From 111a4a7e117059c78bb4e22632a94a042f22bfdf Mon Sep 17 00:00:00 2001 From: florian Date: Mon, 15 Jul 2024 12:21:51 +0200 Subject: [PATCH] update default value of CROWDSEC_APPSEC_URL, update BW tags to 1.5.9 and add automatic tests for CS appsec --- .github/workflows/tests.yml | 3 ++ .tests/crowdsec.sh | 50 ++++++++++++++++++++---------- .tests/crowdsec/appsec.yaml | 5 +++ .tests/crowdsec/docker-compose.yml | 4 ++- clamav/README.md | 4 +-- crowdsec/README.md | 2 +- crowdsec/plugin.json | 2 +- discord/README.md | 4 +-- slack/README.md | 4 +-- virustotal/README.md | 4 +-- webhook/README.md | 4 +-- 11 files changed, 57 insertions(+), 29 deletions(-) create mode 100644 .tests/crowdsec/appsec.yaml diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 95963fc..7c82153 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -47,6 +47,9 @@ jobs: - name: Run CrowdSec stream tests run: ./.tests/crowdsec.sh stream + + - name: Run CrowdSec appsec tests + run: ./.tests/crowdsec.sh appsec - name: Run VirusTotal tests run: ./.tests/virustotal.sh diff --git a/.tests/crowdsec.sh b/.tests/crowdsec.sh index 3993578..7bca007 100755 --- a/.tests/crowdsec.sh +++ b/.tests/crowdsec.sh 
@@ -19,7 +19,13 @@ do_and_check_cmd cp .tests/crowdsec/docker-compose.yml /tmp/bunkerweb-plugins/cr # Edit compose do_and_check_cmd sed -i "s@bunkerity/bunkerweb:.*\$@bunkerweb:tests@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml do_and_check_cmd sed -i "s@bunkerity/bunkerweb-scheduler:.*\$@bunkerweb-scheduler:tests@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml -do_and_check_cmd sed -i "s@CROWDSEC_MODE=.*\$@CROWDSEC_MODE=$1@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml +if [ $1 == "appsec" ] ; then + do_and_check_cmd sed -i "s@CROWDSEC_MODE=.*\$@CROWDSEC_MODE=live@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml + do_and_check_cmd sed -i "s@CROWDSEC_APPSEC_URL=.*\$@CROWDSEC_APPSEC_URL=http://crowdsec:7422@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml +else + do_and_check_cmd sed -i "s@CROWDSEC_MODE=.*\$@CROWDSEC_MODE=$1@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml + +fi # Copy configs do_and_check_cmd cp .tests/crowdsec/acquis.yaml /tmp/bunkerweb-plugins/crowdsec 
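Review bot: The new `if [ $1 == "appsec" ] ; then` leaves `$1` unquoted, so invoking the script with no mode argument (or an argument containing whitespace) produces a `[: ==: unary operator expected` error instead of falling into the `else` branch; the rest of this script already quotes it (`[ "$1" == "stream" ]`). Change it to `if [ "$1" == "appsec" ] ; then`. Note that the `==` form inside `[ ]` is a bash extension, which is fine only if the shebang (outside this hunk) is bash. The empty line left between the `else` branch and `fi` is cosmetic and could be dropped.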
@@ -58,23 +64,35 @@ if [ "$success" == "ko" ] ; then exit 1 fi -# Run basic attack with dirb -echo "ℹ️ Executing dirb ..." -do_and_check_cmd sudo apt install -y dirb -dirb http://localhost -H "Host: www.example.com" -H "User-Agent: LegitOne" -f > /dev/null 2>&1 -# Wait if are in stream mode -if [ "$1" == "stream" ] ; then - sleep 20 -fi +if [ "$1" != "appsec" ] ; then + # Run basic attack with dirb + echo "ℹ️ Executing dirb ..." + do_and_check_cmd sudo apt install -y dirb + dirb http://localhost -H "Host: www.example.com" -H "User-Agent: LegitOne" -f > /dev/null 2>&1 -# Expect a 403 -echo "ℹ️ Checking CS ..." -success="ko" -ret="$(curl -s -o /dev/null -w "%{http_code}" -H "Host: www.example.com" http://localhost)" -# shellcheck disable=SC2181 -if [ $? -eq 0 ] && [ "$ret" -eq 403 ] ; then - success="ok" + # Wait if are in stream mode + if [ "$1" == "stream" ] ; then + sleep 20 + fi + + # Expect a 403 + echo "ℹ️ Checking CS ..." + success="ko" + ret="$(curl -s -o /dev/null -w "%{http_code}" -H "Host: www.example.com" http://localhost)" + # shellcheck disable=SC2181 + if [ $? -eq 0 ] && [ "$ret" -eq 403 ] ; then + success="ok" + fi +else + # Send an obvious pattern + echo "ℹ️ Sending malicious pattern" + success="ko" + ret="$(curl -s -o /dev/null -w "%{http_code}" -H "Host: www.example.com" http://localhost/?id=/etc/passwd)" + # shellcheck disable=SC2181 + if [ $? -eq 0 ] && [ "$ret" -eq 403 ] ; then + success="ok" + fi fi # We're done diff --git a/.tests/crowdsec/appsec.yaml b/.tests/crowdsec/appsec.yaml new file mode 100644 index 0000000..f26db7d --- /dev/null +++ b/.tests/crowdsec/appsec.yaml @@ -0,0 +1,5 @@ +appsec_config: crowdsecurity/appsec-default +labels: + type: appsec +listen_addr: 127.0.0.1:7422 +source: appsec \ No newline at end of file diff --git a/.tests/crowdsec/docker-compose.yml b/.tests/crowdsec/docker-compose.yml index 9835ab9..e6a925c 100644 --- a/.tests/crowdsec/docker-compose.yml +++ b/.tests/crowdsec/docker-compose.yml 
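Review bot: The appsec branch accepts any 403 as proof that the AppSec component blocked `/?id=/etc/passwd`, and it has no positive control, so a deny coming from some other part of BunkerWeb would pass the test while an unreachable AppSec component (which, per the documented `passthrough` default for `CROWDSEC_APPSEC_FAILURE_ACTION`, yields a 200) fails it with no diagnostic. Before sending the malicious pattern, assert that a benign request is accepted, e.g. `ret="$(curl -s -o /dev/null -w "%{http_code}" -H "Host: www.example.com" http://localhost/)"` followed by `if [ "$ret" -ne 200 ] ; then echo "❌ benign request not accepted ($ret)" ; exit 1 ; fi`, and on the final failure path print the crowdsec container logs so a refused AppSec connection is visible in CI output. As a minor point, quote the URL (`"http://localhost/?id=/etc/passwd"`): inside the command substitution the `?` is subject to pathname expansion. The surrounding function/script continues outside this hunk.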
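Review bot: `listen_addr: 127.0.0.1:7422` binds the AppSec listener to loopback inside the crowdsec container, while the test points BunkerWeb at `http://crowdsec:7422` from a different container on the compose network; unless the two containers share a network namespace (not visible in this patch), that connection is refused, and with the `passthrough` failure action the malicious request is let through and the new appsec test fails. Use `listen_addr: 0.0.0.0:7422` for this fixture, and consider a comment noting that in a real deployment the port should only be reachable from the remediation component, since the AppSec API is unauthenticated beyond network reachability here. The file also lacks a trailing newline (`\ No newline at end of file`).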
@@ -15,6 +15,7 @@ services: - CROWDSEC_API=http://crowdsec:8080 - CROWDSEC_API_KEY=s3cr3tb0unc3rk3y - CROWDSEC_MODE= + - CROWDSEC_APPSEC_URL= - LOG_LEVEL=info - USE_MODSECURITY=no - USE_BLACKLIST=no @@ -61,10 +62,11 @@ services: volumes: - cs-data:/var/lib/crowdsec/data - ./acquis.yaml:/etc/crowdsec/acquis.yaml + - ./appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml - bw-logs:/var/log:ro environment: - BOUNCER_KEY_bunkerweb=s3cr3tb0unc3rk3y - - COLLECTIONS=crowdsecurity/nginx + - COLLECTIONS=crowdsecurity/nginx crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/appsec-crs - DISABLE_PARSERS=crowdsecurity/whitelists networks: - bw-universe diff --git a/clamav/README.md b/clamav/README.md index 08f4757..6f194a4 100644 --- a/clamav/README.md +++ b/clamav/README.md @@ -34,7 +34,7 @@ version: '3' services: bunkerweb: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_CLAMAV=yes @@ -59,7 +59,7 @@ version: '3' services: mybunker: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_CLAMAV=yes diff --git a/crowdsec/README.md b/crowdsec/README.md index e34c182..206cebb 100644 --- a/crowdsec/README.md +++ b/crowdsec/README.md 
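Review bot: The new bind mount `./appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml` is read-write, unlike the `bw-logs:/var/log:ro` mount right below it; a configuration file injected from the host into the crowdsec container has no reason to be writable, so append `:ro` (`- ./appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml:ro`), and the pre-existing `acquis.yaml` mount could get the same treatment for consistency. Because this mount and the appsec entries added to `COLLECTIONS` are unconditional, the AppSec listener and its rule collections are now active in the live and stream test runs as well, which is harmless but worth a one-line comment above the mount so nobody assumes it is appsec-mode only. The empty `CROWDSEC_APPSEC_URL=` in the first hunk matches the new plugin default and is what the non-appsec test modes rely on.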
@@ -273,7 +273,7 @@ metadata: | `CROWDSEC_EXCLUDE_LOCATION` | | global | no | The locations to exclude while bouncing. It is a list of location, separated by commas. | | `CROWDSEC_CACHE_EXPIRATION` | `1` | global | no | The cache expiration, in second, for IPs that the bouncer store in cache in live mode. | | `CROWDSEC_UPDATE_FREQUENCY` | `10` | global | no | The frequency of update, in second, to pull new/old IPs from the CrowdSec local API. | -| `CROWDSEC_APPSEC_URL` | `http://crowdsec:7422` | global | no | URL of the Application Security Component. | +| `CROWDSEC_APPSEC_URL` | | global | no | URL of the Application Security Component. | | `CROWDSEC_APPSEC_FAILURE_ACTION` | `passthrough` | global | no | Behavior when the AppSec Component return a 500. Can let the request passthrough or deny it. | | `CROWDSEC_APPSEC_CONNECT_TIMEOUT` | `100` | global | no | The timeout in milliseconds of the connection between the remediation component and AppSec Component. | | `CROWDSEC_APPSEC_SEND_TIMEOUT` | `100` | global | no | The timeout in milliseconds to send data from the remediation component to the AppSec Component. | diff --git a/crowdsec/plugin.json b/crowdsec/plugin.json index c691cba..e4d413f 100644 --- a/crowdsec/plugin.json +++ b/crowdsec/plugin.json @@ -80,7 +80,7 @@ }, "CROWDSEC_APPSEC_URL": { "context": "global", - "default": "http://crowdsec:7422", + "default": "", "help": "URL of the Application Security Component.", "id": "crowdsec-appsec-url", "label": "AppSec URL", diff --git a/discord/README.md b/discord/README.md index 1105fbc..14637fc 100644 --- a/discord/README.md +++ b/discord/README.md @@ -38,7 +38,7 @@ version: '3' services: bunkerweb: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_DISCORD=yes @@ -54,7 +54,7 @@ version: '3.5' services: mybunker: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_DISCORD=yes 
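Review bot: With the default of `CROWDSEC_APPSEC_URL` now empty, the `help` string in plugin.json ("URL of the Application Security Component.") and the README row no longer say what an empty value means, which is the first thing an operator upgrading from the old `http://crowdsec:7422` default will ask. Presumably an empty value disables the AppSec integration (the test compose leaves it blank for live/stream modes); if so, make that explicit, e.g. `"help": "URL of the Application Security Component. Leave empty to disable AppSec."`. It is also worth stating in the same help text that when a URL is set and the component is unreachable, the default `CROWDSEC_APPSEC_FAILURE_ACTION=passthrough` fails open, so a mistyped URL looks like a working deployment rather than an error.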
diff --git a/slack/README.md b/slack/README.md index 70a2c68..8dfe60e 100644 --- a/slack/README.md +++ b/slack/README.md @@ -38,7 +38,7 @@ version: '3' services: bunkerweb: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_SLACK=yes @@ -54,7 +54,7 @@ version: '3.5' services: mybunker: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_SLACK=yes diff --git a/virustotal/README.md b/virustotal/README.md index 18528d8..ea3a7e1 100644 --- a/virustotal/README.md +++ b/virustotal/README.md @@ -37,7 +37,7 @@ version: '3' services: bunkerweb: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_VIRUSTOTAL=yes @@ -53,7 +53,7 @@ version: '3' services: mybunker: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_VIRUSTOTAL=yes diff --git a/webhook/README.md b/webhook/README.md index bad49d9..96285a8 100644 --- a/webhook/README.md +++ b/webhook/README.md @@ -36,7 +36,7 @@ version: '3' services: bunkerweb: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 ... environment: - USE_WEBHOOK=yes @@ -52,7 +52,7 @@ version: '3' services: mybunker: - image: bunkerity/bunkerweb:1.5.8 + image: bunkerity/bunkerweb:1.5.9 .. environment: - USE_WEBHOOK=yes