fix(sqli): additional regular expressions for SQL auth bypass #2557
406d8e1 to f232001
Hi @karelorigin, thanks for sending this!
Hi! This PR should also be able to catch a NoSQL bypass reported by @hussein98d in
This also covers
Hi @dune73, I've updated my original comment to better outline the reports this PR applies to. That should be the complete list of reports relevant to this PR.
Thank you. We'll get to the question of
CRS Bug Bounty PR assessment
This is not meant to be final. As a CRS dev, feel free to comment below and edit this form directly. As committer or observer, feel free to comment below with feedback and we will think about updating the assessment accordingly.
CRS TODO: add a comment on file util/regexp-assemble/data/942340.data lines 43-47 on why those are there, so documentation is in one file (we can't ask this in this PR, wasn't agreed in the first place).
Hi @karelorigin! Inevitably, we ran into conflicts after we started merging. Can you help us resolve this one?
Hey @fzipi, yeah for sure! I could rebase but that rewrites git history and will probably create a mess, so I'll try to do it via the GitHub interface. Will work on it as soon as I get the chance (might take a couple of days)
Hi @karelorigin, there seem to be still some odd conflicts, could you solve them or do you need help?
@lifeforms, I've been super busy but I'll get on this ASAP. I should be able to resolve them just fine but I'll definitely ask for help if I need it. Sorry about that!
a00e94a to ffaa90f
Resolved all conflicts, should be fine merging this now :)
Looks awesome! Thanks @karelorigin for this PR! 🎉
This PR contains new regular expressions for different kinds of auth bypasses. In an ideal world, these would be inside the operator dataset, but unfortunately, they look too much like normal sentences to accurately block.
Edit: DV2UKLP4, 2AUWUOVF, RICGZH4Q) YPWZU6PD and Q6FBUFOD)