v3.0.0

What's Changed

Coraza's latest v3.0.0 release brings a highly refactored engine that offers more flexibility and major improvements.

Notable changes include:

• Performance improvement: Performance has been improved by up to 100 times due to several key enhancements such as:
  • New debug logs system based on Zerolog for a fast and with low to zero allocations.
  • Cache transformation logic across the same transaction.
  • Optimized variable collection types.
• Refactored API: Coraza now relies on a more straightforward and user-friendly API.
• New Plugin Package: The new package simplifies the extension of Coraza's functionalities.
• Full CRS v4 Support: Coraza fully supports the CRS v4 branch, always making CRS compatibility of top priority. The CI now includes a CRS testing suite to guarantee a regression-free development.
• Cross-platform support: Both Go and TinyGo for WASM builds are now supported.
• New experimental Multiphase feature: Introducing a new way for early data evaluation and blocking.
• Dataset support: designed for in-config .data files emulation.

Contributors

Many thanks to all the contributors and users that made this release possible:

• @anuraaga
• @Bxlxx
• @codefromthecrypt
• @fzipi
• @Hayak3
• @jcchavezs
• @jptosso
• @M4tteoP
• @manojgop
• @nacx
• @ns-sundar
• @piyushroshan
• @ShiMing-Q
• @sts
• @y05h1k1ng
• @zc2638

v3.0.0-rc.3

What's Changed

• registers pmFromDataset, fixes Dataset propagation, adds tests by @M4tteoP in #777
• docs: update README and SECURITY by @fzipi in #780
• Validate audit log parts by @Hayak3 in #779
• Remove intermediate string allocation when writing match details log by @anuraaga in #781
• fix: aligns multimatch to modsec behavior by @M4tteoP in #778
• chore: increases rule.go test coverage by @M4tteoP in #786
• remove wrong loop in matchData by @Hayak3 in #785
• hotfix: fixes rule_test after merge by @M4tteoP in #788
• chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 by @dependabot in #791
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 by @dependabot in #789
• feat(ci): stale only awaiting for feedback's issue by @M4tteoP in #793
• Multiphase: chains further support, ARGS split, CRS like tests by @M4tteoP in #719
• feat: adds auditlog plugins API by @jcchavezs in #787
• fix/feat: Macro expansions, error logs redundancy, support msg/logdata in inner rules by @M4tteoP in #792
• remove alpha disclosure from README by @jptosso in #796
• breaking: removes code parameter from ErrorLog and AuditLog by @M4tteoP in #800

New Contributors

• @Hayak3 made their first contribution in #779

Full Changelog: v3.0.0-rc.2...v3.0.0-rc.3

v3.0.0-rc.2

What's Changed

• Use bitset for inferred phases by @anuraaga in #727
• Document test failures due to regex matching arbitrary bytes by @anuraaga in #730
• Enable multiline mode for rx by @anuraaga in #732
• Use binaryregexp for rx operator by @anuraaga in #731
• Add rx test case confirming case-insensitive rules will work by @anuraaga in #733
• fix(ci): remove sonarcloud by @fzipi in #738
• fix(bodyprocessors): fix forcerequestbodyvariable overriding processor by @jptosso in #740
• fix(bodyprocessors): force response body overrides mime requirements by @jptosso in #741
• chore: create plugins package. by @jcchavezs in #734
• chore: drops unused methods in TransactionState by @jcchavezs in #739
• chore: describes currently excluded CRS excluded rules by @M4tteoP in #744
• fix: fixes fuzz target. by @jcchavezs in #745
• Update tool versions by @anuraaga in #710
• fix(action): Add many validations for setvar by @jptosso in #747
• fix: adds full support for ruleRemoveById. by @jcchavezs in #749
• Small simplification to macro readability by @anuraaga in #751
• Remove Single.Set from API for now by @anuraaga in #750
• chore: updates tests to latest CRS, updates go-ftw by @M4tteoP in #752
• transform expireVar to noop by @jptosso in #755
• Move remaining plugin-related logic to experimental by @anuraaga in #753
• Small simplification to cmd_line code by @anuraaga in #761
• Use standard library for base64 decode by @anuraaga in #758
• Small simpflication to css_decode by @anuraaga in #762
• Delegate to normalisePath from normalisePathWin by @anuraaga in #763
• Append into output buffer for removecommentschar by @anuraaga in #764
• chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 by @dependabot in #766
• fix: synthesizes Transfer-Encoding header inside the transaction by @M4tteoP in #768
• Include key size in ARGS_COMBINED_SIZE by @anuraaga in #756

