From d482424e68aaa5eeac5929e43c3189db0b3e5d0c Mon Sep 17 00:00:00 2001
From: Max Leske <>
Date: Sat, 15 Feb 2025 13:38:51 +0100
Subject: [PATCH] feat: deprecate `Headers` for `OrderedHeaders`
spec/v2.3.0/ | 2281 +++++++++++++++++
.../waf-platform-overrides-schema-v2.3.0.json | 1 +
spec/v2.3.0/waf-tests-schema-v2.3.0.json | 1 +
types/examples.go | 6 +
types/types.go | 17 +
5 files changed, 2306 insertions(+)
create mode 100644 spec/v2.3.0/
create mode 100755 spec/v2.3.0/waf-platform-overrides-schema-v2.3.0.json
create mode 100755 spec/v2.3.0/waf-tests-schema-v2.3.0.json
diff --git a/spec/v2.3.0/ b/spec/v2.3.0/
new file mode 100644
index 0000000..1d1dfd5
--- /dev/null
+++ b/spec/v2.3.0/
@@ -0,0 +1,2281 @@
+## FTWTest
+Welcome to the FTW YAMLFormat documentation.
+ In this document we will explain all the possible options that can be used within the YAML format.
+ Generally this is the preferred format for writing tests in as they don't require any programming skills
+ in order to understand and change. If you find a bug in this format please open an issue.
+ FTWTest is the base type used when unmarshaling YAML tests files
+Meta describes the metadata information of this yaml test file
+RuleId is the ID of the rule this test targets.
+# RuleId
+rule_id: 123456
+Tests is a list of FTW tests
+ - test_title: 123456-1
+ ruleid: 0
+ test_id: 0
+ desc: Unix RCE using `time`
+ stages:
+ - description: Get cookie from server
+ input:
+ dest_addr:
+ port: 8080
+ protocol: http
+ uri: /test
+ version: HTTP/1.1
+ method: REPORT
+ headers:
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+ save_cookie: false
+ stop_magic: true
+ autocomplete_headers: false
+ encoded_request: TXkgRGF0YQo=
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+## FTWTestMeta
+Appears in:
+- FTWTest.meta
+Author is the list of authors that added content to this file
+# Author
+author: Felipe Zipitria
+Enabled indicates if the tests are enabled to be run by the engine or not.
+# Enabled
+enabled: false
+Name is the name of the tests contained in this file.
+# Name
+name: test01
+Description is a textual description of the tests contained in this file.
+# Description
+description: The tests here target SQL injection.
+Version is the version of the YAML Schema.
+# Version
+version: v1
+description: |
+ Tags is list of strings that can be used for arbitrary grouping of tests.
+ examples:
+ - name: Tags
+ value: ["PHP", "bug-123"]
+## Test
+Appears in:
+- FTWTest.tests
+- test_title: 123456-1
+ ruleid: 0
+ test_id: 0
+ desc: Unix RCE using `time`
+ stages:
+ - description: Get cookie from server
+ input:
+ dest_addr:
+ port: 8080
+ protocol: http
+ uri: /test
+ version: HTTP/1.1
+ method: REPORT
+ headers:
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+ save_cookie: false
+ stop_magic: true
+ autocomplete_headers: false
+ encoded_request: TXkgRGF0YQo=
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+TestTitle is the title of this particular types. It is used for inclusion/exclusion of each run by the tool.
+test_title: 123456-1
+TestId is the ID of the test, in relation to `rule_id`.
+When this field is not set, the ID will be inferred from the
+# TestId
+test_id: 4
+TestDescription is the description for this particular test.
+Should be used to describe the internals of the specific things this test is targeting.
+desc: Unix RCE using `time`
+Stages is the list of all the stages to perform this test.
+ - description: Get cookie from server
+ input:
+ dest_addr:
+ port: 8080
+ protocol: http
+ uri: /test
+ version: HTTP/1.1
+ method: REPORT
+ headers:
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+ save_cookie: false
+ stop_magic: true
+ autocomplete_headers: false
+ encoded_request: TXkgRGF0YQo=
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+description: |
+ Tags is list of strings that can be used for arbitrary grouping of tests.
+ examples:
+ - name: Tags
+ value: ["PHP", "bug-123"]
+## Stage
+Appears in:
+- Test.stages
+- description: Get cookie from server
+ input:
+ dest_addr:
+ port: 8080
+ protocol: http
+ uri: /test
+ version: HTTP/1.1
+ method: REPORT
+ headers:
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+ save_cookie: false
+ stop_magic: true
+ autocomplete_headers: false
+ encoded_request: TXkgRGF0YQo=
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+Describes the purpose of this stage.
