Monthly Chat Agendas February (2021-02-01 and 2021-02-15) #1992

dune73 · 2021-01-27T14:34:58Z

This is the Agenda for the Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, February 1st, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, February 15th. That's the 3rd Monday of the month.

Items on the Agenda: (see previous meetings decisions: here)

What happend in the meantime since the chat last month

Outside development

Wallarm published a repo with an automatic test to detect CRS bypasses: Link
The wiki has a link to issues / PRs assigned to every CRS developer
Blog post Introducing msc_retest - a tool set to do performance testing of regex execution speed on various ModSec versions

PRs that have been merged since the last meeting

Fix false positives with rule 942360 #1817 Fix false positives with rule 942360
Stop decoding things twice #1845 Stop decoding things twice
feat(ci): add test plugin to annotate failures #1930 feat(ci): add test plugin to annotate failures
feat(ci): use relative paths in testing #1936 feat(ci): use relative paths in testing
phpMyAdmin exclusion rules package #1951 phpMyAdmin exclusion rules package
Fix false negative in rule 920480 #1957 Fix false negative in rule 920480
Update for restricted-files.data #1960 Update for restricted-files.data
New respose body blocking: Web shells #1962 New respose body blocking: Web shells
Rework pattern to fix false positive #1966 Rework pattern to fix false positive
Add support for sec-ch-ua and sec-ch-ua-mobile within Validate Bytes … #1970 Add support for sec-ch-ua and sec-ch-ua-mobile within Validate Bytes …
Fixing FP in WordPress while updating or deleting a plugin #1971 Fixing FP in WordPress while updating or deleting a plugin
Add note about stale issues to README.md #1976 Add note about stale issues to README.md
Drop unneeded capture groups #1983 Drop unneeded capture groups
Removing %{MATCHED_VAR} from logging #1985 Removing %{MATCHED_VAR} from logging
del terminating whitespace in crs-setup.conf #1989 del terminating whitespace in crs-setup.conf
feat(git): ignore docker-compose environment files in git #1994 feat(git): ignore docker-compose environment files in git
feat(env): add timezone variable to compose #1995 feat(env): add timezone variable to compose
WordPress exclusion profile improvements #1997 WordPress exclusion profile improvements
XenForo exclusion profile improvements #1998 XenForo exclusion profile improvements

Open PRs

Migrate PR: RE2 compatibility for 920120 #1868 Migrate PR: RE2 compatibility for 921120 - the performance numbers are here. What do we do with this?
Avoid FP at rule 933210 when Cookie contains / (slash) #1996 Avoid FP at rule 933210 when Cookie contains / (slash) - PR is ready, but this could at least in theory introduce new bypasses. Let's talk about this.
Draft: Plugins support + response body decompress plugin #1993: Draft: Plugins support + response body decompress plugin - This and Draft: Response body decompress feature #1968 bring the same functionality, this one here as a plugin
Draft: Response body decompress feature #1968: Draft: Response body decompress feature - This and Draft: Plugins support + response body decompress plugin #1993 are mutually exclusive
Introducing generic transformations #1990: Introducing generic transformations - This deserves a very close look. It's kind-a-big
Documentation: Enhancement of installation process for Nginx / IIS #1988: Documentation: Enhancement of installation process for Nginx / IIS - looking for confirmation we can really include *.conf on NGINX/IIS
Anti-virus support without need to run external programs #1986: Anti-virus support without need to run external programs - AV via Lua. Beautiful, but brings dependency on Lua
Fix almost all FPs with rule 930120 #1978: Fix almost all FPs with rule 930120 - Fix for FP via Lua, unfortunately also failing tests
Fix for issue #1922 #1958: Fix for issue Rules blocking Google OAuth2 redirect (callback) URLs #1922 - almost there, but we might have to split this rule
Nextcloud 20 false-positives #1975: Nextcloud 20 false-positives - More rule exclusions and an open question about differences in Nextcloud URIs

Open PRs marked "work in progress" / needs action

V3.4/dev ftw main #1938 V3.4/dev ftw main - draft
feat(ci): upgrades ci to run tests using python 3 #1934: feat(ci): upgrades ftw to python 3 supported version - tests are failing and PR needs more work

Other items

Python 2.7 deprecated (see feat(ci): use relative paths in testing #1936 (review))
Special topic* : Blogpost about the ModSec3 security problem with disabling request body access.
Talking about the 3.4 release
Idea to allow for plugins: So that's rule sets outside the main CRS releases with rules that we or 3rd parties develop
- This would allow for rules that are somewhat out of scope for us
- This would allow for 3rd parties to integrate with anomaly scoring more easily
- This would allow for the use of more advanced features (-> Lua!) without limiting CRS integration with more dependencies
- This would allow these rule sets to follow their own release rhythm (right now, such additional rule sets will only be updated when we do a major release

Open Issues - Separate Issues Meeting (Monday, February 15th)

