crowdsecurity · blotus · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
diff --git a/.github/workflows/test_appsec_rules.yaml b/.github/workflows/test_appsec_rules.yaml
@@ -25,7 +25,7 @@ concurrency:
 
 jobs:
   run-appsec-rules-tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest 
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
@@ -36,6 +36,8 @@ jobs:
       run: |
         sudo apt install libre2-dev
         go install -v github.com/projectdiscovery/nuclei/v3/cmd/[email protected]
+        # yes it's ugly, no I don't care
+        cp $HOME/go/bin/nuclei /usr/local/bin/
     - name: Install CrowdSec
       run: |
         git clone https://github.com/crowdsecurity/crowdsec.git
@@ -51,7 +53,7 @@ jobs:
         docker compose -f docker/appsec/docker-compose.yaml up -d --build
     - name: run tests on last crowdsec tag
       run: |
-        cscli hubtest run --all --appsec --debug --target http://127.0.0.1:7822
+        sudo cscli hubtest run --all --appsec --debug --target http://127.0.0.1:7822
         echo "APPSEC_RULE_COV=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2)" >> $GITHUB_ENV
         APPSEC_RULE_COV_NUMBER=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2 | tr -d '%' | tr -d '[[:space:]]')
         echo "APPSEC_RULE_BADGE_COLOR=$(if [ "$APPSEC_RULE_COV_NUMBER" -lt "70" ]; then echo 'red'; else echo 'green'; fi)" >> $GITHUB_ENV

diff --git a/.github/workflows/waf-check.yaml b/.github/workflows/waf-check.yaml
@@ -27,7 +27,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4

diff --git a/.index.json b/.index.json
@@ -2476,14 +2476,18 @@
   },
   "crowdsecurity/vpatch-CVE-2024-38816": {
    "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-38816.yaml",
-   "version": "0.1",
+   "version": "0.2",
    "versions": {
     "0.1": {
      "digest": "3f0f9436351950cb8c7072ed57f50100ecfd7c4a5fe78951af09c43e52470570",
      "deprecated": false
+    },
+    "0.2": {
+     "digest": "0035d104987f03709616bf5e64c8ec2516be6e5b3e97aaffde78cea7d1ce85b9",
+     "deprecated": false
     }
    },
-   "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODE2CmRlc2NyaXB0aW9uOiAiU3ByaW5nIC0gUGF0aCBUcmF2ZXJzYWwgKENWRS0yMDI0LTM4ODE2KSIKcnVsZXM6CiAgLSBhbmQ6CiAgICAtIHpvbmVzOgogICAgICAtIE1FVEhPRAogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogUE9TVAogICAgLSB6b25lczoKICAgICAgLSBVUkkKICAgICAgdHJhbnNmb3JtOgogICAgICAtIGxvd2VyY2FzZQogICAgICAtIHVybGRlY29kZQogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBjb250YWlucwogICAgICAgIHZhbHVlOiAiL3N0YXRpYy9saW5rLy4uLyIKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiU3ByaW5nIC0gUGF0aCBUcmF2ZXJzYWwiCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDI0LTM4ODE2CiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS0yMg==",
+   "content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODE2CmRlc2NyaXB0aW9uOiAiU3ByaW5nIC0gUGF0aCBUcmF2ZXJzYWwgKENWRS0yMDI0LTM4ODE2KSIKcnVsZXM6CiAgLSBhbmQ6CiAgICAtIHpvbmVzOgogICAgICAtIE1FVEhPRAogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICB2YWx1ZTogR0VUCiAgICAtIHpvbmVzOgogICAgICAtIFVSSQogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIC0gdXJsZGVjb2RlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGNvbnRhaW5zCiAgICAgICAgdmFsdWU6ICIvc3RhdGljL2xpbmsvLi4vIgpsYWJlbHM6CiAgdHlwZTogZXhwbG9pdAogIHNlcnZpY2U6IGh0dHAKICBjb25maWRlbmNlOiAzCiAgc3Bvb2ZhYmxlOiAwCiAgYmVoYXZpb3I6ICJodHRwOmV4cGxvaXQiCiAgbGFiZWw6ICJTcHJpbmcgLSBQYXRoIFRyYXZlcnNhbCIKICBjbGFzc2lmaWNhdGlvbjoKICAgLSBjdmUuQ1ZFLTIwMjQtMzg4MTYKICAgLSBhdHRhY2suVDE1OTUKICAgLSBhdHRhY2suVDExOTAKICAgLSBjd2UuQ1dFLTIy",
    "description": "Spring - Path Traversal (CVE-2024-38816)",
    "author": "crowdsecurity",
    "labels": {

diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-38816.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-38816.yaml
@@ -7,7 +7,7 @@ rules:
       - METHOD
       match:
         type: equals
-        value: POST
+        value: GET
     - zones:
       - URI
       transform:

diff --git a/waf-check/main.go b/waf-check/main.go
@@ -60,7 +60,7 @@ func main() {
 	fmt.Printf("%v to process '%s' dataset\n", timeElapsed.Round(time.Second), config.DatasetFolder)
 
 	if err := GetResult(manager.resultsChan, config.OutputFolder); err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 
 	fmt.Printf("everything went well!\n")

diff --git a/waf-check/request.go b/waf-check/request.go
@@ -27,28 +27,20 @@ func NewHTTPRequest(baseURL string, request *Request) (http.Request, error) {
 	var req *http.Request
 	var err error
 
-	parsedBaseURL, err := url.Parse(baseURL)
-	if err != nil {
-		return *req, fmt.Errorf("error parsing base URL: %w", err)
-	}
-
 	request.URL = fmt.Sprintf("/%s", strings.TrimLeft(request.URL, "/"))
-
-	parsedURI, err := url.Parse(request.URL)
+	request.FullURL, err = url.JoinPath(baseURL, request.URL)
 	if err != nil {
-		return *req, fmt.Errorf("error parsing URI: %w", err)
+		return http.Request{}, fmt.Errorf("error joining URL: %w", err)
 	}
 
-	request.FullURL = parsedBaseURL.ResolveReference(parsedURI).String()
-
 	if request.Method == "POST" || request.Method == "PUT" {
 		req, err = http.NewRequest(request.Method, request.FullURL, bytes.NewBufferString(request.Data))
 	} else {
 		req, err = http.NewRequest(request.Method, request.FullURL, nil)
 	}
 
 	if err != nil {
-		return *req, err
+		return http.Request{}, err
 	}
 
 	for key, value := range request.Headers {