Merge branch 'dev' into staging

bunkerity · Jul 24, 2024 · 24e7609 · 24e7609
2 parents eddab39 + 86cfd7d
commit 24e7609
Show file tree

Hide file tree

Showing 66 changed files with 863 additions and 796 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,12 +35,12 @@ jobs:
           python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
           echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           setup-python-dependencies: false
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+        uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -63,22 +63,22 @@ jobs:
           SSH_IP: ${{ secrets.ARM_SSH_IP }}
           SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
       - name: Setup Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
         if: inputs.CACHE_SUFFIX != 'arm'
       - name: Setup Buildx (ARM)
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
         if: inputs.CACHE_SUFFIX == 'arm'
         with:
           endpoint: ssh://root@arm
           platforms: linux/arm64,linux/arm/v7,linux/arm/v6
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
         if: inputs.PUSH == true
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -92,7 +92,7 @@ jobs:
       # Build cached image
       - name: Build image
         if: inputs.CACHE == true
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -105,7 +105,7 @@ jobs:
       # Build non-cached image
       - name: Build image
         if: inputs.CACHE != true
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}

diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
@@ -151,12 +151,12 @@ jobs:
       packages: write
     steps:
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml
@@ -72,29 +72,29 @@ jobs:
           SSH_IP: ${{ secrets.ARM_SSH_IP }}
           SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
       - name: Setup Buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
         if: startsWith(env.ARCH, 'arm') == false
       - name: Setup Buildx (ARM)
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
         if: startsWith(env.ARCH, 'arm') == true
         with:
           endpoint: ssh://root@arm
           platforms: linux/arm64,linux/arm/v7,linux/arm/v6
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       # Build testing package image
       - name: Build package image
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           load: true
@@ -106,7 +106,7 @@ jobs:
       # Build non-testing package image
       - name: Build package image
         if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev'
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           load: true
@@ -142,7 +142,7 @@ jobs:
           images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
       - name: Build test image
         if: inputs.TEST == true
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           file: tests/linux/Dockerfile-${{ inputs.LINUX }}

diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
@@ -35,12 +35,12 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -58,7 +58,7 @@ jobs:
           SSH_IP: ${{ secrets.ARM_SSH_IP }}
           SSH_CONFIG: ${{ secrets.ARM_SSH_CONFIG }}
       - name: Setup Buildx (ARM)
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
         with:
           endpoint: ssh://root@arm
           platforms: linux/arm64,linux/arm/v7,linux/arm/v6
@@ -70,7 +70,7 @@ jobs:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build and push
       - name: Build and push
-        uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}

diff --git a/.github/workflows/push-github.yml b/.github/workflows/push-github.yml
@@ -51,7 +51,7 @@ jobs:
       # Create release
       - name: Create release
         if: inputs.VERSION != 'testing'
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           body: |
             Documentation : https://docs.bunkerweb.io/${{ inputs.VERSION }}/
@@ -75,7 +75,7 @@ jobs:
       # Create release
       - name: Create release
         if: inputs.VERSION == 'testing'
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           body: |
             **The testing version of BunkerWeb should not be used in production, please use the latest stable version instead.**

diff --git a/.github/workflows/push-packagecloud.yml b/.github/workflows/push-packagecloud.yml
@@ -42,7 +42,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install ruby
-        uses: ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0
+        uses: ruby/setup-ruby@50ba3386b050ad5b97a41fcb81240cbee1d1821f # v1.188.0
         with:
           ruby-version: "3.0"
       - name: Install packagecloud

diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -25,6 +25,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload SARIF results to code scanning"
-        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+        uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/staging-tests.yml b/.github/workflows/staging-tests.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
@@ -199,12 +199,12 @@ jobs:
       packages: write
     steps:
       - name: Login to Docker Hub
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/test-core-linux.yml b/.github/workflows/test-core-linux.yml
@@ -49,7 +49,7 @@ jobs:
             sudo chmod +x /usr/local/bin/geckodriver
             rm -f geckodriver.tar.gz
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/test-core.yml b/.github/workflows/test-core.yml
@@ -18,7 +18,7 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/tests-ui-linux.yml b/.github/workflows/tests-ui-linux.yml
@@ -49,7 +49,7 @@ jobs:
             sudo chmod +x /usr/local/bin/geckodriver
             rm -f geckodriver.tar.gz
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/tests-ui.yml b/.github/workflows/tests-ui.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login to ghcr
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.26.1-alpine-slim@sha256:ce01dacf330fdcbc3c93926291ab027396e7e9680a4180318b06e86525d1aa9f AS builder
+FROM nginx:1.26.1-alpine-slim@sha256:6bbbdaddc6cfe8ca4185019f554f73ac37a5b270bdd49fae5b3b482f903ef46f AS builder
 
 # Install temporary requirements for the dependencies
 RUN apk add --no-cache bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev yajl yajl-dev yajl-tools py3-pip
@@ -42,7 +42,7 @@ COPY src/common/utils utils
 COPY src/VERSION VERSION
 COPY misc/*.ascii misc/
 