+description: Get cookie from server
+Input is the data that is passed to the test
+# Input
+ dest_addr:
+ port: 8080
+ protocol: http
+ uri: /test
+ version: HTTP/1.1
+ method: REPORT
+ headers:
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+ save_cookie: false
+ stop_magic: true
+ autocomplete_headers: false
+ encoded_request: TXkgRGF0YQo=
+Output is the data that is returned from the test
+# Output
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+## Input
+Appears in:
+- Stage.input
+# Input
+port: 8080
+protocol: http
+uri: /test
+version: HTTP/1.1
+method: REPORT
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+save_cookie: false
+stop_magic: true
+autocomplete_headers: false
+encoded_request: TXkgRGF0YQo=
+DestAddr is the IP of the destination host that the test will send the message to.
+# DestAddr
+Port allows you to declare which port on the destination host the test should connect to.
+# Port
+port: 80
+Protocol allows you to declare which protocol the test should use when sending the request.
+# Protocol
+protocol: http
+URI allows you to declare the URI the test should use as part of the request line.
+# URI
+uri: /get?hello=world
+FollowRedirect will expect the previous stage of the same test to have received a
+redirect response, it will fail the test otherwise. The redirect location will be used
+to send the request for the current stage and any settings for port, protocol, address,
+or URI will be ignored.
+# follow_redirect
+follow_redirect: true
+Version allows you to declare the HTTP version the test should use as part of the request line.
+# Version
+version: "1.1"
+Method allows you to declare the HTTP method the test should use as part of the request line.
+# Method
+method: GET
+Headers allows you to declare headers that the test should send.
+# Headers
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+Headers allows you to declare headers that the test should send.
+The headers will be sent in the exact order specified. It is also possible
+to specify the identical header multiple times.
+# Headers
+ - name: Host
+ value: localhost
+ - name: User-Agent
+ value: CRS Tests
+ - name: Host
+ value: localhost
+ - name: Accept
+ value: '*/*'
+Data allows you to declare the payload that the test should in the request body.
+# Data
+data: Bibitti bopi
+EncodedData allows you to declare the payload as a base64 encoded string, which
+will be decoded into bytes and sent verbatimt to the server. This allows for complex
+payloads that include invisible characters or invalid Unicode byte sequences.
+# encoded_data
+encoded_data: c29tZXRoaW5nIHdpdGgKbmV3bGluZQo=
+SaveCookie allows you to automatically provide cookies if there are multiple stages and save cookie is set
+# SaveCookie
+save_cookie: 80
+StopMagic is deprecated.
+# StopMagic
+stop_magic: false
+AutocompleteHeaders allows the test framework to automatically fill the request with Content-Type and Connection headers.
+Defaults: `true`.
+# StopMagic
+autocomplete_headers: false
+EncodedRequest will take a base64 encoded string that will be decoded and sent through as the request.
+It will override all other settings
+# EncodedRequest
+encoded_request: a
+Response describes a response from the web server that a WAF is expected to analyse.
+Note: This functionality requires a backend that can send the specified request to the
+ reverse proxy. Currently, only Albedo ( is supported.
+VirtualHostMode determines the value of the `Host` header for internal requests (e.g., the
+requests used to insert markers into the web server log). This is useful for running tests
+against a virtual host, as the log entries for all requests must end up in the same log file,
+and often, log files are segregated by virtual host.
+If `true`, internal requests will use the same value for the `Host` header as the test request.
+If `false`, the value for the `Host` header of internal requests will be `localhost`.
+Default: `false`.
+## HeaderTuple
+Appears in:
+- Input.ordered_headers
+# Headers
+- name: Host
+ value: localhost
+- name: User-Agent
+ value: CRS Tests
+- name: Host
+ value: localhost
+- name: Accept
+ value: '*/*'
+## Response
+Appears in:
+- Input.response
+Headers defines the headers the response will carry.
+# Headers
+ Accept: '*/*'
+ Host: localhost
+ User-Agent: CRS Tests
+Status describes the HTTP status code of the response.
+Default: `200` if omitted.
+# Status
+status: 302
+Body defines the body of the response as a plain string.
+# Body
+body: |
+ {"aJsonDocument": ["in the response"]}
+EncodedBody defines the body of the response as a base64 encoded string. This is useful if the response
+needs to contain non-printable characters.
