Description
This is the Agenda for the two Monthly CRS Chats.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-09-02, at 20:30 CEST. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2024-09-16. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Archived previous meetings and their decisions are here.
What happened in the meantime since the chat last month
Outside development
Blog Posts that mention CRS
- FIXME: Please fill in
Inside development
Rules
- FIXME: Please fill in
CRS Sandbox
- FIXME: Please fill in
Security
- 🔧 We released 4.6.0 and 3.3.6, which fix some potential problems with multipart headers.
Plugins
- FIXME: Please fill in
Documentation and Public Relations
- 🎉 Our friends over at OWASP ModSecurity have taken control of modsecurity.org which is live again after several years! They've published a new blog post to mark the occasion.
Project Administration and Sponsor relationships
- @fzipi has started doing more project administration and will onboard sponsor relationship building along with OWASP's Projects Director Starr Brown.
Tools
- 🧪 Test and test override files now have JSON schemas on schemastore.org
Testing incl. Seaweed and many future plans
- No news here.
Containers
- A new container release with CRS 4.6.0 was released.
CRS Status Page
- FIXME: Please fill in
Project discussions and decisions
- (↓ Is it possible to clarify/state what the project discussion or decision is that we need to make here? Or should we move these issues to the issues chat so that we will have something to discuss at the issues chat?)
- fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
- feat: refactoring (944110 PL1) #3715
Rules development, key project numbers
PRs that have been merged since the last meeting
- chore: merge back after 3.3.6 release #3807
- Release/v3.3.6 #3806
- fix: update supported versions #3805
- chore: post-release v4.7.0-dev #3803
- feat: add new rule to catch invalid character in multipart headers (v3) #3797
- chore: release v4.6.0 #3802
- test: enable disabled 920480 tests #3801
- feat: add new rule to catch invalid character in multipart headers #3796
- fix: prevent using backslash in file names (v3) #3800
- fix: prevent using backslash in file names #3799
- fix(942160): check REQUEST_FILENAME #3782
- ci: fix docker compose call #3798
- fix: tests typos #3794
- docs: improve documentationt of 941160 #3790
We merged 14 PRs since the last monthly project chat.
Open PRs
Open PRs marked DRAFT or work in progress or needs action
- feat: added rule to detect Bash Brace Expansion #3780
- feat: refactoring (944110 PL1) #3715
- fix(security): resolve SQL injection protection bypass (942380 PL2) #3720
- feat: accidental firewall disability prevention #3650
- fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) #3735
- feat: improve detection of onwebkitplaybacktargetavailabilitychanged event #3734
- fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) #3741
- Review the documentation #3809
Separate 2nd Meeting (Monday, 2024-09-16)
We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.
- Issue slot 1: feat: add product name tags #3815. @RedXanadu is going to make sense of this, @fzipi will help if needed.
- Issue slot 2: feat: added rule to detect Bash Brace Expansion #3780
- Issue slot 3: feat: added detection for quote evasion #3813
- Issue slot 4: False positive response to a combination of Cyrillic letters. #3793
Other topics
- FIXME: Please fill in
How to get to our Slack and join the meeting
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite
Everybody is welcome to join our community chat.