JC 12:00:53 UTC
Hi everyone, thanks for joining our monthly meeting :coraza-party:
Matteo Pace 12:01:51 UTC
Hello :coraza-party: 👋
dune73 12:02:07 UTC
Hi there. @JC invited me to join you.
JC 12:03:10 UTC
Updates:
JC 12:04:54 UTC
Any comments on the above?
dune73 12:05:51 UTC
Nothing outside of congratulations on the 1K stars and RC2.
JC 12:06:11 UTC
Thanks! It’s been a journey but we are closer to v3.
JC 12:06:19 UTC
Let’s follow with the agenda
JC 12:06:22 UTC
Agenda:
dune73 12:07:02 UTC
So I get to go first? (thanks)
JC 12:08:28 UTC
Yes, be our guest.
↳ JC 12:08:52 UTC
We don’t want to waste too much of your time. You have already been very careful to be here @dune73
dune73 12:08:33 UTC
Thank you
dune73 12:08:55 UTC
So we are getting closer to CRSv4 too. We are still working on keyword lists and that's the last big task.
dune73 12:09:54 UTC
Keyword lists means we no longer want to maintain outdated lists by hand. Instead we want to have sources and then we automate the retrieval and transformation of the keyword lists from these sources into our format, being regex or text-based data files.
dune73 12:10:13 UTC
I'm working on the new user-agent list which is now based on 3 github sources and very, very long.
dune73 12:10:26 UTC
Another big item which is open is PHP functions and keywords.
dune73 12:10:36 UTC
Other than that it looks mostly clear for v4.
dune73 12:11:39 UTC
Development had died down somewhat after we closed the remaining bug bounty issues back in February, but I feel things are taking up speed again.
JC 12:12:20 UTC
Great to hear
dune73 12:12:26 UTC
Not giving out any release dates just yet, but it's going forward.
JC 12:12:44 UTC
Dates are not needed. It is great to know we are getting closer.
dune73 12:12:50 UTC
+1
JC 12:13:31 UTC
Awesome.
JC 12:13:35 UTC
I can go next about v3.
JC 12:13:46 UTC
unless you want to give the updates @Matteo Pace?
dune73 12:13:52 UTC
Looking fwd to hearing that.
JC 12:14:40 UTC
So we are close to v3 too. We have two tickets on triage and waiting for feedback. There is also a PR from @Matteo Pace about the scoring model we need to get in.
JC 12:15:05 UTC
In general the API is stable and we are just cutting final details but of course bug reports that come in the process need to be addressed ASAP.
Matteo Pace 12:15:45 UTC
Yep, would be nice to also squeeze it in v3 (corazawaf/coraza#778)
↳ Matteo Pace 12:16:04 UTC
I will try to address the review by today
↳ JC 12:16:17 UTC
Right. Tagged as v3 too.
JC 12:16:02 UTC
I expect we can close the tickets by the end of next week and release rc.3, which will probably be the final version.
dune73 12:16:24 UTC
You are not expecting any bugs showing up in RC2?
JC 12:17:42 UTC
Well, we haven’t had any reports yet, not even in the work we are doing with the connectors.
dune73 12:17:54 UTC
ok
JC 12:18:08 UTC
Maybe @Matteo Pace wants to give an update on the work we are doing for connectors.
Matteo Pace 12:21:22 UTC
The main work has been around Caddy, aligning the middleware to the one that we are already using in the Coraza main repo and with corazawaf/coraza-caddy#56. The mage commands now mimic what we have in the proxy-wasm connector. It makes it easier to jump from one connector to the other for just some tests and provides an example reference that is easy to spin up. This PR also introduces FTW tests. Overall we have about 60 failing tests. Would be great to add it to the CI, but currently I’m experiencing some inconsistency across runs, with random tests failing 😞
Matteo Pace 12:22:42 UTC
Still, about the Caddy connector, it would be great to have a dedicated maintainer with some expertise on Caddy itself.
JC 12:24:30 UTC
Yeah, that would be truly great. We are trying to make Caddy production ready, but it would be cool to have someone who can give it some more love and care.
JC 12:25:39 UTC
Does anyone have anything else to add?
Matteo Pace 12:28:16 UTC
Oops, sorry, let me also give an update about multiphase.
JC 12:28:48 UTC
Sure, go ahead.
Matteo Pace 12:31:06 UTC
Multiphase rule evaluation is tricky; the main focus has been making it compatible with the CRS rules. All the CRS tests are passing, and most of the Coraza tests are now also running against Coraza with Multiphase evaluation enabled. Exceptions come from corner cases of flow actions, which still have to be properly documented (raw documentation here: https://gist.github.com/M4tteoP/57001a5066f2f76c9f99c6dc3e9bf4af). There is quite a complex logic that avoids multiple matches for chained rules, but it has mostly been split into dedicated functions and files, so I’m confident it is not going to affect any Coraza “plain behavior” (when Multiphase evaluation is off).
Matteo Pace 12:31:33 UTC
Any further reviews would be really appreciated: corazawaf/coraza#719
Matteo Pace 12:34:40 UTC
The PR also includes the split of ARGS and ARGS_NAMES into *_GET and *_POST variables at parsing time.
Matteo Pace 12:35:52 UTC
Overall I would still consider it an experimental feature, but proxy-wasm users are experiencing the issue that this feature is going to handle (e.g. https://github.com/corazawaf/coraza-proxy-wasm/issues/1719), so we might also have some early adopters and feedback 🙂
↳ JC 12:38:34 UTC
Thanks @Matteo Pace
JC 12:44:36 UTC
Thank you. Does anyone else want to add something? Otherwise, thank you and see you on the other side.
↳ unknown user 12:45:25 UTC
... I hope it’s not that other side
↳ JC 12:46:33 UTC
You never know
Matteo Pace 12:48:31 UTC
Thanks, see you around!