Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

dune73 · 2022-07-19T16:57:24Z

This is the Agenda for the Monthly CRS Chat.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-08-01, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-08-15. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happend in the meantime since the chat last month

Outside development

Blog post explaining the delay
The CRS project entered an agreement with a PR company to help us with project marketing. The goal is the promote the project and participating as developer (we are not doing marketing to bring CRS to users, we do marketing to bring developers to our project!). This is paid for by our sponsors.
The CRS project has started to pay Christian Folini / @dune73 a small monthly sum for project coordination and various administration work. This is paid for by our sponsors.
There is a virtual hackathon running from Aug 1 to Aug 5 where CRS developers will write PRs to fix the remaining open bug bounty reports. This is happening in the private dev slack channel.
The 2022 CRS developer retreat will happen from Saturday Oct 29 to Saturday November 5, 2022. We'll stay in the Villa Cagnola near Varese, Italy. That's 20-30 min from Milano airport.

PRs that have been merged since the last meeting

We merged 10 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Sub projects

Demo / Sandbox site: There is a new sandbox mode that triggers a blockade / 403 if the anomaly score is above the treshold. This can be configured via a HTTP header.
Documentation: no change
Technical Blog Posts:
- @RedXanadu is slowly 🐢 🐌 working on a blog post idea: "A quantitative approach to false positives": Testing our regular expressions against large bodies of examples of natural language and seeing how different PLs compare for FPs (inspired by a Bug Bounty submission).
Status page: no change
Coraza: no news
GSoC: 2 midterm evaluations submitted: CVE: pass / ML: pass but with addition "I have some reservations about passing the contributor".

Other items

Sandbox: Should blocking with 403 be the new default behavior?
Restricted file types: We removed .axd from the restricted extensions list, but there's talk of adding it back. Should we leave it off the list? (Re: feat(extensions): added some archive extensions as restricted #2562)
feat(protocol): Accept, Accept-Charset and Content-Encoding protocol enforcement rules #2591 is at an impasse. Need to make a tough decision about the direction we are taking here.

Open Issues - Separate Issues Meeting (Monday, 2022-08-15)

First item on agenda: Status of the bug bounty findings
The turning to open PRs, namely bug bounty
Looking through bug bounty findings and how to attack the remaining open ones
Sandbox with different results than a local CRS installation

This month's issues

There are FIXME open issues at the beginning of the issue chat.

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

Issue slot 1: #FIXME
Issue slot 2: #FIXME
Issue slot 3: #FIXME
Issue slot 4: #FIXME
Issue slot 5: #FIXME
Issue slot 6: #FIXME
Issue slot 7: #FIXME
Issue slot 8: #FIXME
Issue slot 9: #FIXME
Issue slot 10: #FIXME

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

franbuehler · 2022-08-01T19:21:22Z

Meeting decisions

Other Items

Sandbox: Should blocking with 403 be the new default behavior?
-> Unless @fzipi and maybe @theMiddleBlue bring some cutting arguments in favor of 200 we'll change to 403 by default during the week.
Restricted file types: We removed .axd from the restricted extensions list, but there's talk of adding it back. Should we leave it off the list? (feat(extensions): added some archive extensions as restricted #2562)
-> If we removed .axd in 7 Dec 2020 and no one has noticed or complained… maybe we keep it simple and take it out for good. Assuming there are no objections or good reasons to add it back in. And if somebody has hard feelings we're open for a PR that adds a commented out variant with .axd to crs-setup.conf.
feat(protocol): Accept, Accept-Charset and Content-Encoding protocol enforcement rules #2591 is at an impasse. Need to make a tough decision about the direction we are taking here. We have 2 options to deal with:
- Max has created an admittedly hard and probably relatively slow regular expression. A manual regex.
- Karel has created a PoC script that writes an optimized regular expression. But the script is not ready for prime time. Integrating it into the regex-assembly would take some really hard work. And we're a bit worn down on that front.
  -> We agree on starting with Max' (fixed) regexp for now, and revisit the issue when the script by Karel is going places.

Open PRs

feat(xss): add js methods to prevent xss #2702 -> volunteer @fzipi as reviewer, he'll merge when ok.
fix(932105): update data list #2677 -> discussion around python regex still required; will happen in PR; @theseion in the lead
fix(932100): update data list #2676 -> ready to merge; waiting for approval from @fzipi; @theseion in the lead
Negative lookarounds for rule 941310 to stop matching Japanese word Company. #2666 -> ask for emulated look-around; @theseion in the lead
feat(list): update php errors list #2663 -> @fzipi needs to finalise documentation
feat: Split Node-Validator keywords functionally #2637 -> tests are failing; @theseion will check
fix(932200): detect windows style filepaths #2595 -> @fzipi will debug failing tests
feat(protocol): Accept, Accept-Charset and Content-Encoding protocol enforcement rules #2591 -> @karelorigin will analyse @theseion's regex, which will be used as a temporary solution until look-around emulation is ready
fix(942120): add collate operator #2584 -> @fzipi will resolve conflicts; @lifeforms assigned for review
fix(rce): block PHP function calls without trailing semi-colon (stricter sibling) #2581 -> @fziipi will review
fix(sqli): additional sqli auth bypasses #2575 -> assigned to @lifeforms for now
feat(rce): additional signatures for NodeJS RCE (934100) #2573 -> waiting for @karelorigin to update the PR

azurit · 2022-09-21T11:21:49Z

Can i close this?

dune73 · 2022-09-22T13:49:30Z

Absolutely. Thank you for cleaning up.

dune73 added the 🔖 Meeting Agenda label Jul 19, 2022

dune73 assigned fzipi and unassigned fzipi Aug 1, 2022

dune73 mentioned this issue Sep 4, 2022

feat(protocol): Accept, Accept-Charset and Content-Encoding protocol enforcement rules #2591

Closed

azurit closed this as completed Sep 22, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

Comments

Uh oh!

What happend in the meantime since the chat last month

Outside development

PRs that have been merged since the last meeting

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Sub projects

Other items

Open Issues - Separate Issues Meeting (Monday, 2022-08-15)

This month's issues

How to get to our slack and join the meeting?

Uh oh!

Meeting decisions

Other Items

Open PRs

Uh oh!

Uh oh!

Uh oh!