1223 (comment). Reference: #1223 & #1242
• Allow square brackets in variables during macro expansion by @geoolekom as a query parameter can be a slice and hence its name contains square brackets. Reference: #1226
• Added base64 encode transformation by @tty2 as it wasn't supported. Reference: #1257

Fixes:

• Fixed incorrect parsing of regex in SecRule with multiple ARGS specifiers by @geekeryy. Reference: #1087
• Fixed default deny action status code to 403 by @M4tteoP. Reference: #1097
• Fixed setvar action to allow values to start with - or + by @soujanyanmbri. Reference: #1125
• Fixed macro parsing to handle additional border cases by @fzipi. Reference: #1180
• Fixed default redirect action status code by @fzipi. Reference: #1183
• Improved noisy warn level debug logging when the body limit action is ProcessPartial. Reference: #1187
• Added empty glob error when no files match by @gantony as we don't want to accidentally miss rules to be loaded because an incorrect glob. Reference: #1259
• Go version was pinned to 1.22.0 as coraza is a library and we should not target patch versions. Reference: #1246

Performance improvements

• Improvements on GetField by reducing heap allocations by @M4tteoP. Reference: #1195
• Improvements on transformArg by reducing heap allocations by @M4tteoP. Reference: #1198
• Improvements on collections by reducing heap allocations by @soujanyanmbri. Reference: #1202

What's Changed

• fix: variable parsing error by @geekeryy in #1087
• fix: deny action with default status 403 by @M4tteoP in #1097
• chore(goversion): upgrade minimum version to 1.21 by @jptosso in #1099
• feat: set MULTIPART_STRICT_ERROR value when mutipart fails to parse by @fzipi in #1098
• chore: finalizes go 1.21 bump, point to local version for crs tests, minor docs by @M4tteoP in #1102
• chore: config renovate to update up to our supported go version by @fzipi in #1105
• fix: broken renovatebot config by @fzipi in #1107
• chore(deps): pin dependencies by @renovate in #1108
• chore(deps): update github/codeql-action digest to 5cf07d8 by @renovate in #1113
• chore(README): removes mention to EOL of Modsec by @M4tteoP in #1115
• chore(deps): update github/codeql-action digest to afb54ba by @renovate in #1114
• chore(deps): update github/codeql-action digest to eb055d7 by @renovate in #1126
• fix(deps): update module golang.org/x/net to v0.28.0 by @renovate in #1127
• chore(deps): update github/codeql-action digest to 29d86d2 by @renovate in #1129
• chore(deps): update github/codeql-action digest to 429e197 by @renovate in #1130
• fix(deps): update module golang.org/x/sync to v0.8.0 by @renovate in #1124
• fix: broken TestInspectFile on windows by @jabdr in #1133
• fix: broken multipart processor on windows by @jabdr in #1137
• fix: broken TestDirectives SecUploadDir on windows by @jabdr in #1132
• fix: broken TestConcurrentWriterSuccess on windows by @jabdr in #1138
• chore(goversion): upgrade minimum version to 1.22 by @M4tteoP in #1145
• chore: update tinygo to 0.33.0 by @fzipi in #1148
