Updated x-http-method-override rules for rest-api usage:

plugins/wordpress-rule-exclusions-before.conf

@@ -282,7 +282,8 @@
             ctl:ruleRemoveById=200002,\
             ctl:ruleRemoveById=200004"
 
-# Editing a page/post with gutenberg editor
+# Cannot update items using WordPress API (Such as pages/posts)
+# Pretty permalinks: Disabled
 SecRule REQUEST_FILENAME "@endsWith /index.php" \
     "id:9507146,\
     phase:1,\
@@ -291,11 +292,18 @@
     nolog,\
     ver:'wordpress-rule-exclusions-plugin/1.1.0',\
     chain"
-    SecRule REQUEST_HEADERS:x-http-method-override "@streq PUT" \
+    SecRule &ARGS:rest_route "@eq 1" \
         "t:none,\
-        ctl:ruleRemoveById=920450"
+        chain"
+        SecRule REQUEST_METHOD "@streq POST" \
+            "t:none,\
+            chain"
+            SecRule REQUEST_HEADERS:x-http-method-override "@rx ^(?:PUT|DELETE)$" \
+                "t:none,\
+                ctl:ruleRemoveById=920450"
 
-# Cannot update page|post in WordPress due to `x-http-method-override` header.
+# Cannot update items using WordPress API (Such as pages/posts)
+# Pretty Permalinks: Enabled
 SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:global-styles|navigation|pages|posts|sidebars|template-parts|templates|users)" \
     "id:9507147,\
     phase:1,\
@@ -304,9 +312,12 @@
     nolog,\
     ver:'wordpress-rule-exclusions-plugin/1.1.0',\
     chain"
-    SecRule &REQUEST_HEADERS:x-http-method-override "!@eq 0" \
+    SecRule REQUEST_METHOD "@streq POST" \
         "t:none,\
-        ctl:ruleRemoveById=920450"
+        chain"
+        SecRule REQUEST_HEADERS:x-http-method-override "@rx ^(?:PUT|DELETE)$" \
+            "t:none,\
+            ctl:ruleRemoveById=920450"
 
 # Loading tags/catagories for pages/posts
 # Obtaining metadata for pages/posts
@@ -510,7 +521,7 @@
         ctl:ruleRemoveTargetById=942520;ARGS:partials,\
         ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
         ctl:ruleRemoveTargetById=920273;REQUEST_BODY,\
         ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:customized,\
         ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:customize_changeset_uuid,\
         ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:customize_theme,\
         ctl:ruleRemoveTargetById=921180;TX:paramcounter_ARGS_NAMES:customize_autosaved,\

