feat: implement SecUploadKeepFiles directive (#1557)

* feat: implement SecUploadKeepFiles with RelevantOnly support

Add UploadKeepFilesStatus type supporting On, Off, and RelevantOnly
values for the SecUploadKeepFiles directive. When set to On, uploaded
files are preserved after transaction close. When set to RelevantOnly,
files are kept only if rules matched during the transaction.

Closes #1550

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Apply suggestion from @M4tteoP

Co-authored-by: Matteo Pace <pace.matteo96@gmail.com>

* docs: update SecUploadKeepFiles in coraza.conf-recommended

Remove the "not supported" note and document the RelevantOnly option.

* fix: filter nolog rules in RelevantOnly upload keep files check

RelevantOnly now only considers rules with Log enabled, matching the
same filtering used for audit log part K. This prevents CRS
initialization rules (nolog) from making RelevantOnly behave like On.

* fix: require SecUploadDir when SecUploadKeepFiles is enabled

Add validation in WAF.Validate() to ensure SecUploadDir is configured
when SecUploadKeepFiles is set to On or RelevantOnly, matching the
ModSecurity requirement.

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix: directive docs

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Matteo Pace <pace.matteo96@gmail.com>

* fix: correct two compile errors in SecUploadKeepFiles implementation (#1560)

* Initial plan

* fix: correct lint errors - HasAccessToFS is a bool not a function, fix wrong constant name

Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>

* fix: gofmt

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>

* fix: skip SecUploadKeepFiles tests when no_fs_access build tag is set

The upload keep files tests expected success for On/RelevantOnly modes,
but the implementation correctly rejects these when filesystem access is
disabled. Guard these test cases behind environment.HasAccessToFS.

---------

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Matteo Pace <pace.matteo96@gmail.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

Author: 4 people

coraza.conf-recommended

@@ -121,11 +121,11 @@ SecDataDir /tmp/
 #
 #SecUploadDir /opt/coraza/var/upload/
 
-# If On, the WAF will store the uploaded files in the SecUploadDir
-# directory.
-# Note: SecUploadKeepFiles is currently NOT supported by Coraza
+# Controls whether intercepted uploaded files will be kept after
+# transaction is processed. Possible values: On, Off, RelevantOnly.
+# RelevantOnly will keep files only when a matching rule is logged (rules with 'nolog' do not qualify).
 #
-#SecUploadKeepFiles Off
+#SecUploadKeepFiles RelevantOnly
 
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to

internal/corazawaf/transaction.go

@@ -1455,6 +1455,18 @@ func (tx *Transaction) MatchedRules() []types.MatchedRule {
 	return tx.matchedRules
 }
 
+// hasLogRelevantMatchedRules returns true if any matched rule has Log enabled.
+// Rules with nolog (e.g. CRS initialization rules) are excluded, matching
+// the same filtering used for audit log part K.
+func (tx *Transaction) hasLogRelevantMatchedRules() bool {
+	for _, mr := range tx.matchedRules {
+		if mrWithLog, ok := mr.(*corazarules.MatchedRule); ok && mrWithLog.Log() {
+			return true
+		}
+	}
+	return false
+}
+
 func (tx *Transaction) LastPhase() types.RulePhase {
 	return tx.lastPhase
 }
@@ -1628,12 +1640,20 @@ func (tx *Transaction) Close() error {
 
 	var errs []error
 	if environment.HasAccessToFS {
-		// TODO(jcchavezs): filesTmpNames should probably be a new kind of collection that
-		// is aware of the files and then attempt to delete them when the collection
-		// is resetted or an item is removed.
-		for _, file := range tx.variables.filesTmpNames.Get("") {
-			if err := os.Remove(file); err != nil {
-				errs = append(errs, fmt.Errorf("removing temporary file: %v", err))
+		// UploadKeepFilesRelevantOnly keeps temporary files only when there are
+		// log-relevant matched rules (i.e., rules that would be logged; rules
+		// with actions such as "nolog" are intentionally excluded here).
+		keepFiles := tx.WAF.UploadKeepFiles == types.UploadKeepFilesOn ||
+			(tx.WAF.UploadKeepFiles == types.UploadKeepFilesRelevantOnly && tx.hasLogRelevantMatchedRules())
+
+		if !keepFiles {
+			// TODO(jcchavezs): filesTmpNames should probably be a new kind of collection that
+			// is aware of the files and then attempt to delete them when the collection
+			// is resetted or an item is removed.
+			for _, file := range tx.variables.filesTmpNames.Get("") {
+				if err := os.Remove(file); err != nil {
+					errs = append(errs, fmt.Errorf("removing temporary file: %v", err))
+				}
 			}
 		}
 	}