+# EncodedBody
+encoded_body: eyJhSnNvbkRvY3VtZW50IjogWyJpbiB0aGUgcmVzcG9uc2UiXX0=
+LogMessage specifies a message to be printed in the log of the backend server that sends the response.
+This can be helpful when debugging, to match resopnses sent by the backend to test executions.
+# LogMessage
+log_message: Response splitting test 1
+## Output
+Appears in:
+- Stage.output
+# Output
+status: 200
+response_contains: HTTP/1.1
+log_contains: nothing
+no_log_contains: everything
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+expect_error: true
+Status describes the HTTP status code expected in the response.
+# Status
+status: 200
+ResponseContains describes the text that should be contained in the HTTP response.
+# ResponseContains
+response_contains: Hello, World
+LogContains describes the text that should be contained in the WAF logs.
+# LogContains
+log_contains: id 920100
+NoLogContains describes the text that should not be contained in the WAF logs.
+# NoLogContains
+no_log_contains: id 920100
+Log is used to configure expectations about the log contents.
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+When `ExpectError` is true, we don't expect an answer from the WAF, just an error.
+# ExpectError
+expect_error: false
+When `RetryOnce` is true, the test run will be retried once upon failures. This options
+primary purpose is to work around a race condition in phase 5, where the log entry for
+a phase 5 rule may appear after the end marker of the previous test.
+Isolated specifies that the test is expected to trigger a single rule only.
+If the rule triggers any other rule than the (single) one specified in
+expect_ids, the test fill be considered a failure.
+Default: `false`
+# Isolated
+isolated: true
+## Log
+Appears in:
+- Output.log
+ - 123456
+ - 123456
+match_regex: id[:\s"]*123456
+no_match_regex: id[:\s"]*123456
+description: |
+ Expect the given IDs to be contained in the log output.
+ examples:
+ -value: ExampleLog.ExpectIds
+Expect the given IDs _not_ to be contained in the log output.
+ - 123456
+Expect the regular expression to match log content for the current types.
+match_regex: id[:\s"]*123456
+Expect the regular expression to _not_ match log content for the current types.
+no_match_regex: id[:\s"]*123456
+## FTWOverrides
+FTWOverrides describes platform specific overrides for tests
+The version field designates the version of the schema that validates this file
+version: v0.1.0
+Meta describes the metadata information
+ engine: libmodsecurity3
+ platform: nginx
+ annotations:
+ os: Debian Bullseye
+ purpose: L7ASR test suite
+List of test override specifications
+ - rule_id: 920100
+ test_ids: [4, 6]
+ reason: |-
+ nginx returns 400 when `Content-Length` header is sent in a
+ `Transfer-Encoding: chunked` request.
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+## FTWOverridesMeta
+Appears in:
+- FTWOverrides.meta
+engine: libmodsecurity3
+platform: nginx
+ os: Debian Bullseye
+ purpose: L7ASR test suite
+The name of the WAF engine the tests are expected to run against
+engine: coraza
+The name of the platform (e.g., web server) the tests are expected to run against
+platform: nginx
+Custom annotations; can be used to add additional meta information
+ os: Debian Bullseye
+ purpose: L7ASR test suite
+## TestOverride
+Appears in:
+- FTWOverrides.test_overrides
+- rule_id: 920100
+ test_ids: [4, 6]
+ reason: |-
+ nginx returns 400 when `Content-Length` header is sent in a
+ `Transfer-Encoding: chunked` request.
+ output:
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+ID of the rule this test targets.
+rule_id: 920100
+IDs of the tests for rule_id that overrides should be applied to.
+If this field is not set, the overrides will be applied to all tests of rule_id.
+ - 4
+ - 6
+IDs of the stages to which overrides should be applied.
+Stage IDs listed will be overridden for all test IDs listed in `TestIds`.
+If this field is not set, the overrides will be applied to all stages.
+Describes why this override is necessary.
+reason: |-
+ nginx returns 400 when `Content-Length` header is sent in a
+ `Transfer-Encoding: chunked` request.
+Whether a stage should be retried once in case of failure.
+This option is primarily a workaround for a race condition in phase 5,
+where the log entry of a rule may be flushed after the test end marker.
+retry_once: true
+Specifies overrides on the test output.
+This definition *replaces* the output definition of the test.
