This is the Agenda for the Monthly CRS Chat.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-04-04, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-04-18. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Items on the Agenda: (see previous meetings' decisions: here)
What has happened since last month's chat
Outside development
- Blog post about ImpressCMS weaknesses that also describes a CRS false negative at PL1 via a prepared statement and omitting whitespace.
- @airween published a first version of a service to read rule documentation at https://crsdoc.digitalwave.hu/parse.html
- The Google Summer of Code application has attracted a lot of interest; we are in contact with 8 students.
PRs that have been merged since the last meeting
- 932150: remove 'time' and 'ping' which are FP prone #2457
- 933110: update owasp.org vulnerability URL #2467
- 944140: deny uploading .jsp and .jspx files #2456
- Sqli replaces spaces with character class #2436
- Improved test setup #2363
- fix(942440): remove unneded space symbols from regex #2459
- Add path traversal detection in file upload #2451
- Change documentation git module link to https #2461
- docs: update policy to include signed releases #2465
- Backslashes 932100, 932110 #2454
- Add header Sec-CH-UA to rule 920274 #2444
- Adding AWS cli files into restricted #2439
- Backslashes 941190 #2442
- Backslashes 933100 #2441
- Added support for plugins to docker-compose #2448
- fix(ci): update secrules-parsing module #2445
- Removed special handling of \x5c in 930100-slashes.data #2426
- #2431 Added Krzana bot #2432
- Typo resolved #2430
- dev: add pre-commit config file #2406
- Email ruleset #2322
- fix(913100): move ecairn to scanners from crawlers #2408
We merged 22 PRs since the last monthly project chat.
Open PRs
- Spring RCE missing payloads #2464 good to go?
- Remove FP on 942440 (JWT) #2460 good to go?
- 920470: allow * in Content-Type to fix 'application/*+json' FP #2455
- Sqli remove unnecessary lazy quantifiers #2437 BIG, needs thorough review
- Fixing few SQLi related false negatives #2429 good to go?
- Re2 support 942130 #2425 good to go?
- Updated comments in rule files on how to use regexp-assemble.py #2423 conflict, otherwise good to go?
- Refactor scoring variables #2417 Preliminary reviews look good. Reporting question open.
Open PRs marked DRAFT, work in progress, or needing action
- log4j / log4shell defense: new rules 932131, 944140, 944141 #2349 final open point about stricter sibling, otherwise good to go
- Unified regex utils #2422 waiting for review
- fix 933180 regex #2303 draft
- fix: 933161 regex #2302 draft
- fix: 933160 regex #2301 draft
- Sqli regex update to support comment blocks #2290 needs action
- Exclusion list fot RoundCube webmail #2217 needs action
- Proposal for a new plugin: Machine Learning on ModSecurity #2067 draft
- Nextcloud 20 false-positives #1975 new traffic on this PR
Open Non-Core PRs
- Contributed pgAdmin rule exclusion plugin: Add pgAdmin rule exclusions plugin plugin-registry#9
Dev retreat topics
- Sandbox:
  - /juiceshop backend is active and running in production.
  - All requests that match a rule under /juiceshop receive a 403 Forbidden with the usual JSON/CSV/TXT output.
  - I’m writing an HTML matched rules output that should be the default output format for /juiceshop.
  - There are some FPs on juiceshop and we should develop an exclusion rule set for it (for example allow the PUT method).
  - Since there are RCE and SQLi vulnerabilities, we need to find a clean solution to “factory reset” the backend (maybe a crontab job that kills the container and recreates it via docker-compose).
- Documentation:
  - 📊 Anomaly scoring content: still stuck at 99% complete. Now has feedback from @dune73. Needs re-visiting.
  - 🔧 Development section: now in a PR! @theseion has left some comments, which need to be looked into.
    - Help required with the following headings:
      - When and Why to Anchor Regular Expressions
      - Lazy Matching
      - Writing RE2-compatible Regular Expressions
  - Testing section: ported from the wiki.
    - Help required with the following headings:
  - 🚒 Engine options and integrations: still todo.
  - 🧹 Final tidy up: todo, needs everything else to be finished first.
- Technical Blog Posts: FIXME
- Status page: There has not been additional progress in the Status page project.
- Coraza: FIXME
Other items
- 🔌 Plugins: Should they be allowed to set global (server context) ModSec/engine settings (e.g. SecCollectionTimeout)? Plugin activation / disabling per VH (virtual host)?
- Feature Freeze
Open Issues - Separate Issues Meeting (Monday, FIXME)
Status of issues covered last month
- Issue slot 1: #FIXME
- Issue slot 2: #FIXME
- Issue slot 3: #FIXME
- Issue slot 4: #FIXME
- Issue slot 5: #FIXME
- Issue slot 6: #FIXME
- Issue slot 7: #FIXME
- Issue slot 8: #FIXME
- Issue slot 9: #FIXME
- Issue slot 10: #FIXME
Stats
- Covered in chat: FIXME
- Closed: FIXME
- Pending: FIXME
This month's issues
There are FIXME open issues at the beginning of the issue chat.
We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.
- Issue slot 1: False Positive in PL2 with double encoded JSON data #2449
- Issue slot 2: Sandbox is wrong about in which PL a payload would be detected. #2450
- Issue slot 3: add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447
- Issue slot 4: Rule Id: 932150 false positive on time keyword #2044 - is this fixed by PR #2457 (932150: remove 'time' and 'ping' which are FP prone)?
- Issue slot 5: #FIXME
- Issue slot 6: #FIXME
- Issue slot 7: #FIXME
- Issue slot 8: #FIXME
- Issue slot 9: #FIXME
- Issue slot 10: #FIXME
How to get to our Slack and join the meeting
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite
Everybody is welcome to join our community chat.