feat: add option for whitelisting broken Apple devices

README.md

@@ -53,6 +53,21 @@ For full and up to date instructions for the different available plugin
 installation methods, refer to [How to Install a Plugin](https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin)
 in the official CRS documentation.
 
+## Plugin configuration
+
+The settings for this plugin reside in `plugins/fake-bot-config.conf`.
+
+### tx.fake-bot-plugin_whitelist_broken_apple_devices
+
+Some software used by Apple devices send requests pretending to be a Facebook or Twitter (X) bot.
+iMessage, for example, does this to obtain link previews.
+If you want to allow this behavior and not block such requests, set this variable to `1`.
+
+Note: This setting, when enabled, opens a hole in the fake bot detection,
+which can be used by fake bots to bypass the protection provided by this plugin.
+
+Default value: 0
+
 ## Testing
 
 After installation, plugin should be tested, for example, using:  

plugins/fake-bot-after.conf

@@ -16,13 +16,26 @@
 # Documentation can be found here:
 # https://github.com/coreruleset/fake-bot-plugin
 
-SecRule REQUEST_HEADERS:User-Agent "@pm amazonbot applebot bingbot linkedinbot facebookbot facebookcatalog facebookexternalhit googlebot twitterbot" \
+SecRule TX:FAKE-BOT-PLUGIN_WHITELIST_BROKEN_APPLE_DEVICES "@streq 1" \
     "id:9504110,\
     phase:1,\
+    pass,\
+    t:none,\
+    msg:'Fake Bot Plugin: Broken Apple device detected from %{REMOTE_ADDR} - whitelisting',\
+    logdata:'Matched Data: REQUEST_HEADERS:User-Agent: %{REQUEST_HEADERS.User-Agent}',\
+    tag:'paranoia-level/1',\
+    ver:'fake-bot-plugin/1.0.0',\
+    skip:1,\
+    chain"
+    SecRule REQUEST_HEADERS:User-Agent "@endsWith facebookexternalhit/1.1 Facebot Twitterbot/1.0"
+
+SecRule REQUEST_HEADERS:User-Agent "@pm amazonbot applebot bingbot linkedinbot facebookbot facebookcatalog facebookexternalhit googlebot twitterbot" \
+    "id:9504120,\
+    phase:1,\
     block,\
     capture,\
     t:none,\
-    msg:'Fake bot detected: %{tx.fake-bot-plugin_bot_name}',\
+    msg:'Fake Bot Plugin: Detected fake %{tx.fake-bot-plugin_bot_name}.',\
     logdata:'Matched Data: %{TX.0} found within REQUEST_HEADERS:User-Agent: %{REQUEST_HEADERS.User-Agent}',\
     tag:'application-multi',\
     tag:'language-multi',\

plugins/fake-bot-config.conf

@@ -41,3 +41,12 @@
 #   pass,\
 #   nolog,\
 #   setvar:'tx.fake-bot-plugin_enabled=0'"
+
+SecAction \
+ "id:9504020,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  ver:'fake-bot-plugin/1.0.0',\
+  setvar:'tx.fake-bot-plugin_whitelist_broken_apple_devices=0'"

tests/regression/fake-bot-plugin/9504110.yaml → tests/regression/fake-bot-plugin/9504120.yaml

@@ -3,9 +3,9 @@ meta:
   author: "azurit"
   description: "Fake Bot Plugin"
   enabled: true
-  name: 9504110.yaml
+  name: 9504120.yaml
 tests:
-  - test_title: 9504110-1
+  - test_title: 9504120-1
     desc: Check that plugin is not blocking standard User-Agents
     stages:
       - stage:
@@ -20,8 +20,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            no_log_contains: id "9504110"
-  - test_title: 9504110-2
+            no_log_contains: id "9504120"
+  - test_title: 9504120-2
     desc: Check for blocking of fake Googlebot
     stages:
       - stage:
@@ -36,8 +36,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-3
+            log_contains: id "9504120"
+  - test_title: 9504120-3
     desc: Check for blocking of fake Facebookbot
     stages:
       - stage:
@@ -52,8 +52,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-4
+            log_contains: id "9504120"
+  - test_title: 9504120-4
     desc: Check for blocking of fake Bingbot
     stages:
       - stage:
@@ -68,8 +68,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-5
+            log_contains: id "9504120"
+  - test_title: 9504120-5
     desc: Check for blocking of fake Twitterbot
     stages:
       - stage:
@@ -84,8 +84,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-6
+            log_contains: id "9504120"
+  - test_title: 9504120-6
     desc: Check for blocking of fake Applebot
     stages:
       - stage:
@@ -100,8 +100,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-7
+            log_contains: id "9504120"
+  - test_title: 9504120-7
     desc: Check for blocking of fake LinkedInBot
     stages:
       - stage:
@@ -116,8 +116,8 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
-  - test_title: 9504110-8
+            log_contains: id "9504120"
+  - test_title: 9504120-8
     desc: Check for blocking of fake Amazonbot
     stages:
       - stage:
@@ -132,4 +132,4 @@ tests:
             version: HTTP/1.1
             uri: /get
           output:
-            log_contains: id "9504110"
+            log_contains: id "9504120"