internal/corazawaf/transaction_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"regexp"
 	"runtime/debug"
 	"strconv"
@@ -1857,6 +1858,121 @@ func TestCloseFails(t *testing.T) {
 	}
 }
 
+func TestUploadKeepFiles(t *testing.T) {
+	if !environment.HasAccessToFS {
+		t.Skip("skipping test as it requires access to filesystem")
+	}
+
+	createTmpFile := func(t *testing.T) string {
+		t.Helper()
+		f, err := os.CreateTemp(t.TempDir(), "crztest*")
+		if err != nil {
+			t.Fatal(err)
+		}
+		name := f.Name()
+		if err := f.Close(); err != nil {
+			t.Fatalf("failed to close temp file: %v", err)
+		}
+		return name
+	}
+
+	t.Run("Off deletes files", func(t *testing.T) {
+		waf := NewWAF()
+		waf.UploadKeepFiles = types.UploadKeepFilesOff
+		tx := waf.NewTransaction()
+		tmpFile := createTmpFile(t)
+
+		col := tx.Variables().FilesTmpNames().(*collections.Map)
+		col.Add("", tmpFile)
+
+		if err := tx.Close(); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := os.Stat(tmpFile); !os.IsNotExist(err) {
+			t.Fatal("expected temp file to be deleted when UploadKeepFiles is Off")
+		}
+	})
+
+	t.Run("On keeps files", func(t *testing.T) {
+		waf := NewWAF()
+		waf.UploadKeepFiles = types.UploadKeepFilesOn
+		tx := waf.NewTransaction()
+		tmpFile := createTmpFile(t)
+
+		col := tx.Variables().FilesTmpNames().(*collections.Map)
+		col.Add("", tmpFile)
+
+		if err := tx.Close(); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := os.Stat(tmpFile); err != nil {
+			t.Fatal("expected temp file to be kept when UploadKeepFiles is On")
+		}
+	})
+
+	t.Run("RelevantOnly keeps files when log rules matched", func(t *testing.T) {
+		waf := NewWAF()
+		waf.UploadKeepFiles = types.UploadKeepFilesRelevantOnly
+		tx := waf.NewTransaction()
+		tmpFile := createTmpFile(t)
+
+		// Simulate a matched rule with Log enabled
+		tx.matchedRules = append(tx.matchedRules, &corazarules.MatchedRule{Log_: true})
+
+		col := tx.Variables().FilesTmpNames().(*collections.Map)
+		col.Add("", tmpFile)
+
+		if err := tx.Close(); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := os.Stat(tmpFile); err != nil {
+			t.Fatal("expected temp file to be kept when UploadKeepFiles is RelevantOnly and log rules matched")
+		}
+	})
+
+	t.Run("RelevantOnly deletes files when only nolog rules matched", func(t *testing.T) {
+		waf := NewWAF()
+		waf.UploadKeepFiles = types.UploadKeepFilesRelevantOnly
+		tx := waf.NewTransaction()
+		tmpFile := createTmpFile(t)
+
+		// Simulate a matched rule with Log disabled (e.g. CRS initialization rules)
+		tx.matchedRules = append(tx.matchedRules, &corazarules.MatchedRule{Log_: false})
+
+		col := tx.Variables().FilesTmpNames().(*collections.Map)
+		col.Add("", tmpFile)
+
+		if err := tx.Close(); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := os.Stat(tmpFile); !os.IsNotExist(err) {
+			t.Fatal("expected temp file to be deleted when UploadKeepFiles is RelevantOnly and only nolog rules matched")
+		}
+	})
+
+	t.Run("RelevantOnly deletes files when no rules matched", func(t *testing.T) {
+		waf := NewWAF()
+		waf.UploadKeepFiles = types.UploadKeepFilesRelevantOnly
+		tx := waf.NewTransaction()
+		tmpFile := createTmpFile(t)
+
+		col := tx.Variables().FilesTmpNames().(*collections.Map)
+		col.Add("", tmpFile)
+
+		if err := tx.Close(); err != nil {
+			t.Fatal(err)
+		}
+
+		if _, err := os.Stat(tmpFile); !os.IsNotExist(err) {
+			t.Fatal("expected temp file to be deleted when UploadKeepFiles is RelevantOnly and no rules matched")
+		}
+	})
+}
+
 func TestRequestFilename(t *testing.T) {
 	tests := []struct {
 		name     string