• fix(deps): update module github.com/tidwall/gjson to v1.17.3 by @renovate in #1116
• feat: ocsf audit logging by @durg78 in #1089
• fix: update auditlog test names by @jcchavezs in #1152
• fix: broken TestHardcodedIncludeDirectiveDDOS2 on windows by @jabdr in #1136
• updates tests to CRS 4.5, albedo by @M4tteoP in #1122
• fix(deps): update github.com/coreruleset/go-ftw digest to 8474a93 by @renovate in #1155
• fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.15.0 by @renovate in #1142
• chore: ports interceptor correction by @M4tteoP in #1123
• Bug Fix: The value in the setvar should be able to start with - or +. by @soujanyanmbri in #1125
• fix(deps): update module github.com/coreruleset/albedo to v0.0.16 by @renovate in #1158
• tests: unknown key. by @jcchavezs in #1156
• chore(deps): update codecov/codecov-action digest to b9fd7d1 by @renovate in #1160
• fix(deps): update module github.com/tidwall/gjson to v1.18.0 by @renovate in #1161
• refactor: replace reflect.StringHeader with unsafe.StringData by @Juneezee in #1162
• chore(deps): update github/codeql-action digest to 2c779ab by @renovate in #1131
• fix(deps): update module golang.org/x/net to v0.30.0 by @renovate in #1165
• chore(deps): update github/codeql-action digest to 6db8d63 by @renovate in #1164
• fix: MULTIPART_STRICT_ERROR, updates CRS tests to v4.6.0 by @M4tteoP in #1166
• docs: SecAuditLogDir, removes mention of SecAuditLogStorageDir by @M4tteoP in #1167
• fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.2 by @renovate in #1172
• fix: actions comment by @fzipi in #1173
• chore(deps): update actions/setup-go digest to 41dfa10 by @renovate in #1179
• fix: apply mage format by @fzipi in #1181
• fix: handle additional broken macro definitions by @fzipi in #1180
• fix: redirect action status codes by @fzipi in #1183
• feat: add SecRuleUpdateActionById directive by @fzipi in #1071
• chore(deps): update github/codeql-action digest to 6624720 by @renovate in #1169
• fix(deps): update module github.com/bmatcuk/doublestar/v4 to v4.7.1 by @renovate in #1171
• chore(deps): update actions/checkout digest to 11bd719 by @renovate in #1168
• nits: SecRuleUpdateActionById doc by @M4tteoP in #1185
• chore: update renovate config to use common by @fzipi in #1184
• fix(deps): update module github.com/coreruleset/go-ftw to v1.1.0 in testing/coreruleset/go.mod by @renovate in #1188
• chore(deps): update actions/cache action to v4 in .github/workflows/tinygo.yml by @renovate in #1189
• Revert "fix(deps): update module github.com/coreruleset/go-ftw to v1.1.0 in testing/coreruleset/go.mod" by @fzipi in #1190
• fix: toolchain version in go.mod by @fzipi in #1192
• chore: refactor process body related logs and doc by @M4tteoP in #1187
• fix(deps): update module github.com/coreruleset/go-ftw to v1.1.1 in testing/coreruleset/go.mod by @renovate in #1191
• perf: GetField reduce allocations by @M4tteoP in #1195
• docs: nits and avoids mentioning not existing resources by @M4tteoP in #1203
• fix(deps): update module golang.org/x/s...