tests/regression/wordpress-rule-exclusions-plugin/9507146.yaml

@@ -0,0 +1,110 @@
+---
+meta:
+  author: "Joost de Keijzer"
+  description: "Wordpress Rule Exclusions Plugin"
+rule_id: 9507146
+tests:
+  - test_id: 1
+    desc: Editing template part of a website i.e header or footer
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: OWASP CRS test agent
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          # URI is actually sent with double slashes
+          uri: /index.php?rest_route=/wp/v2/template-parts/twentytwentyfour//header&_locale=user
+          # Data is sent with some special characters escaped
+          data: >-
+            {"id":"twentytwentyfour//header","content":"<!-- wp:group {\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-group alignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group {\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\"><!-- wp:site-logo {\"width\":60} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\">
+            <!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group --></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p>testing</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:group {\"layout\":{\"type\":\"flex\",\"flexWrap\":\"wrap\",\"justifyContent\":\"left\"}} -->\n<div class=\"wp-block-group\"><!-- wp:navigation {\"ref\":21,\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\"}} /--></div>\n<!-- /wp:group --></div>\n<!-- /wp:group --></div>\n<!-- /wp:group -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 2
+    desc: Editing global styles for a theme
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: OWASP CRS test agent
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/global-styles/26&_locale=user
+          data: >-
+            {"id":26,"settings":{"color":{"duotone":{"theme":[{"colors":["#272727","#f9f9f9"],"slug":"duotone-1","name":"Donkergrijs en wit"},{"colors":["#272727","#5F584F"],"slug":"duotone-2","name":"Donkergrijs en walnoot"},{"colors":["#272727","#973C20"],"slug":"duotone-3","name":"Donkergrijs en kaneel"},{"colors":["#272727","#4D5B48"],"slug":"duotone-4","name":"Donkergrijs en olijfgroen"},{"colors":["#272727","#4F5959"],"slug":"duotone-5","name":"Donkergrijs en staal"}]},"gradients":{"theme":[{"slug":"gradient-1","gradient":"linear-gradient(to bottom, #5F584F 0%, #272727 100%)","name":"Verticaal zacht drijfhout naar donkergrijs"},{"slug":"gradient-2","gradient":"linear-gradient(to bottom, #6D533C 0%, #272727 100%)","name":"Verticaal zacht walnoot naar donkergrijs"},
+            {"slug":"gradient-3","gradient":"linear-gradient(to bottom, #973C20 0%, #272727 100%)","name":"Verticaal zacht kaneel naar donkergrijs"},{"slug":"gradient-4","gradient":"linear-gradient(to bottom, #4D5B48 0%, #272727 100%)","name":"Verticaal zacht olijf naar donkergrijs"},{"slug":"gradient-5","gradient":"linear-gradient(to bottom, #4F5959 0%, #272727 100%)","name":"Verticaal zacht staal naar donkergrijs"},{"slug":"gradient-6","gradient":"linear-gradient(to bottom, #909090 0%, #272727 100%)","name":"Verticaal zacht tin naar donkergrijs"},{"slug":"gradient-7","gradient":"linear-gradient(to bottom, #5F584F 50%, #272727 50%)","name":"Verticaal hard beige naar donkergrijs"},{"slug":"gradient-8","gradient":"linear-gradient(to bottom, #6D533C 50%, #272727 50%)","name":"Verticaal hard walnoot naar donkergrijs"},
+            {"slug":"gradient-9","gradient":"linear-gradient(to bottom, #973C20 50%, #272727 50%)","name":"Verticaal hard kaneel naar donkergrijs"},{"slug":"gradient-10","gradient":"linear-gradient(to bottom, #4D5B48 50%, #272727 50%)","name":"Verticaal hard olijf naar donkergrijs"},{"slug":"gradient-11","gradient":"linear-gradient(to bottom, #4F5959 50%, #272727 50%)","name":"Verticaal hard staal naar donkergrijs"},{"slug":"gradient-12","gradient":"linear-gradient(to bottom, #A4A4A4 50%, #272727 50%)","name":"Verticaal hard tin naar donkergrijs"}]},"palette":{"theme":[{"color":"#272727","name":"Basis","slug":"base"},{"color":"#303030","name":"Basis / Twee","slug":"base-2"},{"color":"#f9f9f9","name":"Contrast","slug":"contrast"},{"color":"#B7B7B7","name":"Contrast / Twee","slug":"contrast-2"},
+            {"color":"#909090","name":"Contrast / Drie","slug":"contrast-3"},{"color":"#5F584F","name":"Accent","slug":"accent"},{"color":"#6D533C","name":"Accent / Twee","slug":"accent-2"},{"color":"#973C20","name":"Accent / Drie","slug":"accent-3"},{"color":"#4D5B48","name":"Accent / Vier","slug":"accent-4"},{"color":"#4F5959","name":"Accent / Vijf","slug":"accent-5"}]}}}}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 3
+    desc: Editing widgets
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/sidebars/sidebar-1&_locale=user
+          data: |-
+            {"id":"sidebar-1","widgets":["search-2","recent-posts-2","recent-comments-2","archives-2","categories-2","meta-2","block-2","block-3"]}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 4
+    desc: Save post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/posts/1&_locale=user
+          data: |-
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 5
+    desc: Delete post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: DELETE
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php?rest_route=/wp/v2/posts/1&_locale=user
+        output:
+          log:
+            no_expect_ids: [920450]