internal/corazawaf/waf.go

@@ -94,9 +94,9 @@ type WAF struct {
 	// Path to store data files (ex. cache)
 	DataDir string
 
-	// If true, the WAF will store the uploaded files in the UploadDir
-	// directory
-	UploadKeepFiles bool
+	// UploadKeepFiles controls whether uploaded files are kept after the transaction.
+	// On: always keep, Off: always delete (default), RelevantOnly: keep only if log-relevant rules matched (excluding nolog rules).
+	UploadKeepFiles types.UploadKeepFilesStatus
 	// UploadFileMode instructs the waf to set the file mode for uploaded files
 	UploadFileMode fs.FileMode
 	// UploadFileLimit is the maximum size of the uploaded file to be stored
@@ -446,6 +446,16 @@ func (w *WAF) Validate() error {
 		return errors.New("request body json depth limit should be bigger than 0")
 	}
 
+	if environment.HasAccessToFS {
+		if w.UploadKeepFiles != types.UploadKeepFilesOff && w.UploadDir == "" {
+			return errors.New("SecUploadDir is required when SecUploadKeepFiles is enabled")
+		}
+	} else {
+		if w.UploadKeepFiles != types.UploadKeepFilesOff {
+			return errors.New("SecUploadKeepFiles requires filesystem access, which is not available in this build")
+		}
+	}
+
 	return nil
 }
 

internal/corazawaf/waf_test.go

@@ -7,6 +7,9 @@ import (
 	"io"
 	"os"
 	"testing"
+
+	"github.com/corazawaf/coraza/v3/internal/environment"
+	"github.com/corazawaf/coraza/v3/types"
 )
 
 func TestNewTransaction(t *testing.T) {
@@ -107,6 +110,39 @@ func TestValidate(t *testing.T) {
 		},
 	}
 
+	if environment.HasAccessToFS {
+		testCases["upload keep files on without upload dir"] = struct {
+			customizer func(*WAF)
+			expectErr  bool
+		}{
+			expectErr: true,
+			customizer: func(w *WAF) {
+				w.UploadKeepFiles = types.UploadKeepFilesOn
+				w.UploadDir = ""
+			},
+		}
+		testCases["upload keep files relevant only without upload dir"] = struct {
+			customizer func(*WAF)
+			expectErr  bool
+		}{
+			expectErr: true,
+			customizer: func(w *WAF) {
+				w.UploadKeepFiles = types.UploadKeepFilesRelevantOnly
+				w.UploadDir = ""
+			},
+		}
+		testCases["upload keep files on with upload dir"] = struct {
+			customizer func(*WAF)
+			expectErr  bool
+		}{
+			expectErr: false,
+			customizer: func(w *WAF) {
+				w.UploadKeepFiles = types.UploadKeepFilesOn
+				w.UploadDir = "/tmp"
+			},
+		}
+	}
+
 	for name, tCase := range testCases {
 		t.Run(name, func(t *testing.T) {
 			waf := NewWAF()

internal/seclang/directives.go

@@ -935,12 +935,34 @@ func directiveSecDataDir(options *DirectiveOptions) error {
 	return nil
 }
 