Coraza 3.2.1

This is a quick patch release to fix a potential data race that was noticed right after v3.2.0 (Thanks @MarcWort for reporting it!) and a minor fix about logging.

What's Changed

• fix: race condition on StrID by @M4tteoP in #1084
• fix: makes max size log message CRS correlation rule friendly by @M4tteoP in #1085

Full Changelog: v3.2.0...v3.2.1

Version 3.2.0

Coraza v3.2.0 comes with:

• Support for SecRuleUpdateTargetByTag, Base64DecodeExt, extended support for ranges of IDs with SecRuleUpdateTargetByID.
• Support for case-sensitive matching for ARGS keys. It currently comes under the coraza.rule.case_sensitive_args_keys. Mind that, in compliance with RFC 3986 specification, it is planned to become the default behavior starting from the next major version.
• Support for auditlog formatters for tinygo builds.
• Various bug fixes, among other things, around log generation and Coraza middleware.
• Performance implements and reduced memory allocation mostly thanks to @noboruma.
• Updated CRS support to the latest CRS v4.3.0 version.

What's Changed

• fix(deps): update module github.com/tidwall/gjson to v1.17.1 by @renovate in #1004
• fix(deps): update module golang.org/x/net to v0.22.0 by @renovate in #1011
• feat: expose expected directives for e2e test by @fionera in #1012
• avoid executing costly With if noop logger by @noboruma in #1015
• tests: covers eq operator. by @jcchavezs in #1002
• fix: RegisterWriter/RegisterFormatter case insensitive by @M4tteoP in #1026
• feat: Implements SecRuleUpdateTargetByTag, extends ByID with ranges by @M4tteoP in #1020
• tests: covers zero case in eq operator. by @jcchavezs in #1029
• feat: registers RegisterFormatters for tinygo by @M4tteoP in #1027
• fix(deps): update module golang.org/x/net to v0.23.0 by @renovate in #1033
• Fix: audit logs RelevantOnly match if interruption happens by @M4tteoP in #1025
• tests: adds logs for unexpected status code. by @jcchavezs in #1037
• fix(deps): update module golang.org/x/net to v0.24.0 by @renovate in #1035
• cache Rule ID string version by @noboruma in #1039
• chore: adds fs access check at startup time by @M4tteoP in #1030
• Add support for Base64DecodeExt by @soujanyanmbri in #1046
• fix: FuzzB64Decode regexp match for fuzzing by @fzipi in #1054
• chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 in /testing/coreruleset in the go_modules group across 1 directory by @dependabot in #1043
• fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.13.4 by @renovate in #1001
• fix(deps): update module github.com/petar-dambovaliev/aho-corasick to v0.0.0-20240411101913-e07a1f0e8eb4 by @renovate in #1057
• feat: add new maps with case sensitive keys by @fzipi in #1055
• fix: http parameter pollution test cases by @fzipi in #1058
• fix(deps): update module golang.org/x/sync to v0.7.0 by @renovate in #1034
• fix(deps): update module golang.org/x/net to v0.25.0 by @renovate in #1060
• fix: RemoveTargetById Args in multiphase mode by @M4tteoP in #1061
• fix: headers leaked during interruptions at phase 3/4 by @M4tteoP in #1062
• chore: deletes content temporary file on close. by @jcchavezs in #924
• chore: upgrades to CRS 4.1. by @jcchavezs in #1032
• chore: updates CRS tests to CRS4.2 by @M4tteoP in #1066
• fix(deps): update module github.com/mccutchen/go-httpbin/v2 to v2.14.0 by @renovate in #1067
• feat: add support for case sensitive args by @fzipi in #1059
• fix: logs multiple vars matched by same rule by @M4tteoP in #1074
• fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.0 by @renovate in #1076
• fix(deps): update module github.com/corazawaf/libinjection-go to v0.2.1 by @renovate in #1079
• fix(deps): update module golang.org/x/net to v0.26.0 by @renovate in #1075
• fix: setters of INBOUND_DATA_ERROR and OUTBOUND_DATA_ERROR by @M4tteoP in #1078
• fix(deps): update module github.com/rs/zerolog to v1.33.0 by @renovate in #1073
• chore: updates CRS tests to CRS4.3 by @M4tteoP in #1081

New Contributors (thanks a lot!)

• @fionera made their first contribution in #1012
• @noboruma made their first contribution in #1015
• @soujanyanmbri made their first contribution in #1046

Full Changelog: v3.1.0...v3.2.0

Version 3.1.0

This is a new minor version release with emphasis in improving the overall logging experience, fixes for interoperability of the http middleware with other middlewares, better defaults, various fixes and a few new features like the uppercase transformation, the raw body processor (both thanks to @blotus) and a way to pass a context into a transaction to be later retrieved the error log callback.

What's Changed

• chore: improve GetField logic by @jptosso in #897
• chore: setvar minor fix, tests, added warning when missing variable, deprecates usage of tx.LogData by @M4tteoP in #892
• chore: fixes audit log. by @jcchavezs in #889
• fix http.Flusher and io.ReaderFrom implementation by @romainmenke in #923
• fix: stack overflow in ReadFrom by @romainmenke in #925
• fix: Disables implicit Cookies url decoding by @M4tteoP in #928
• feat: add uppercase transformation by @blotus in #935
• fix: parse multiple cookies with spaces by @fzipi in #943
• fix: more forgiving base64 transformation [custom implementation] by @M4tteoP in #944
• fix: filling variables struct to complete audit info by @CArellanoOrbik in #968
• feat: adds context to transaction. by @jcchavezs in #963
• feat: improves logging. by @jcchavezs in #971
• feat: add raw body processor by @blotus in #983
• chore: updates CRS tests to CRS 4.0.0-rc2 by @M4tteoP in #899
• fix(seclang): merge chained raw rules by @jptosso in #985
• fix: BodyLimit related documented default values, default RequestBodyLimitAction, adds some tests by @M4tteoP in #895
• chore: Go 1.20 as minimum supported version by @jcchavezs in #996
• chore: upgrades go-ftw to 0.6.4. by @jcchavezs in #998

New Contributors (thanks a lot!)