tests/regression/wordpress-rule-exclusions-plugin/9507147.yaml

@@ -21,7 +21,7 @@ tests:
           # URI is actually sent with double slashes
           uri: /post/wp-json/wp/v2/template-parts/twentytwentyfour//header?_locale=user
           # Data is sent with some special characters escaped
-          data: |
+          data: >-
             {"id":"twentytwentyfour//header","content":"<!-- wp:group{\"align\":\"wide\",\"style\":{\"spacing\":{\"padding\":{\"top\":\"20px\",\"bottom\":\"20px\"}}},\"backgroundColor\":\"base\",\"layout\":{\"type\":\"constrained\"}} -->\n<div class=\"wp-block-groupalignwide has-base-background-color has-background\" style=\"padding-top:20px;padding-bottom:20px\"><!-- wp:group{\"align\":\"wide\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"space-between\",\"flexWrap\":\"wrap\"}} -->\n<div class=\"wp-block-group alignwide\"><!-- wp:group{\"style\":{\"spacing\":{\"blockGap\":\"var:preset|spacing|20\"},\"layout\":{\"selfStretch\":\"fit\",\"flexSize\":null}},\"layout\":{\"type\":\"flex\"}} -->\n<div class=\"wp-block-group\">
             <!-- wp:site-logo{\"width\":60,\"shouldSyncIcon\":false} /-->\n\n<!-- wp:group {\"style\":{\"spacing\":{\"blockGap\":\"0px\"}}} -->\n<div class=\"wp-block-group\"><!-- wp:site-title {\"level\":0} /--></div>\n<!-- /wp:group--></div>\n<!-- /wp:group -->\n\n<!-- wp:navigation{\"ref\":2180,\"icon\":\"menu\",\"layout\":{\"type\":\"flex\",\"justifyContent\":\"right\",\"orientation\":\"horizontal\",\"flexWrap\":\"wrap\"},\"style\":{\"spacing\":{\"margin\":{\"top\":\"0\"},\"blockGap\":\"va>/--></div>\n<!-- /wp:group -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph --></div>\n<!-- /wp:group -->"}
         output:
@@ -42,7 +42,7 @@ tests:
           method: POST
           version: "HTTP/1.1"
           uri: /post/wp-json/wp/v2/global-styles/1?wp_theme_preview=twentytwentyfour&_locale=user
-          data: |
+          data: |-
             {"id":2934,"styles":{"blocks":{"core/site-title":{"typography":{"fontWeight":"400"}},"core/pullquote":{"typography":{"fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal","fontWeight":"normal","lineHeight":"1.2"}},"core/quote":{"variations":{"plain":{"typography":{"fontStyle":"normal","fontWeight":"400"}}},"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--large)","fontStyle":"normal"}},"core/navigation":{"typography":{"fontWeight":"400"}}},"elements":{"button":{"typography":{"fontFamily":"var(--wp--preset--font-family--heading)","fontSize":"var(--wp--preset--font-size--small)","fontStyle":"normal"}},"heading":{"color":{"background":"#ab5a5a"}}},"css":""}}
         output:
           log:
@@ -62,8 +62,86 @@ tests:
           method: POST
           version: "HTTP/1.1"
           uri: /post/wp-json/wp/v2/sidebars/sidebar-1?_locale=user
-          data: |
+          data: |-
             {"id":"sidebar-1","widgets":["block-16","block-17","block-18"]}
         output:
           log:
             no_expect_ids: [920450]
+  - test_id: 4
+    desc: Save post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /wp-json/wp/v2/posts/1&_locale=user
+          data: |-
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 5
+    desc: Delete post
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: DELETE
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /wp-json/wp/v2/posts/1&_locale=user
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 6
+    desc: Save post when permalink struct starts with /index.php/
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /index.php/wp-json/wp/v2/posts/1&_locale=user
+          data: |-
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]
+  - test_id: 7
+    desc: Save post for multisite or a WordPress installation in "nested directories"
+    stages:
+      - input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: localhost
+            User-Agent: "OWASP CRS test agent"
+            Accept: application/json, */*;q=0.1
+            Content-Type: application/json
+            x-http-method-override: PUT
+          port: 80
+          method: POST
+          version: "HTTP/1.1"
+          uri: /subdir/wordpress-here/wp-json/wp/v2/posts/1&_locale=user
+          data: |-
+            {"id":1,"content":"<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>\n\n<!-- wp:paragraph -->\n<p>dddd</p>\n<!-- /wp:paragraph -->"}
+        output:
+          log:
+            no_expect_ids: [920450]