+// Description: Configures whether intercepted files will be kept after the transaction is processed.
+// Syntax: SecUploadKeepFiles On|RelevantOnly|Off
+// Default: Off
+// ---
+// The `SecUploadKeepFiles` directive is used to configure whether intercepted files are
+// preserved on disk after the transaction is processed.
+// This directive requires the storage directory to be defined (using `SecUploadDir`).
+//
+// Possible values are:
+//   - On: Keep all uploaded files.
+//   - Off: Do not keep uploaded files.
+//   - RelevantOnly: Keep only uploaded files that matched at least one rule that would be
+//     logged (excluding rules with the `nolog` action).
 func directiveSecUploadKeepFiles(options *DirectiveOptions) error {
-	b, err := parseBoolean(options.Opts)
+	if len(options.Opts) == 0 {
+		return errEmptyOptions
+	}
+
+	status, err := types.ParseUploadKeepFilesStatus(options.Opts)
 	if err != nil {
 		return err
 	}
-	options.WAF.UploadKeepFiles = b
+
+	if !environment.HasAccessToFS && status != types.UploadKeepFilesOff {
+		return fmt.Errorf("SecUploadKeepFiles: cannot enable keeping uploaded files: filesystem access is disabled")
+	}
+
+	options.WAF.UploadKeepFiles = status
 	return nil
 }
 
@@ -967,6 +989,11 @@ func directiveSecUploadFileLimit(options *DirectiveOptions) error {
 	return err
 }
 
+// Description: Configures the directory where uploaded files will be stored.
+// Syntax: SecUploadDir /path/to/dir
+// Default: ""
+// ---
+// This directive is required when enabling SecUploadKeepFiles.
 func directiveSecUploadDir(options *DirectiveOptions) error {
 	if len(options.Opts) == 0 {
 		return errEmptyOptions

internal/seclang/directives_test.go

@@ -154,8 +154,7 @@ func TestDirectives(t *testing.T) {
 		"SecUploadKeepFiles": {
 			{"", expectErrorOnDirective},
 			{"Ox", expectErrorOnDirective},
-			{"On", func(w *corazawaf.WAF) bool { return w.UploadKeepFiles }},
-			{"Off", func(w *corazawaf.WAF) bool { return !w.UploadKeepFiles }},
+			{"Off", func(w *corazawaf.WAF) bool { return w.UploadKeepFiles == types.UploadKeepFilesOff }},
 		},
 		"SecUploadFileMode": {
 			{"", expectErrorOnDirective},
@@ -317,6 +316,10 @@ func TestDirectives(t *testing.T) {
 			{"/tmp-non-existing", expectErrorOnDirective},
 			{os.TempDir(), func(w *corazawaf.WAF) bool { return w.UploadDir == os.TempDir() }},
 		}
+		directiveCases["SecUploadKeepFiles"] = append(directiveCases["SecUploadKeepFiles"],
+			directiveCase{"On", func(w *corazawaf.WAF) bool { return w.UploadKeepFiles == types.UploadKeepFilesOn }},
+			directiveCase{"RelevantOnly", func(w *corazawaf.WAF) bool { return w.UploadKeepFiles == types.UploadKeepFilesRelevantOnly }},
+		)
 	}
 
 	for name, dCases := range directiveCases {

types/waf.go

@@ -78,6 +78,32 @@ func (re RuleEngineStatus) String() string {
 	return "unknown"
 }
 
+// UploadKeepFilesStatus represents the status of the upload keep files directive.
+type UploadKeepFilesStatus int
+
+const (
+	// UploadKeepFilesOff will delete all uploaded files after transaction (default)
+	UploadKeepFilesOff UploadKeepFilesStatus = iota
+	// UploadKeepFilesOn will keep all uploaded files after transaction
+	UploadKeepFilesOn
+	// UploadKeepFilesRelevantOnly will keep uploaded files only if a log-relevant rule matched
+	// (that is, a matched rule with logging enabled, excluding rules marked with nolog).
+	UploadKeepFilesRelevantOnly
+)
+
+// ParseUploadKeepFilesStatus parses the upload keep files status
+func ParseUploadKeepFilesStatus(s string) (UploadKeepFilesStatus, error) {
+	switch strings.ToLower(s) {
+	case "on":
+		return UploadKeepFilesOn, nil
+	case "off":
+		return UploadKeepFilesOff, nil
+	case "relevantonly":
+		return UploadKeepFilesRelevantOnly, nil
+	}
+	return -1, fmt.Errorf("invalid upload keep files status: %q", s)
+}
+
 // BodyLimitAction represents the action to take when
 // the body size exceeds the configured limit.
 type BodyLimitAction int