Add functions to cover one half, the not encoded part, of issue 2509 #2567
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 tasks
|
@theseion There is a warning we need to fix before merging |
|
Do you mean the "Github Actions syntax check"? |
The octothorp character in YAML starts a comment. Quoting line 90 prevents the parser from treating the GH issue number as a comment.
62e8caa to
eb7d6ef
Compare
|
@fzipi should be fixed now. |
|
Shall we remove the |
|
Let me do a review first. |
|
Would appreciate that. The three PRs with the label are now really keeping back the BB PRs and we better get going with those. |
theseion
commented
Jun 19, 2022
tests/regression/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933160.yaml
Outdated
Show resolved
Hide resolved
|
@fzipi @franbuehler LGTM. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On behalf of @franbuehler
Replaces #2521 for v4.1/dev.
This PR tries to cover one half of issue #2512, the not Unicode encoded part, by adding some functions that were used in the bypass.
This PR only covers the reported functions, but maybe we should have a look at other document properties and not only document.domain (https://developer.mozilla.org/en-US/docs/Web/API/Document/domain).
And the same for atob(), btoa() and alert() (https://www.w3schools.com/jsref/obj_window.asp) -> I chose the PHP file because they have been mentioned together with eval() and the enhancement of this existing file was simple and quick. But maybe we should add a separate rule with Javascript functions instead of adding them to the existing PHP file?
Nevertheless, I'm pushing this PR now, also as a concrete basis for discussion. We can still make changes.
Next, we also need a PR to cover the Unicode part of the reported bypass. I'll have a look at this too.