+ status: 200
+ response_contains: HTTP/1.1
+ log_contains: nothing
+ no_log_contains: everything
+ log:
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+ expect_error: true
+## types.Output
+Output defines the expectations of a test
+Appears in:
+- TestOverride.output
+status: 200
+response_contains: HTTP/1.1
+log_contains: nothing
+no_log_contains: everything
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+expect_error: true
+Status describes the HTTP status code expected in the response.
+# Status
+status: 200
+ResponseContains describes the text that should be contained in the HTTP response.
+# ResponseContains
+response_contains: Hello, World
+LogContains describes the text that should be contained in the WAF logs.
+# LogContains
+log_contains: id 920100
+NoLogContains describes the text that should not be contained in the WAF logs.
+# NoLogContains
+no_log_contains: id 920100
+Log is used to configure expectations about the log contents.
+ expect_ids:
+ - 123456
+ no_expect_ids:
+ - 123456
+ match_regex: id[:\s"]*123456
+ no_match_regex: id[:\s"]*123456
+When `ExpectError` is true, we don't expect an answer from the WAF, just an error.
+# ExpectError
+expect_error: false
+When `RetryOnce` is true, the test run will be retried once upon failures. This options
+primary purpose is to work around a race condition in phase 5, where the log entry for
+a phase 5 rule may appear after the end marker of the previous test.
+Isolated specifies that the test is expected to trigger a single rule only.
+If the rule triggers any other rule than the (single) one specified in
+expect_ids, the test fill be considered a failure.
+Default: `false`
+# Isolated
+isolated: true
+## types.Log
+description: |
+ Expect the given IDs to be contained in the log output.
+ examples:
+ -value: ExampleLog.ExpectIds
+Expect the given IDs _not_ to be contained in the log output.
+ - 123456
+Expect the regular expression to match log content for the current types.
+match_regex: id[:\s"]*123456
+Expect the regular expression to _not_ match log content for the current types.
+no_match_regex: id[:\s"]*123456
diff --git a/spec/v2.3.0/waf-platform-overrides-schema-v2.3.0.json b/spec/v2.3.0/waf-platform-overrides-schema-v2.3.0.json
new file mode 100755
index 0000000..138a705
--- /dev/null
+++ b/spec/v2.3.0/waf-platform-overrides-schema-v2.3.0.json
@@ -0,0 +1 @@
\ No newline at end of file
diff --git a/spec/v2.3.0/waf-tests-schema-v2.3.0.json b/spec/v2.3.0/waf-tests-schema-v2.3.0.json
new file mode 100755
index 0000000..6a05795
--- /dev/null
+++ b/spec/v2.3.0/waf-tests-schema-v2.3.0.json
@@ -0,0 +1 @@
\ No newline at end of file
diff --git a/types/examples.go b/types/examples.go
index 7333a72..cd4cb94 100644
--- a/types/examples.go
+++ b/types/examples.go
@@ -27,6 +27,12 @@ var (
"Host": "localhost",
"Accept": "*/*",
+ ExampleOrderedHeaders = []HeaderTuple{
+ {"Host", "localhost"},
+ {"User-Agent", "CRS Tests"},
+ {"Host", "localhost"},
+ {"Accept", "*/*"},
+ }
ExampleInput = Input{
DestAddr: helpers.StrPtr(""),
Port: helpers.IntPtr(8080),
diff --git a/types/types.go b/types/types.go
index c7f8f39..78526c6 100644
--- a/types/types.go
+++ b/types/types.go
@@ -238,8 +238,19 @@ type Input struct {
// examples:
// - name: Headers
// value: ExampleHeaders
+ //
+ // Deprecated: use OrderedHeaders instead
Headers map[string]string `yaml:"headers,omitempty" json:"headers,omitempty" koanf:"headers,omitempty"`
+ // description: |
+ // Headers allows you to declare headers that the test should send.
+ // The headers will be sent in the exact order specified. It is also possible
+ // to specify the identical header multiple times.
+ // examples:
+ // - name: Headers
+ // value: ExampleOrderedHeaders
+ OrderedHeaders []HeaderTuple `yaml:"ordered_headers,omitempty" json:"ordered_headers,omitempty" koanf:"ordered_headers,omitempty"`
// description: |
// Data allows you to declare the payload that the test should in the request body.
// examples:
@@ -449,3 +460,9 @@ type Log struct {
// - value: ExampleLog.NoMatchRegex
NoMatchRegex string `yaml:"no_match_regex,omitempty" json:"no_match_regex,omitempty"`
+// Header represents the (name, value) tuple of an HTTP header
+type HeaderTuple struct {
+ Name string
+ Value string