8000 fix: 933160 regex by theMiddleBlue · Pull Request #2301 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix: 933160 regex #2301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: 933160 regex #2301

wants to merge 1 commit into from

Conversation

theMiddleBlue
Copy link
Contributor

removed suffix #* and //* from regex since isn't a valid PHP syntax

system#("ls");
system//("ls");

the only valid syntax should be

system/*foo*/("ls");

This was referenced Nov 10, 2021
Merged
Closed
@theMiddleBlue theMiddleBlue marked this pull request as draft November 10, 2021 14:48
@theMiddleBlue
Copy link
Contributor Author

switched to draft because a valid syntax could be something like

$a = ["system"];
$a #foo
	[0] //bar
	('ls');

so we need a different solution :(

@theMiddleBlue theMiddleBlue marked this pull request as ready for review November 10, 2021 15:34
theseion
theseion reviewed Nov 11, 2021
View reviewed changes
util/regexp-assemble/data/933160.data Outdated
@@ -24,7 +24,7 @@

##!+i
##!^\b
##!$(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)
##!$\(.*\)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After removing whitespace and comment markers you might miss this:

=array_map\n#dummy comment\n('gotcha')

which would be converted to:

=array_mapdummycomment('gotcha')

Removing whitespace could be ok I guess but removing comment markers will break the rule.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, your example payload doesn't match anymore :/ The problem we need to solve is just the //.* part of the regex. I'm switching this to draft while looking for a solution tnx

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you can work around it by matching the end of the line, since // will comment everything up to the end:

//[^\n\r]*[\n\r]\(.*\)

@theMiddleBlue theMiddleBlue marked this pull request as draft November 12, 2021 07:16
@fzipi fzipi mentioned this pull request Dec 4, 2021
Closed
@dune73
Copy link
Member
dune73 commented Dec 6, 2021

What is the status here?

@fzipi fzipi mentioned this pull request Jan 2, 2022
Closed
@fzipi
Copy link
Member
fzipi commented Feb 3, 2022

IMHO, I don't think we can solve the aliasing problem using secrules. So we should stick with something with less coverage, but functional.

@fzipi fzipi mentioned this pull request Feb 7, 2022
Closed
@fzipi fzipi mentioned this pull request Mar 6, 2022
Closed
@fzipi fzipi mentioned this pull request Apr 4, 2022
Closed
@dune73 dune73 mentioned this pull request May 2, 2022
Closed
@fzipi fzipi mentioned this pull request Jun 5, 2022
Closed
@dune73 dune73 mentioned this pull request Jul 4, 2022
Closed
@fzipi fzipi mentioned this pull request Aug 1, 2022
Closed
@fzipi fzipi mentioned this pull request Sep 5, 2022
Closed
@fzipi fzipi mentioned this pull request Oct 2, 2022
Closed
@dune73 dune73 mentioned this pull request Apr 17, 2023
Closed
@theMiddleBlue theMiddleBlue force-pushed the fix-933160 branch 2 times, most recently from 7a1d7a9 to 9f37d51 Compare April 18, 2023 19:34
@theMiddleBlue theMiddleBlue changed the base branch from v3.4/dev to v4.0/dev April 18, 2023 19:36
@theMiddleBlue theMiddleBlue changed the title fix 933160 regex fix: 933160 regex Apr 18, 2023
@theMiddleBlue
Copy link
Contributor Author

rebased on v4.0/dev

@theMiddleBlue
Copy link
Contributor Author

it seems that regex assembly has done the magic, the produced regex is no more affected by ReDoS!
basically we can close this PR.

but I think the rule regression tests need to be fixed...

Can anyone explain why we're doing this?

$ grep 'Print_r' tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml 
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29
            data: x=Print_r%28%20%29

maybe there's a good reason, but all these tests pass just because the rule matches always the same payload.

@theMiddleBlue
Copy link
Contributor Author

better opening an issue for this.
closing 🎉

@theseion
Copy link
Contributor

Ha, nice :D

@theseion
Copy link
Contributor

I agree on the tests. They're garbage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@theseion theseion theseion left review comments

Assignees
No one assigned
Labels
👀 Needs action
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@theMiddleBlue @dune73 @fzipi @theseion
0