• @testwill made their first contribution in #894
• @renovate made their first contribution in #903
• @romainmenke made their first contribution in #923
• @blotus made their first contribution in #935
• @CArellanoOrbik made their first contribution in #968

Full Changelog: v3.0.4...v3.1.0

Version 3.0.4

What's Changed

• chore(deps): bump golang.org/x/sync from 0.1.0 to 0.3.0 by @dependabot in #862
• chore: upgrades coraza to latest aho-corasick. by @jcchavezs in #867
• fix: Logs print different messages for each the disruptive actions by @M4tteoP in #827
• chore(deps): bump github.com/tidwall/gjson from 1.14.4 to 1.17.0 by @dependabot in #878

Full Changelog: v3.0.3...v3.0.4

Version 3.0.3

What's Changed

• chore(readme): explicits CRS supported version by @M4tteoP in #834
• chore: adds go mod tidy and go work sync for all modules. by @jcchavezs in #835
• adds more verbosity on go mod tidy errors by @jcchavezs in #837
• add https audit log support by @jptosso in #826
• chore: fixes e2e pkg. by @jcchavezs in #841
• chore: updates e2e standalone command by @M4tteoP in #845
• Adds Log() to MatchedRule, fixes audit log without log by @M4tteoP in #848
• chore(e2e): check response body read error only if a body is expected by @M4tteoP in #852
• chore: drops benchmark CI. by @jcchavezs in #857
• implement https mime by @jptosso in #850
• chore: adds memoize implementation for regexes and ahocorasick by @jcchavezs in #836

Full Changelog: v3.0.2...v3.0.3

Version 3.0.2

What's Changed

• fix: blocks body buffer reader once the body buffer has been reset. by @jcchavezs in #825
• fix: benchmark and propagate the status to not to swallow the failure by @jcchavezs in #808

Full Changelog: v3.0.1...v3.0.2

v3.0.1

Important

This tag fixes a high-severity vulnerability. See GHSA-c2pj-v37r-2p6h

Full Changelog: v3.0.0...v3.0.1

v3.0.0

What's Changed

Coraza's latest v3.0.0 release brings a highly refactored engine that offers more flexibility and major improvements.

Notable changes include:

• Performance improvement: Performance has been improved by up to 100 times due to several key enhancements such as:
  • New debug logs system based on Zerolog for a fast and with low to zero allocations.
  • Cache transformation logic across the same transaction.
  • Optimized variable collection types.
• Refactored API: Coraza now relies on a more straightforward and user-friendly API.
• New Plugin Package: The new package simplifies the extension of Coraza's functionalities.
• Full CRS v4 Support: Coraza fully supports the CRS v4 branch, always making CRS compatibility of top priority. The CI now includes a CRS testing suite to guarantee a regression-free development.
• Cross-platform support: Both Go and TinyGo for WASM builds are now supported.
• New experimental Multiphase feature: Introducing a new way for early data evaluation and blocking.
• Dataset support: designed for in-config .data files emulation.

Contributors

Many thanks to all the contributors and users that made this release possible:

• @anuraaga
• @Bxlxx
• @codefromthecrypt
• @fzipi
• @Hayak3
• @jcchavezs
• @jptosso
• @M4tteoP
• @manojgop
• @nacx
• @ns-sundar
• @piyushroshan
• @ShiMing-Q
• @sts
• @y05h1k1ng
• @zc2638

v3.0.0-rc.3

What's Changed

• registers pmFromDataset, fixes Dataset propagation, adds tests by @M4tteoP in #777
• docs: update README and SECURITY by @fzipi in #780
• Validate audit log parts by @Hayak3 in #779
• Remove intermediate string allocation when writing match details log by @anuraaga in #781
• fix: aligns multimatch to modsec behavior by @M4tteoP in #778
• chore: increases rule.go test coverage by @M4tteoP in #786
• remove wrong loop in matchData by @Hayak3 in #785
• hotfix: fixes rule_test after merge by @M4tteoP in #788
• chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 by @dependabot in #791
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 by @dependabot in #789
• feat(ci): stale only awaiting for feedback's issue by @M4tteoP in #793
• Multiphase: chains further support, ARGS split, CRS like tests by @M4tteoP in #719
• feat: adds auditlog plugins API by @jcchavezs in #787
• fix/feat: Macro expansions, error logs redundancy, support msg/logdata in inner rules by @M4tteoP in #792
• remove alpha disclosure from README by @jptosso in #796
• breaking: removes code parameter from ErrorLog and AuditLog by @M4tteoP in #800

New Contributors

• @Hayak3 made their first contribution in #779

Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3