8000 Backport v3.2 from v3.3 by emphazer · Pull Request #3347 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Backport v3.2 from v3.3 #3347

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Backport v3.2 from v3.3 #3347

wants to merge 1 commit into from

Conversation

emphazer
Copy link
Contributor

i tried to focus on critical changes.
i skipped #1805 for example.

8000
@emphazer emphazer requested a review from airween October 28, 2023 06:26
airween
airween requested changes Oct 31, 2023
View reviewed changes
Copy link
Contributor
@airween airween left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed the modifications, see the detailed comments above.

README.md
![Travis build v3.1/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.1/dev?label=v3.1%2Fdev)
![Travis build v3.0/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.0/dev?label=v3.0%2Fdev)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Test%20Ruleset%20against%20matrix/badge.svg?branch=v3.3%2Fdev)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we want to add the next version's URL into the README? Is there any reason?

rules/REQUEST-921-PROTOCOL-ATTACK.conf
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
# tests carried out on the primary request.
#
# [ References ]
# http://projects.webappsec.org/HTTP-Request-Smuggling
#
SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \
SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http\/\d|[\r\n])" \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this modification is not complete, a part of the new regex is missing after unlock): (?:\/|\w). The line in 3.3 is this:

SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+(?:\/|\w)[^\s]*(?:\s+http\/\d|[\r\n])" \

rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -84,7 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/\d|<(?:html|meta)\b)" \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there is an extra \ character here before the /\d. In 3.3 the operator's argument is this:

(?:\bhttp/\d|<(?:html|meta)\b)

(and not (?:\bhttp\/\d|<(?:html|meta)\b))

rules/REQUEST-921-PROTOCOL-ATTACK.conf
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not have paranoia-level/N tags in 3.2, you should remove this tag.

rules/REQUEST-921-PROTOCOL-ATTACK.conf
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/HTTP_SPLITTING',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.2.0',\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here you should add tag OWASP_CRS/3.2.3, not 3.2.0.

rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -121,7 +121,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An extra . (dot) is missing from here. The correct action is:

setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\

@fzipi fzipi mentioned this pull request Dec 4, 2023
Closed
@airween airween mentioned this pull request Jan 6, 2024
Merged
@dune73 dune73 mentioned this pull request Jan 8, 2024
Closed
@dune73 dune73 mentioned this pull request Feb 5, 2024
Closed
@theseion
Copy link
Contributor
theseion commented Feb 5, 2024

We have decided to close this PR and focus on the v4 release.

@theseion theseion closed this Feb 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@airween airween airween requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@emphazer @theseion @airween
0