From 0fd01af23c0ebd2298a4d5a86e36ac8d80461c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Tue, 31 Dec 2024 13:53:11 +0000
Subject: [PATCH] [#1762] Add configurable limit for SecRequestBodyNoFilesLimit in ModSecurity

---
 CHANGELOG.md | 1 +
 .../confs/server-http/modsecurity-rules.conf.modsec | 2 +-
 src/common/core/modsecurity/plugin.json | 9 +++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6aec2f8808..f8908d334e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - [FEATURE] Add health check endpoint and integrate it into the scheduler for instance status monitoring
 - [FEATURE] Add country tracking to bans data
 - [FEATURE] Refactored the way the database migrations are handled to make it more reliable and faster using alembic
+- [FEATURE] Add configurable limit for SecRequestBodyNoFilesLimit in ModSecurity via the `MODSECURITY_REQ_BODY_NO_FILES_LIMIT` setting
 - [DEPRECATION] Remove `X-XSS-Protection` header from the `header` plugin as it is deprecated
 - [DEPS] Updated coreruleset-v4 version to v4.10.0
diff --git a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec
index b6da713dbd..9ae905dd8b 100644
--- a/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec
+++ b/src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec
@@ -34,7 +34,7 @@ SecRequestBodyLimit 13107200
 {% endif %}
 # Maximum data size for requests without files
-SecRequestBodyNoFilesLimit 131072
+SecRequestBodyNoFilesLimit {{ MODSECURITY_REQ_BODY_NO_FILES_LIMIT }}
 # Reject requests if bigger than max data size
 SecRequestBodyLimitAction Reject
diff --git a/src/common/core/modsecurity/plugin.json b/src/common/core/modsecurity/plugin.json
index a35751de77..cd031f9459 100644
--- a/src/common/core/modsecurity/plugin.json
+++ b/src/common/core/modsecurity/plugin.json
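Review bot: The rendered `SecRequestBodyNoFilesLimit {{ MODSECURITY_REQ_BODY_NO_FILES_LIMIT }}` line takes the setting as-is with no relation to the `SecRequestBodyLimit 13107200` value in the hunk header, so an operator can set the no-files limit above the overall body limit (where it never takes effect) or to `0` (where, together with the `SecRequestBodyLimitAction Reject` line below, every non-upload request that carries a body would be rejected). Clamping in the template is awkward because `SecRequestBodyLimit` is set inside the conditional block that the visible `{% endif %}` closes, so I would at least state the constraint in the comment, e.g. `# Maximum data size in bytes for requests without files; keep at or below SecRequestBodyLimit`. If this template targets libModSecurity v3, it is also worth confirming the directive is honoured there — my recollection is that the v3 reference lists it as not yet implemented, in which case the new setting would be a silent no-op. The `{% if %}` that the visible `{% endif %}` closes starts outside the hunk.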
@@ -79,6 +79,15 @@
 "label": "SecAuditLogParts",
 "regex": "^A(([B-K])(?!.*\\2))+Z$",
 "type": "text"
+},
+"MODSECURITY_REQ_BODY_NO_FILES_LIMIT": {
+"context": "multisite",
+"default": "131072",
+"help": "SecRequestBodyNoFilesLimit directive of ModSecurity.",
+"id": "modsecurity-req-body-no-files-limit",
+"label": "SecRequestBodyNoFilesLimit",
+"regex": "^[0-9]+$",
+"type": "text"
 }
 },
 "jobs": [
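Review bot: The `"regex": "^[0-9]+$"` on the new setting admits `0`, leading zeros and arbitrarily large values, and the `"help"` string gives neither the unit nor the relationship to the overall request body limit, so the UI validates the syntax of the value but not whether it is sane. I would tighten it to `"regex": "^[1-9][0-9]*$"` so that `0` cannot be saved — with the `SecRequestBodyLimitAction Reject` already in the template, a zero limit rejects every non-upload request that has a body — and reword the help to `"help": "Maximum size in bytes of a request body that contains no file upload (ModSecurity SecRequestBodyNoFilesLimit). Should not exceed the general request body limit."`. The settings object this entry is added to starts before the hunk, so I cannot see whether sibling size settings use the same pattern.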