This repository was archived by the owner on May 14, 2020. It is now read-only.

Conversation

@lifeforms
Contributor

@lifeforms lifeforms commented Mar 24, 2019

In WordPress 5.x, the Gutenberg editor uses the WordPress REST API to store the content, therefore we have excluded the URI pattern /wp-json/wp/v2/posts/1234 to solve false positives in posted HTML.

However, on sites without the pretty permalinks setting (and also sometimes in other situations), WordPress posts to the following endpoint instead: /index.php?rest_route=/wp/v2/posts/1234.

So, we also have to make an exclusion on index.php if the rest_route parameter matches.

Fixes #1309.

@fgsch
Contributor

fgsch commented Mar 24, 2019

Do you need to check if it is present before checking for the pattern?
Wouldn't this:

# Non-pretty-permalink REST endpoint: /index.php?rest_route=/wp/v2/posts/1234
SecRule REQUEST_FILENAME "@endsWith /index.php" \
    "id:9002141,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Chained: only when rest_route targets posts or pages, stop inspecting the post body
    SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
        "t:none,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
        ctl:ruleRemoveTargetByTag=CRS;ARGS:json.content"

achieve the same?

@lifeforms
Contributor Author

lifeforms commented Mar 25, 2019

Trying to check for HTTP parameter pollution due to the parameter appearing twice, so that the attacker passes a different actual rest_route to WordPress. Might be a bit pedantic.
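To make the difference between the two variants concrete, here is an added Python model (not CRS or ModSecurity code) of the exclusion logic: the rule as posted above, which fires if any rest_route value matches, and a stricter variant that additionally requires rest_route to appear exactly once, which is the parameter-pollution concern raised in this thread. The URLs are constructed samples.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Pattern from the proposed chained rule: only REST routes for posts or pages.
REST_ROUTE_RE = re.compile(r"^/wp/v[0-9]+/(?:posts|pages)")


def rest_route_values(url: str) -> list[str]:
    """Every rest_route value in the query string, in order (what ARGS:rest_route sees)."""
    return [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k == "rest_route"]


def is_index_php(url: str) -> bool:
    """Models REQUEST_FILENAME "@endsWith /index.php"."""
    return urlsplit(url).path.endswith("/index.php")


def exclude_loose(url: str) -> bool:
    """Rule as posted: /index.php and at least one rest_route value matches the pattern."""
    return is_index_php(url) and any(REST_ROUTE_RE.search(v) for v in rest_route_values(url))


def exclude_strict(url: str) -> bool:
    """Stricter variant (assumed, modelled on the HPP concern): rest_route must appear
    exactly once, so a duplicated parameter cannot unlock the exclusion while WordPress
    itself acts on a different route."""
    values = rest_route_values(url)
    return is_index_php(url) and len(values) == 1 and REST_ROUTE_RE.search(values[0]) is not None


if __name__ == "__main__":
    # Constructed sample requests; the second one carries rest_route twice.
    samples = [
        "https://example.test/index.php?rest_route=/wp/v2/posts/1234",
        "https://example.test/index.php?rest_route=/wp/v2/posts/1234&rest_route=/wp/v2/users",
        "https://example.test/index.php?rest_route=/wp/v2/users/1",
        "https://example.test/wp-json/wp/v2/posts/1234",
    ]
    for url in samples:
        print(f"loose={exclude_loose(url)!s:5} strict={exclude_strict(url)!s:5} {url}")
```

Only the duplicated-parameter request distinguishes the two variants: the posted rule excludes it, the stricter one does not. The /wp-json/ form is false in both because it is covered by the separate existing exclusion.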
