fix: value setting

jcchavezs · jcchavezs · commit 3cc4dfab1162 · 2026-03-06T10:32:38.000+01:00
diff --git a/examples/http-server/go.mod b/examples/http-server/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/valllabh/ocsf-schema-golang v1.0.3 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
diff --git a/examples/http-server/go.sum b/examples/http-server/go.sum
@@ -27,8 +27,8 @@ github.com/valllabh/ocsf-schema-golang v1.0.3 h1:eR8k/3jP/OOqB8LRCtdJ4U+vlgd/gk5
 github.com/valllabh/ocsf-schema-golang v1.0.3/go.mod h1:sZ3as9xqm1SSK5feFWIR2CuGeGRhsM7TR1MbpBctzPk=
 golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
 golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
diff --git a/go.sum b/go.sum
@@ -67,8 +67,6 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
 golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/internal/bodyprocessors/json.go b/internal/bodyprocessors/json.go
@@ -27,7 +27,6 @@ func (js *jsonBodyProcessor) ProcessRequest(reader io.Reader, v plugintypes.Tran
 		return err
 	}
 	ss := s.String()
-
 	// Process with recursion limit
 	col := v.ArgsPost()
 	data, err := readJSON(ss, bpo.RequestBodyRecursionLimit)
@@ -48,17 +47,18 @@ func (js *jsonBodyProcessor) ProcessRequest(reader io.Reader, v plugintypes.Tran
 	return nil
 }
 
-func (js *jsonBodyProcessor) ProcessResponse(reader io.Reader, v plugintypes.TransactionVariables, bpo plugintypes.BodyProcessorOptions) error {
+const ignoreJSONRecursionLimit = -1
+
+func (js *jsonBodyProcessor) ProcessResponse(reader io.Reader, v plugintypes.TransactionVariables, _ plugintypes.BodyProcessorOptions) error {
 	// Read the entire body to store it and process it
 	s := strings.Builder{}
 	if _, err := io.Copy(&s, reader); err != nil {
 		return err
 	}
 	ss := s.String()
-
-	// Process with recursion limit
+	// Process with no recursion limit as we don't have a directive for response body
 	col := v.ResponseArgs()
-	data, err := readJSON(ss, bpo.RequestBodyRecursionLimit)
+	data, err := readJSON(ss, ignoreJSONRecursionLimit)
 	if err != nil {
 		return err
 	}
diff --git a/internal/corazawaf/transaction.go b/internal/corazawaf/transaction.go
@@ -71,7 +71,6 @@ type Transaction struct {
 	ForceRequestBodyVariable  bool
 	RequestBodyAccess         bool
 	RequestBodyLimit          int64
-	RequestBodyJsonDepthLimit int
 	ForceResponseBodyVariable bool
 	ResponseBodyAccess        bool
 	ResponseBodyLimit         int64
diff --git a/internal/corazawaf/waf.go b/internal/corazawaf/waf.go
@@ -190,7 +190,6 @@ func (w *WAF) newTransaction(opts Options) *Transaction {
 	tx.ForceRequestBodyVariable = false
 	tx.RequestBodyAccess = w.RequestBodyAccess
 	tx.RequestBodyLimit = w.RequestBodyLimit
-	tx.RequestBodyJsonDepthLimit = w.RequestBodyJsonDepthLimit
 	tx.ResponseBodyAccess = w.ResponseBodyAccess
 	tx.ResponseBodyLimit = w.ResponseBodyLimit
 	tx.RuleEngine = w.RuleEngine
diff --git a/internal/seclang/directives.go b/internal/seclang/directives.go
@@ -297,6 +297,11 @@ func directiveSecRequestBodyJsonDepthLimit(options *DirectiveOptions) error {
 	if err != nil {
 		return err
 	}
+
+	if limit <= 0 {
+		return errors.New("limit must be a positive integer")
+	}
+
 	options.WAF.RequestBodyJsonDepthLimit = limit
 	return nil
 }
diff --git a/testing/coraza_test.go b/testing/coraza_test.go
@@ -24,8 +24,9 @@ func TestEngine(t *testing.T) {
 		t.Run(p.Meta.Name, func(t *testing.T) {
 			tt, err := testList(t, &p)
 			if err != nil {
-				t.Error(err)
+				t.Fatal(err)
 			}
+
 			for _, test := range tt {
 				t.Run(test.Name, func(t *testing.T) {
 					if err := test.RunPhases(); err != nil {
diff --git a/testing/coreruleset/go.sum b/testing/coreruleset/go.sum
@@ -8,10 +8,6 @@ github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/
 github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc h1:OlJhrgI3I+FLUCTI3JJW8MoqyM78WbqJjecqMnqG+wc=
 github.com/corazawaf/coraza-coreruleset v0.0.0-20240226094324-415b1017abdc/go.mod h1:7rsocqNDkTCira5T0M7buoKR2ehh7YZiPkzxRuAgvVU=
-github.com/corazawaf/coraza-coreruleset/v4 v4.22.0 h1:rQhJ1+2+TZsoVBXlRWn+AVteECot3pIF8tSVDjjhkUc=
-github.com/corazawaf/coraza-coreruleset/v4 v4.22.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g=
-github.com/corazawaf/coraza-coreruleset/v4 v4.23.0 h1:e7f2tRhOBFN8YtL72wqy2cMPS6o64XyMgS81dRbw2/c=
-github.com/corazawaf/coraza-coreruleset/v4 v4.23.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g=
 github.com/corazawaf/coraza-coreruleset/v4 v4.24.0 h1:7Ys2vZegaDIwDeDcRuCQNjMzNaDLklqXogJsucoE1tk=
 github.com/corazawaf/coraza-coreruleset/v4 v4.24.0/go.mod h1:tRjsdtj39+at47dLCpE8ChoDa2FK2IAwTWIpDT8Z62g=
 github.com/corazawaf/libinjection-go v0.3.2 h1:9rrKt0lpg4WvUXt+lwS06GywfqRXXsa/7JcOw5cQLwI=
@@ -119,8 +115,6 @@ golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
 golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
 golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=

Original file line number	Diff line number	Diff line change
`@@ -297,6 +297,11 @@ func directiveSecRequestBodyJsonDepthLimit(options *DirectiveOptions) error {`
`297`	`297`	`if err != nil {`
`298`	`298`	`return err`
`299`	`299`	`}`
	`300`	`+`
	`301`	`+ if limit <= 0 {`
	`302`	`+ return errors.New("limit must be a positive integer")`
	`303`	`+ }`
	`304`	`+`
`300`	`305`	`options.WAF.RequestBodyJsonDepthLimit = limit`
`301`	`306`	`return nil`
`302`	`307`	`}`