Closed
Description
This is the Agenda for the two Monthly CRS Chats.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-03-06, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-03-20. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
- 🇮🇪 The CRS Community Summit took place in Dublin and was a success. 15 CRS developers, users, and interested parties attended a day of CRS-related talks. The videos are available at https://www.youtube.com/@owaspmodsecuritycoreruleset; a blog post is in the making.
- 🌍 OWASP Global AppSec Dublin 2023 also took place, with several project members in attendance. Note that OWASP has officially changed its name (the W has changed from Web to Worldwide).
- Commercial ModSecurity integrator Atomicorp hosted an online conference. The videos have been published at https://atomicorp.wistia.com/projects/rkpj16lgce
Inside development
Rules
- FIXME: Please fill in
CRS Sandbox
- fix sandbox bot (update, status)
- add response header `x-crs-last-commit` with the last commit hash
CRS Bug Bounty and Security
- All bug bounty findings addressed, everything blocked at PL2 (with very few won't-fix items).
- We're currently tracking 4 security reports in our private repo.
Plugins
- added test infrastructure and a couple of tests to the nextcloud plugin
- fixed some setup issues with plugin tests
Documentation and Public Relations
- 📜 New blog post published: A new rule to prevent SQL in JSON. Covers our new rule 942550, which combats the recent JSON SQL syntax problem.
- regex-assembly documentation has been updated.
- Website (which includes documentation) updated with new OWASP name: Web -> Worldwide.
- Issue templates have been updated. They ask for example curl requests to reproduce the problem now.
Project Administration and Sponsor relationships
- No news to report, other than OWASP is currently paying out CRS reimbursement requests for the dev retreat last year.
Tools
- work started on separating the test specification from the test runner; this will allow us to evolve the test format and have proper versioning
- crs-toolchain no longer includes any patterns that end up in the output (except for some internal fixups). Instead, patterns such as those used by the `cmdline` processors are read from the `toolchain.yaml` configuration file.
Testing incl. Seaweed and many future plans
- Seaweed: we detached the repo and fixed CI runs by upgrading the nuclei version.
Containers
- Latest version published with tag ending in `202303020603` now creates a new certificate (if it doesn't exist) dynamically each time you start the container. This fixes the long-standing problem of shipping the certificate baked into the image.
CRS Status Page
- No news to report. Waiting for CRS v4 until we pick this up for real.
Project Decisions
- FIXME: Please fill in
Rules development, key project numbers
PRs that have been merged since the last meeting
- feat: make 920600 more lenient #3145
- docs: update Slack invitation URL #3142
- fix: add rce detection in request headers #3132
- fix(test): update user-agent across all tests (#3136) #3137
- fix(test): update user-agent across all tests #3136
- chore: adds 426 and 505 status codes for HTTP/0.9 tests #3134
- fix: few invalid uri for 934130 and 934131 tests #3133
- fix: disallow access to /tmp/ #3131
- fix: detect IXMZUXBG #3130
- feat: combined PL2 rule for unix RCE #3128
- fix: detect quote evasion (N9FKP2XQ) #3120
- chore: add tests for 5ZLKNU33 #3123
- feat: add method override headers to restricted headers, rules 900250 and 901165 #3056
- fix: PHP errors data file #3119
- feat: consolidate unix evasion prefix #3126
- feat(932150): apply same philosophy behind 932100 #3092
We merged 16 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT or work in progress or needs action
- fix: TBA #3151
- feat(config): Adds enable_default_collections flag to do not initialize collections by default #3141
- feat: Split Node-Validator keywords functionally #2637
- docs: Rewrite issue templates for false positives and false negatives #3135
- Negative lookarounds for rule 941310 to stop matching Japanese word Company. #2666
- Update REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example #2878
- Util to find English words on .data #3029
- fix: Rework restricted headers #3152
Open issues and PRs
- As of Monday, we have 101 open issues.
- As of Monday, we have 16 open pull requests.
Agenda for Monthly meeting
- (themiddle) detailed changelog for integrators
- (themiddle) many `referer` and `user-agent` request header FPs in 4.0
- Status of keyword lists update
- Synapse windows command injection false positive #2998: Do we want to add `t:htmlEntityDecode` on 932115?
Separate 2nd Meeting (Monday, 2023-03-20)
- Plugins may need to be able to hook into any of the rules files #3154: do we go ahead with the proposed solution, for plugins to duplicate default values if they require them?
- Slack message from @jcchavezs: Hallo CRSers, could something like https://github.com/jcchavezs/coraza-httpbin replace the CRS playground? It is httpbin with coraza as reverse proxy. Does it make sense?
- Status keyword list updates
- Mark Curphey retiring from OWASP board of directors after "open letter" was not adopted fast enough. Announces new organization that will work with "focused, planned and coordinated set of sustainably high quality projects". Also promises central funding of development. (https://www.linkedin.com/pulse/yesterdays-owasp-board-directors-meeting-i-resigned-my-mark-curphey/)
How to get to our Slack and join the meeting
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite.
Everybody is welcome to join our community chat.