Full Changelog: v3.0.0-rc.1...v3.0.0-rc.2

Release 3.0.0 RC1

What's Changed

• fix: default actions for phase 2 are now hardcoded #191 by @jptosso in #198
• change the URL protocol(git -> https) by @y05h1k1ng in #214
• fix(actions): Remove branch patterns from action scope by @jptosso in #217
• fix(tx): Force Request Body now works by @jptosso in #219
• fix(@rx): add @rx captured data into Tx variable by @Bxlxx in #215
• Rule matches optimization: Fix for #183 by @piyushroshan in #220
• fix: remove unused code by @Bxlxx in #228
• fix(rx): support non utf-8 format data matching by @Bxlxx in #231
• feat(directive): Implement include directive by @jptosso in #232
• simplified iota definition by @zc2638 in #236
• Fix Include Directive by @piyushroshan in #240
• Enhance github actions for sonarcloud and regression by @jptosso in #248
• update pre-commit, dependencies and fix linters by @jptosso in #250
• fix issue #241 (replaces #242) by @jptosso in #249
• fix: sonar checks on forks. by @jcchavezs in #256
• chore: move all linters to golangci-lint by @jcchavezs in #258
• Updating README & CONTRIBUTING guidelines and adding an initial CHANGELOG by @sts in #255
• Update README.md by @sts in #259
• Fix 209: Case sensitive evaluation by @piyushroshan in #260
• fix(multipart processor): capture original file name without using reflection by @jcchavezs in #229
• fix: fixes RBL leaks. by @jcchavezs in #243
• Remove wasm example file by @jptosso in #261
• Allow passthrough of variable Negations if not present by @piyushroshan in #265
• new variables engine for v3 by @jptosso in #277
• feat(operator): New RESTPATH operator support by @jptosso in #282
• chore: turns http server into an own module. by @jcchavezs in #281
• Turn utils into internal by @jcchavezs in #285
• V3/dev fixes by @jptosso in #288
• Adding support for the redirect action. closes #144 by @sts in #290
• chore: drops Transaction.ProcessRequest into an own package. by @jcchavezs in #296
• V3/dev fixes by @jptosso in #292
• remove tests by @jptosso in #300
• Migrate engine test profiles from yaml to go by @anuraaga in #306
• Move resetCaptures defer out of loop by @anuraaga in #304
• Use struct instead of slice for byte range validation by @anuraaga in #305
• Make sure temp files in tests are removed by using t.TempDir by @anuraaga in #310
• Reduce include recursion limit by @anuraaga in #307
• Fix flaky TestCollectionProxy by @anuraaga in #312
• Don't copy to bytes when validating byte range by @anuraaga in #309
• upgrade go version by @jptosso in #323
• Small optimizations to urlencode by @anuraaga in #320
• Small optimizations to base64decode by @anuraaga in #319
• Use go run instead of install for go-ftw by @anuraaga in #316
• Add more benchmarks by @jptosso in #301
• Separate out bodyprocessor implementations for TinyGo by @anuraaga in #311
• V3/url processor by @jptosso in #326
• V3/core fixes by @jptosso in #327
• feat: adds tinygo support. by @jcchavezs in #254
• Add benchmarks using ModSecurity for comparison by @anuraaga in #329
• Add magefile for running development commands by @anuraaga in #315
• Separate out bodybuffer implementation for tinygo that doesn't access… by @anuraaga in #332
• Run addlicense when formatting by @anuraaga in #333
• Add an interface for DebugLogger to be able to replace the logging me… by @anuraaga in #337
• Change license formatting to mention contributors and use SPDX by @anuraaga in #334
• Add command for installing precommit hook by @anuraaga in #339
• [v3] Bump required go version to 1.18 by @anuraaga in #343
• Remove usages of deprecated ioutil by @anuraaga in #342
• Case sensitive evaluation Fix for v3 by @piyushroshan in #346
• Remove usage of system /tmp from tests. by @anuraaga in #353
• [v3] Optimization for validate_nid operator by @Bxlxx in #348
• Reduce some data copies in modsecurity bridge by @anuraaga in #359
• Run lint before formatting by @anuraaga in #358
• [v3] Use mage commands in CI instead of pre-commit by @anuraaga in #356
• add dataset support by @jptosso in #361
• Implements ipMatchFromDataset, parsing for ipMatchFromFile by @M4tteoP in #363
• chore: reallocate testdata. by @jcchavezs in #364
• chore: loads file inside operator when using FromFile. by @jcchavezs in #366
• chore: improves errors on tinygo. by @jcchavezs in #369
• Remove err return from NewParser by @anuraaga in #375
• chore: improves tx.Clean by @jcchavezs in #370
• chore: improves from file tests. by @jcchavezs in #367
• Use io.Discard instead of /dev/null for discarding output by @anuraaga in #354
• chore: removes unneeded code in operators. by @jcchavezs in #376
• v3: Remove unused mutex in RuleGroup by @nacx in #384
• add pre-alpha notice by @jptosso in #383
• Remove legacy pre-commit config by @anuraaga in #365
• codecov tests by @jptosso in #386
• chore(deps): bump github.com/tidwall/gjson from 1.14.2 to 1.14.3 by @dependabot in #382
• fix coverage by @jptosso in #387
• Rename Waf to WAF by @anuraaga in #390
• clean up unnecessary error judgments by @zc2638 in #389
• [v3] Display contributors in README by @anuraaga in #392
• tests: improves coverage. by @jcchavezs in #385
• chore: organize imports in 3 blocks: stdlib, 3rd party, coraza by @nacx in #394
• Optimize random string generation by @anuraaga in #403
• Document that RandomString is pseudorandom by @anuraaga in #405
• Allow setting a root fs.FS in a parser. by @anuraaga in #393
• fix: improves mage lint user experience. by @jcchavezs in #413
• tests: uses testing.TB interface for helper to avoid nil check. by @jcchavezs in #418
• chore: avoids too many open files error when running CRS. by @jcchavezs in #414
• chore: fixes example by not reusing the transaction. by @jcchavezs in #420
• chore: improves loggers by adding closer. by @jcchavezs in #415
• Update libinjection-go by @anuraaga in #421
• Register native auditlogformatter in TinyGo by @anuraaga in #402
• V3/improves parser performance by @jcchavezs in #412
• Don't write files during multipart processing in TinyGo by @anuraaga in #399
• fix audit filesizes audit bug by @jptosso in https://github.com/coraz...

