Add exclusion set for OData standard #2127
Comments
We talked about this issue at our recent project meeting. Decision: @theseion takes this on and @fzipi promises to coach him.
I read through some of the OData documentation. From what I understand we will have to come up with an exclusion package that disables all those rules (mainly SQLi and RCE I suppose) that trigger false positives. For that we will need a comprehensive suite of tests that can generate the FPs. Is that what you had in mind? I guess we can start by focusing on the specification and create tests that run through the different types of queries with a bunch of different parameters. This approach is of course quite limited, because the queries can become extremely complex. But I think it's a valid start. A possible second step could be to write a test data generator that basically takes the spec as input and produces valid random queries with varying complexity. That might be too much effort though (but it sounds cool :)). BTW, if we're doing this for OData, should we also do it for things like JsonAPI or GraphQL? Others?
GraphQL and others are coming, for sure. We can use the OData test service in https://services.odata.org/ and see what we get. Probably proxying it with modsec will give us an initial subset. From RCE, we only had one particular match, but taking a look there won't hurt.
Looks like https://pragmatiqa.com/xodata/ is also using that site for tests.
@theseion : We are usually not as systematic as you propose. It's more of an empiric approach. Like putting CRS in front of an installation and logging the FPs, doing the REs and then repeating until no more FPs. Ideally it's a group of people that use a software, and we kind of wished the communities behind these software projects would join / support us with coming up with RE packages, but that never happened.
Any update here, @theseion?
No, I haven't worked on this yet.
Any interest to keep this on, or do we search for a new volunteer? Originally @fzipi had an interest in this.
If someone else volunteered that would be great.
OK. Adding this to the agenda for tonight.
For the record: We're waiting for a volunteer to provide a PR here.
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days |
It's maybe worthwhile to touch on this in the Monday meeting as well. Feel free to add.
Motivation
OData (Open Data Protocol) is an ISO/IEC-approved OASIS standard that defines a set of best practices for building and consuming RESTful APIs. Its use of common wording similar to SQL is probably going to be something to consider in upcoming versions.
This is a proposal to add an exclusion set that allows our users to use OData in a controlled environment.
Proposed solution
Create a new exclusion ruleset that enables users to start rolling OData.
Additional context
This was originally detected in issue #2123.
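As an added illustration of the shape such an exclusion set could take (this is example configuration written for this page, not a ruleset from the CRS project), the snippet below scopes the exclusion to an assumed OData endpoint under `/odata/` and strips only the OData query-option parameters from the SQLi rules, rather than switching those rules off. The rule id `1000100`, the endpoint path and the CRS 3.x tag name `attack-sqli` are assumptions; check the tag names against the CRS version actually deployed.

```apache
# Hypothetical OData rule-exclusion package (not CRS project code).
# Assumptions: OData lives under /odata/, rule id 1000100 is free in the
# local range, and SQLi rules carry the CRS 3.x tag "attack-sqli".
#
# Place this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs in
# phase 1, before the CRS phase-2 rules inspect ARGS.
#
# Only the OData query options are removed as targets, and only for the
# SQLi rule family, so every other parameter and every other rule family
# is still inspected on this endpoint.
SecRule REQUEST_URI "@beginsWith /odata/" \
    "id:1000100,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:$filter,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:$orderby,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:$select,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:$expand"
```

This follows the empiric loop described above: put CRS in front of the OData test service, collect the false positives from the audit log, add the offending parameters as removed targets, and repeat until the log is clean. Removing targets by tag is deliberately narrower than `ctl:ruleRemoveById` for whole rules, since any `$filter` expression that matches an RCE or XSS rule, or any SQLi match in a non-OData parameter, still blocks.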