The Big Backslash Hunt #2332
Comments
|
There is only one occurrence of $ git diff
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 5d0a5e3..e89a66c 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -178,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
#
# [NoScript InjectionChecker] Attributes injection
#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|[\\\\][ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\xc5[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \
"id:941170,\
phase:2,\
block,\which is not built but created manually. Perhaps you mean all How do we want to change the other forms, eg. in case of 941330? What's the expected new form? Note, I've made a small script with msc_pyparser which replaces the occurrence of |
|
I've made some researches, looks like replacing the and the subject is from our test case: It's same as in case of test. This subject matches with the modified pattern. |
|
🤔 We should also create a wiki page with the motivation and alternatives, so it has more visibility. |
|
@fzipi Maybe a wiki page for now, and then move it into the "Information for Developers and Contributors" section of the documentation when that is written. Do you think that's a good plan? I wanted to put it straight into the documentation, but I think that section is a way off from being ready to be written, at the moment. |
|
Sure, makes sense. I was thinking on a place were we store a list of "design decisions", so we don't forget why we did this 10 years from now 😄 |
|
@RedXanadu From what I can see, now what remains here is to walk the rest of the ruleset and find new occurrences, right? Do you need help for that? |
Possible staring point: https://github.com/coreruleset/coreruleset/wiki/Technical-Decisions-and-Best-Practices |
|
Go ahead. I wasn't sure where to put it anyway :). Just let me know where it lives because I need to reference it from 920120. |
|
@RedXanadu we should add our names to the todo items we're working on so we don't overlap. |
|
@theseion Sure. I got up to 932100 and then got stuck. I think all of the 932xxx rules require a change to regexp-assemble in order to fix them. I think regexp-assemble puts In the mean time, I'll start working from the bottom of the list up :) |
|
Ok. I'll look into that. |
|
@RedXanadu let me know if I an give you a hand with the remaining two PR's. |
|
One task remaining only! 😱 |
1 similar comment
|
One task remaining only! 😱 |
|
All remaining use of As such, this task is complete! Thank you to everyone who helped submit and review PRs along the way 🎉 Closing issue. |
Uh oh!
There was an error while loading. Please reload this page.
Motivation
After discussion at the December monthly meeting (#2291), it was decided to standardise on using
\x5cto represent the backslash\character in regular expressions. Some of the reasons we chose this method are:regexp-assemble.pyscript.Alternatives
We (I) had previously started using the pattern
[\\\\]in CRS rules. This is an alternative portable backslash representation. It was decided not to adopt this method. For future reference, some of the problems with this method are:regexp-assemble.pyscript.[a-zA-Z<portable-backslash>]Plan
The plan is to tackle each rule individually with a separate PR, to make it simple to track the work and review each rule change.
I'll start by undoing the previous changes I made to move to
[\\\\]and will modify those rules to use\x5cinstead.The goal is to use
\x5cin all rules and rule building files. There is also a note on the documentation planning wiki page to document how and why we represent backslashes in this way for the benefit of future CRS developers.Progress
[\\\\]changes: convert to using\x5c(undoing PR 2183)\\,\\\\etc. is legitimateThe text was updated successfully, but these errors were encountered: