
Default list of allowed request content types includes non-processed types #4362


@RedXanadu

Describe the bug

Since v4.18, we have added to the default list of allowed request content types two content types that are not processed by a default ModSecurity installation. As such, this has opened the way for request body bypasses.

Steps to reproduce

curl -v localhost -H "Content-Type: application/csp-report" --data '{"foo": "/bin/bash"}'

=> Anomaly Scores: (Inbound Scores: blocking=5, detection=5, per_pl=0-0-0-5, threshold=5)

This only matches against the PL4 "Invalid character" rule, which catches things like the quote mark (").

curl -v localhost -H "Content-Type: application/reports+json" --data '{"foo": "/bin/bash"}'

Note: The official CRS Docker containers use non-standard ModSecurity configurations that do catch this content type (they turn on the optional "+json" rule 200006 by default). Vanilla ModSecurity does not catch this content type.

Expected behaviour

CRS must not allow content types that we do not process/parse by default.

Actual behaviour

CRS allows through requests of content types application/csp-report and application/reports+json.

Additional context

Your Environment

  • CRS version (e.g., v3.2.0): 4.18, 4.19, 4.20
  • Paranoia level setting: PL4
  • ModSecurity version (e.g., 2.9.3): n/a
  • Web Server and version (e.g., apache 2.4.41): n/a
  • Operating System and version: n/a
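An added configuration check for the gap this report describes; it is not part of the issue, CRS or ModSecurity. It parses a CRS-style `tx.allowed_request_content_type` value and lists the allowed types that no active request body processor would parse, so the two types named above show up as gaps, and `application/reports+json` disappears once the optional rule 200006 is enabled. The allowed list is a constructed sample; the processor regexes are reproduced from memory of modsecurity.conf-recommended, so verify them against your own copy.

```python
import re

# Content-Type patterns that select a request body processor, as found in
# modsecurity.conf-recommended (assumption: reproduced from memory of that
# file). URLENCODED and MULTIPART are built-in defaults, listed here under
# the pseudo-id "builtin". ModSecurity applies t:lowercase before matching.
BODY_PROCESSORS = [
    ("builtin", r"^application/x-www-form-urlencoded", "URLENCODED"),
    ("builtin", r"^multipart/form-data", "MULTIPART"),
    ("200000", r"^(?:application(?:/soap\+|/)|text/)xml", "XML"),
    ("200001", r"^application/json", "JSON"),
    # Optional rule, commented out in the default config.
    ("200006", r"^application/[a-z0-9.-]+[+]json", "JSON"),
]

# Constructed sample in the pipe-delimited format CRS uses for
# tx.allowed_request_content_type; not the real CRS default list.
SAMPLE_ALLOWED = (
    "|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| "
    "|application/xml| |application/soap+xml| |application/json| "
    "|application/csp-report| |application/reports+json|"
)

DEFAULT_RULES = {"builtin", "200000", "200001"}


def parse_allowed_types(setting: str) -> list[str]:
    """Split a '|type| |type| ...' value into lowercase content types."""
    return [t.strip().lower() for t in setting.split("|") if t.strip()]


def unprocessed_allowed_types(allowed: list[str], enabled_rules: set[str]) -> list[str]:
    """Return allowed content types that no enabled body processor would handle.

    A request with one of these types passes the CRS content-type allow-list,
    yet its body is never parsed into ARGS, so body rules cannot inspect it.
    """
    active = [re.compile(rx) for rid, rx, _ in BODY_PROCESSORS if rid in enabled_rules]
    return [ct for ct in allowed if not any(rx.search(ct) for rx in active)]


if __name__ == "__main__":
    allowed = parse_allowed_types(SAMPLE_ALLOWED)
    print("vanilla ModSecurity:", unprocessed_allowed_types(allowed, DEFAULT_RULES))
    print("with rule 200006:  ", unprocessed_allowed_types(allowed, DEFAULT_RULES | {"200006"}))
```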

Labels: 🐛 bug (Something isn't working)