v2.0.1

Huge performance improvements and a lot of bug fixes.

What's Changed

• fix: default actions for phase 2 are now hardcoded #191 by @jptosso in #198
• change the URL protocol(git -> https) by @y05h1k1ng in #214
• fix(actions): Remove branch patterns from action scope by @jptosso in #217
• fix(tx): Force Request Body now works by @jptosso in #219
• fix(@rx): add @rx captured data into Tx variable by @Bxlxx in #215
• Rule matches optimization: Fix for #183 by @piyushroshan in #220
• fix: remove unused code by @Bxlxx in #228
• fix(rx): support non utf-8 format data matching by @Bxlxx in #231
• feat(directive): Implement include directive by @jptosso in #232
• simplified iota definition by @zc2638 in #236
• Fix Include Directive by @piyushroshan in #240
• Update README.md by @jptosso in #238
• Enhance github actions for sonarcloud and regression by @jptosso in #248
• update pre-commit, dependencies and fix linters by @jptosso in #250
• fix issue #241 (replaces #242) by @jptosso in #249
• fix: sonar checks on forks. by @jcchavezs in #256
• chore: move all linters to golangci-lint by @jcchavezs in #258
• Updating README & CONTRIBUTING guidelines and adding an initial CHANGELOG by @sts in #255
• Update README.md by @sts in #259
• Fix 209: Case sensitive evaluation by @piyushroshan in #260
• fix(multipart processor): capture original file name without using reflection by @jcchavezs in #229
• fix: fixes RBL leaks. by @jcchavezs in #243
• Remove wasm example file by @jptosso in #261
• Allow passthrough of variable Negations if not present by @piyushroshan in #265
• fix(rbl): close the channel in the sub goroutine by @Bxlxx in #280
• chore: improves error handling on rule parsing. by @jcchavezs in #278
• Improve performance by @Bxlxx in #293
• replace aho corasick by @jptosso in #302

New Contributors

• @y05h1k1ng made their first contribution in #214
• @piyushroshan made their first contribution in #220
• @zc2638 made their first contribution in #236

Full Changelog: v2.0.0...v2.0.1

V2 Release

V2 is a major rework of OWASP Coraza.

• Better APIs and linting
• Better plugin support
• Better performance
• Better compatibility
• Better logging