-FROM nginx:1.26.1-alpine-slim@sha256:ce01dacf330fdcbc3c93926291ab027396e7e9680a4180318b06e86525d1aa9f
+FROM nginx:1.26.1-alpine-slim@sha256:6bbbdaddc6cfe8ca4185019f554f73ac37a5b270bdd49fae5b3b482f903ef46f
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027

diff --git a/src/bw/lua/bunkerweb/helpers.lua b/src/bw/lua/bunkerweb/helpers.lua
@@ -263,18 +263,21 @@ function helpers.load_variables(all_variables, plugins)
 		end
 	end
 	for setting, data in pairs(all_settings) do
+		local escaped_setting = setting:gsub("([^%w])", "%%%1")
 		if all_variables[setting] then
 			variables["global"][setting] = all_variables[setting]
 		end
 		if data.multiple then
 			for variable, value in pairs(all_variables) do
-				local multiple_setting = variable:match("^(" .. setting .. "_%d+)$")
+				local multiple_setting = variable:match("^(" .. escaped_setting .. "_%d+)$")
 				if multiple_setting then
 					variables["global"][multiple_setting] = value
 				end
 				if multisite then
 					for _, server_name in ipairs(server_names) do
-						multiple_setting = variable:match("^" .. server_name .. "_(" .. setting .. "_%d+)$")
+						local escaped_server_name = server_name:gsub("([^%w])", "%%%1")
+						multiple_setting =
+							variable:match("^" .. escaped_server_name .. "_(" .. escaped_setting .. "_%d+)$")
 						if multiple_setting then
 							variables[server_name][multiple_setting] = value
 						end

diff --git a/src/common/confs/default-server-http.conf b/src/common/confs/default-server-http.conf
@@ -74,7 +74,7 @@ server {
 						.. nonce_script
 						.. "'; style-src 'nonce-"
 						.. nonce_style
-						.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+						.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 				-- Remove server header
 				ngx.header["Server"] = nil
@@ -84,6 +84,12 @@ server {
 					ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 				end
 
+				-- Override X-Content-Type-Options header
+				ngx.header["X-Content-Type-Options"] = "nosniff"
+
+				-- Override Referrer-Policy header
+				ngx.header["Referrer-Policy"] = "no-referrer"
+
 				-- Render template
 				render("index.html", {
 					nonce_style = nonce_style,

diff --git a/src/common/core/antibot/antibot.lua b/src/common/core/antibot/antibot.lua
@@ -90,6 +90,7 @@ function antibot:header()
 	for directive, value in pairs(csp_directives) do
 		csp_content = csp_content .. directive .. " " .. value .. "; "
 	end
+	csp_content = csp_content .. "block-all-mixed-content; upgrade-insecure-requests;"
 	ngx.header["Content-Security-Policy"] = csp_content
 	return self:ret(true, "successfully overridden CSP header")
 end

diff --git a/src/common/core/errors/errors.lua b/src/common/core/errors/errors.lua
@@ -96,7 +96,7 @@ function errors:render_template(code)
 		.. "'; style-src 'nonce-"
 		.. nonce_style
 		--luacheck: ignore 631
-		.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+		.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 	-- Remove server header
 	ngx.header["Server"] = nil
@@ -114,6 +114,12 @@ function errors:render_template(code)
 		ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 	end
 
+	-- Override X-Content-Type-Options header
+	ngx.header["X-Content-Type-Options"] = "nosniff"
+
+	-- Override Referrer-Policy header
+	ngx.header["Referrer-Policy"] = "no-referrer"
+
 	-- Render template
 	render("error.html", {
 		title = code .. " - " .. self.default_errors[code].title,

diff --git a/src/common/core/misc/confs/default-server-http/page.conf b/src/common/core/misc/confs/default-server-http/page.conf
@@ -22,7 +22,7 @@ location / {
 			-- Override CSP header
 			ngx.header["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
 				.. nonce_style
-				.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
+				.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script'; block-all-mixed-content; upgrade-insecure-requests;"
 
 			-- Remove server header
 			ngx.header["Server"] = nil
@@ -32,6 +32,12 @@ location / {
 				ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
 			end
 
+			-- Override X-Content-Type-Options header
+			ngx.header["X-Content-Type-Options"] = "nosniff"
+
+			-- Override Referrer-Policy header
+			ngx.header["Referrer-Policy"] = "no-referrer"
+
 			-- Render template
 			render("default.html", {
 				nonce_style = nonce_style,

diff --git a/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Help and support
-    url:  https://security.stackexchange.com/questions/tagged/owasp-crs
+    url: https://security.stackexchange.com/questions/tagged/owasp-crs
     about: For help and support please go here.
   - name: OWASP Core Rule Set mailing list
-    url:  https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+    url: https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
     about: Ask general usage questions and participate in discussions on the CRS.