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

Issue slot 1: REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window dos-protection-plugin-modsecurity#11 REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window - assigned to #dune73
Issue slot 2: Proposal to include monitoring agents exceptions in a new data file #1589 Whitelisting of UA - stale proposal by @theMiddleBlue that would be worthy of being finished for CRS 3.4
Issue slot 3: FP Rule [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] #2006 FP Rule [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] - closed in favor of FP: 941120 (PL1) base64 encoded string in param #1867
Issue slot 4: 942300 matching "for ? (" when it's expected to find OR? #2007 942300 matching "for ? (" when it's expected to find OR? - assigned to @csanders
Issue slot 5: FP: Rule 930110 - Path Traversal Attack (/../) - triggered on .. #2005 FP: Rule 930110 - Path Traversal Attack (/../) - triggered on naked .. - assigned to @lifeforms
Issue slot 6: Rule 920300 false positive in Chrome for hyperlink with download attribute (also pdf viewer) #2001 Rule 920300 false positive in Chrome for hyperlink with download attribute (also pdf viewer) - decided to move to an even higher PL and assigned to @franbuehler
Issue slot 7: PL1: 932115 triggered by a URL containing a query string parameter of "sort" #1931 PL1: 932115 triggered by a URL containing a query string parameter of "sort" - assigned to @franbuehler
Issue slot 8: FP: 941120 (PL1) base64 encoded string in param #1867 - decided to move to PL2 and assigned to @csanders
Issue slot 9:
Issue slot 10:

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp-slack.herokuapp.com/ .

Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

franbuehler · 2021-02-01T20:23:06Z

Decisions

PRs

Migrate PR: RE2 compatibility for 920120 #1868: Migrate PR: RE2 compatibility for 921120 - Move regex into a comment, @franbuehler will do this
Avoid FP at rule 933210 when Cookie contains / (slash) #1996 Avoid FP at rule 933210 when Cookie contains / (slash) - We postpone the decision and @theMiddleBlue tests the PR with a PoC and then @airween can adopt.
Draft: Plugins support + response body decompress plugin #1993: Draft: Plugins support + response body decompress plugin - @azurit and @dune73 think this through and they come back with a proposal in a couple of weeks. This and Draft: Response body decompress feature #1968 bring the same functionality.
Draft: Response body decompress feature #1968: Draft: Response body decompress feature - This and Draft: Plugins support + response body decompress plugin #1993 are mutually exclusive - closed
Introducing generic transformations #1990: Introducing generic transformations - @dune73 will try and make this a plugin and ideally independent of PL and come back with a new version.
Documentation: Enhancement of installation process for Nginx / IIS #1988: Documentation: Enhancement of installation process for Nginx / IIS - looking for confirmation we can really include *.conf on NGINX/IIS - @airween: Can you look into this and get back to @azurit and you see if it can be merged as is?
Anti-virus support without need to run external programs #1986: Anti-virus support without need to run external programs - AV via Lua. Beautiful, but brings dependency on Lua - Another plugin candidate
Fix almost all FPs with rule 930120 #1978: Fix almost all FPs with rule 930120 - Fix for FP via Lua, unfortunately also failing tests - closed
Fix for issue #1922 #1958: Fix for issue Rules blocking Google OAuth2 redirect (callback) URLs #1922 - Let's take this offline (-> github) and talk about this during the week.
Nextcloud 20 false-positives #1975: Nextcloud 20 false-positives - More rule exclusions and an open question about differences in Nextcloud URIs - @azurit will review this one

Other items

For FTW tests we still depend on py2 which will no longer be supported. @fzipi is working on a Go port: https://github.com/fzipi/go-ftw.
Release 3.4 was scheduled 3.4 for Feb / March but after the last meeting more problems with the early blocking on ModSec3 popped up. We have to wait for a couple of weeks...

Open Issues - Separate Issues Meeting (Monday, February 15th)

Issue slot 1: REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window dos-protection-plugin-modsecurity#11 REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window - assigned to @dune73
Issue slot 2: Proposal to include monitoring agents exceptions in a new data file #1589 Whitelisting of UA - stale proposal by @theMiddleBlue that would be worthy of being finished for CRS 3.4 - currently no takers
Issue slot 3: 942300 matching "for ? (" when it's expected to find OR? #2007 - @csanders-git takes this one
Issue slot 4: FP Rule [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] #2006 - We agree on moving this rule to PL2 as there is no good solution. @csanders-git will open a PR.
Issue slot 5: FP: Rule 930110 - Path Traversal Attack (/../) - triggered on .. #2005 - @lifeforms volunteers to take this one
Issue slot 6: Rule 920300 false positive in Chrome for hyperlink with download attribute (also pdf viewer) #2001 - We decide to change the PL to 3 or 4. @franbuehler will propose a PR.
Issue slot 7: PL1: 932115 triggered by a URL containing a query string parameter of "sort" #1931 PL1: 932115 triggered by a URL containing a query string parameter of "sort" - assigned to @franbuehler
Issue slot 8: FP: 941120 (PL1) base64 encoded string in param #1867 - decided to move to PL2 and assigned to @csanders
Issue slot 9:
Issue slot 10:

dune73 added the 🔖 Meeting Agenda label Jan 29, 2021

dune73 mentioned this issue Feb 10, 2021

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Closed

dune73 closed this as completed Feb 16, 2021

dune73 mentioned this issue Nov 15, 2021

Move 941120 from PL1 to PL2 #2306

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agendas February (2021-02-01 and 2021-02-15) #1992

Monthly Chat Agendas February (2021-02-01 and 2021-02-15) #1992

Uh oh!

Uh oh!

Monthly Chat Agendas February (2021-02-01 and 2021-02-15) #1992

Monthly Chat Agendas February (2021-02-01 and 2021-02-15) #1992

Comments

Uh oh!

What happend in the meantime since the chat last month

Outside development

PRs that have been merged since the last meeting

Open PRs

Open PRs marked "work in progress" / needs action

Other items

Open Issues - Separate Issues Meeting (Monday, February 15th)

How to get to our slack and join the meeting?

Uh oh!

Decisions

PRs

Other items

Open Issues - Separate Issues Meeting (Monday, February 15th)

Uh oh!