What's Changed

• fix(op): move operator to native utf8.ValidString method by @fzipi in #88
• fix(removewhitespace): move to golang funcs by @fzipi in #92
• fix(removenull): move to golang funcs by @fzipi in #91
• fix(utf8toUnicode): change to golang standard funcs by @fzipi in #90
• fix(lint): fixes golang linter errors by @fzipi in #89
• Add error log support by @jptosso in #93
• Add tx tests by @jptosso in #94
• Bump github.com/antchfx/xmlquery from 1.3.6 to 1.3.7 by @dependabot in #95
• Bump github.com/antchfx/xmlquery from 1.3.7 to 1.3.8 by @dependabot in #96
• Bump github.com/antchfx/jsonquery from 1.1.4 to 1.1.5 by @dependabot in #97
• V2/testing rework by @jptosso in #109
• V2/testing rework by @jptosso in #110
• V2/testing rework by @jptosso in #111
• V2/directive plugins by @jptosso in #120
• V2/fix byteranges by @jptosso in #123
• Rules refactor by @jptosso in #125
• V2/crs tests by @jptosso in #128
• V2/parser rework by @jptosso in #131
• V2/audit rework by @jptosso in #133
• V2/rc1 by @jptosso in #135
• V2/tx syncpool by @jptosso in #136
• build(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 by @dependabot in #139
• fix for auditlog by @ShiMing-Q in #140
• Fix for some config does not work by @ShiMing-Q in #142
• feat: integrate libinjection-go by @jptosso in #149
• V2/master code specification and remove some useless code by @Bxlxx in #157
• V2/rc2 by @jptosso in #158
• fix: chain loop for #159 by @jptosso in #166
• update module name by @Bxlxx in #169
• build(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #155
• fix for #176 by @Bxlxx in #184
• fix MATCHED VARS issues by @jptosso in #189
• fix for #172 by @Bxlxx in #188
• feat(operator): support SecRule "! ^some" as a valid rx negation by @Bxlxx in #197
• fix(test): Update go-ftw action with new org by @jptosso in #201
• README: add owasp status, pre-commit and new org by @jptosso in #202
• fix: support array format for parsing json data in the body processor by @Bxlxx in #205
• feat: use DirectiveOptions instead of waf.Config to share variables across directives by @Bxlxx in #206

New Contributors

• @fzipi
• @ShiMing-Q
• @Bxlxx
• @airween

Full Changelog: v1.2.0...v2.0.0

V2 release candidate 3

What's Changed

• fix: chain loop for #159 by @jptosso in #166
• update module name by @Bxlxx in #169
• build(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 by @dependabot in #155
• fix for #176 by @Bxlxx in #184
• fix MATCHED VARS issues by @jptosso in #189
• fix for #172 by @Bxlxx in #188
• feat(operator): support SecRule "! ^some" as a valid rx negation by @Bxlxx in #197

Full Changelog: v2.0.0-rc.2...v2.0.0-rc.3

V2 release candidate 2

What's Changed

• Minor low level API changes
• Many performance improvements
• syncpool fix
• A lot of aesthetic improvements
• Added examples
• Added inbound and outbound error support
• Enhance testing and actions
• A few minor bugfixes
• Add official libinjection support, go native without CGO
• Project renamed to OWASP Coraza Web Application Firewall and moved to corazawaf organization

New contributors:

• bxlxx: #157 and https://github.com/corazawaf/libinjection-go

Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2

v2 release candidate 1

First release candidate for Coraza WAF v2

• New tx.Clean function used to free the memory and get the transaction back to the sync pool
• Tons of lot fixes
• Minor low level api changes
• Huge performance improvements
• Remove GEO plugins, now you can share info between operators and directives
• New interface to share information between operators and directives, waf.Config
• Rule parser was refactored
• Lot of audit engine fixes and rework

What's Changed

• fix(op): move operator to native utf8.ValidString method by @fzipi in #88
• fix(removewhitespace): move to golang funcs by @fzipi in #92
• fix(removenull): move to golang funcs by @fzipi in #91
• fix(utf8toUnicode): change to golang standard funcs by @fzipi in #90
• fix(lint): fixes golang linter errors by @fzipi in #89
• Add error log support by @jptosso in #93
• Add tx tests by @jptosso in #94
• Bump github.com/antchfx/xmlquery from 1.3.6 to 1.3.7 by @dependabot in #95
• Bump github.com/antchfx/xmlquery from 1.3.7 to 1.3.8 by @dependabot in #96
• Bump github.com/antchfx/jsonquery from 1.1.4 to 1.1.5 by @dependabot in #97
• V2/testing rework by @jptosso in #109
• V2/testing rework by @jptosso in #110
• V2/testing rework by @jptosso in #111
• V2/directive plugins by @jptosso in #120
• V2/fix byteranges by @jptosso in #123
• Rules refactor by @jptosso in #125
• V2/crs tests by @jptosso in #128
• V2/parser rework by @jptosso in #131
• V2/audit rework by @jptosso in #133
• V2/rc1 by @jptosso in #135
• V2/tx syncpool by @jptosso in #136

New Contributors

• @fzipi made their first contribution in #88

Full Changelog: v1.2.0...v2.0.0-rc.1

Release v2 beta 6

Major release, it fixes tons of issues like:

• @validateByteRange
• @utf8ToUnicode
• issues with log action
• Now rules will match not only once but every variable that matches
• Setvar now supports loops

Next release is v2.0.0 final :)