8000 fix: remove sql function names to resolve false positives (942151 PL1) by franbuehler · Pull Request #3973 · coreruleset/coreruleset · GitHub

fix: remove sql function names to resolve false positives (942151 PL1) #3973

Merged
merged 10 commits into from
Jan 10, 2025
5 changes: 4 additions & 1 deletion regex-assembly/942151.ra
Expand Up @@ -3,4 +3,7 @@

##!+ i

##!> include sql-injection-function-names
##!^ \b
##!$ \W*\(

##!> include-except sql-injection-function-names sql-injection-function-names-fps-pl1
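Review bot: The `include-except` on the last line removes `convert`, `left`, `elt`, `lower`, `position` and the other names in the new exclude file from the PL1 regex, but nothing in this PR adds a positive test showing those names are still detected somewhere else; if 942152 is the higher-paranoia counterpart (it still pulls in the full list), a payload such as `convert(int,(select ...))` asserted against 942152 would pin the intended coverage split. `convert(` in particular is a common building block of MSSQL error-based injection, so the trade-off deserves a one-line justification in this file, e.g. `##! Names in sql-injection-function-names-fps-pl1.ra are dropped here (PL1) to avoid false positives on prose; see the FP tests in 942151.yaml.`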
3 changes: 3 additions & 0 deletions regex-assembly/942152.ra
Expand Up @@ -3,4 +3,7 @@

##!+ i

##!^ \b
##!$ \W*\(

##!> include sql-injection-function-names
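Review bot: The `##!^ \b` and `##!$ \W*\(` lines are now duplicated between this file and 942151.ra, having been removed from the shared include, so the two rules can silently diverge if one is edited alone. A comment on the prefix line such as `##! prefix/suffix must stay in sync with 942151.ra` would make the coupling visible; moving the two lines into their own include fragment would remove it. Unlike 942151.ra this file still includes the unreduced function-name list, which looks intentional but is worth stating in the header so the asymmetry is not "fixed" later.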
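--- /dev/null
+++ b/regex-assembly/exclude/sql-injection-function-names-fps-pl1.ra
@@ -0,0 +1,16 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##! This list excludes command words that are prone to cause false positives
+##! at paranoia level 1.
+
+convert
+degrees
+elt
+left
+likelihood
+lower
+position
+quarter
+space
+unlikely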
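Review bot: The header comment calls the entries "command words", but every entry is a SQL function name taken from `include/sql-injection-function-names.ra`, and the comment does not say where the excluded names are still matched. Suggested wording: `##! SQL function names excluded from 942151 (PL1) because they are common in natural-language text ("left (", "quarter (", "degrees ("); the unreduced list is still used by 942152.ra.` Since `include-except` can only drop an entry that matches the include file's spelling exactly, a note asking editors to keep entries byte-identical to the include list (and alphabetically sorted, as they are now) would prevent a silent no-op exclusion.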
3 changes: 0 additions & 3 deletions regex-assembly/include/sql-injection-function-names.ra
@@ -1,9 +1,6 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.

##!^ \b
##!$ \W*\(

adddate
addtime
aes_decrypt
2 changes: 1 addition & 1 deletion rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Expand Up @@ -107,7 +107,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 942151
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|
to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_
user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
"id:942151,\
phase:2,\
block,\
215 changes: 201 additions & 14 deletions tests/regression/tests/REQUEST-942-APPLICATION-ATTACK-SQLI/942151.yaml
@@ -1,6 +1,6 @@
---
meta:
author: "Christian Folini, azurit"
author: "Christian Folini, azurit, Franziska Bühler"
description: Various SQL injection tests
rule_id: 942151
tests:
Expand All @@ -17,7 +17,7 @@ tests:
port: 80
uri: "/post"
data: "var=foo'||(select extractvalue(xmltype('<?xml version=\"1.1\" encoding=\"UTF-8\"?><!DOCTYPE root [ <!ENTITY % tocob SYSTEM \"https://unit'||'tests.coreruleset.org/\">%tocob;"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -34,7 +34,7 @@ tests:
port: 80
uri: "/post"
data: "var=/config.txt' (select load_file('\\\\\\\\unittests.coreruleset.org\\\\zow')) '"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -51,7 +51,7 @@ tests:
port: 80
uri: "/post"
data: "var=(select load_file('\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\unitests.corerule'||'set.org\\\\\\\\\\\\\\\\hvs'))"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -68,12 +68,12 @@ tests:
port: 80
uri: "/post"
data: "var=, FIND_IN_SET('22', Category )"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
- test_id: 5
desc: "SQL injection using 'likelihood' function"
desc: "SQL injection using 'substring' function"
stages:
- input:
dest_addr: 127.0.0.1
Expand All @@ -84,8 +84,8 @@ tests:
method: POST
port: 80
uri: "/post"
data: "email=1'%20%2B%201%20is%20likelihood(0.0%2C0.0)%20is%201--"
version: HTTP/1.0
data: "email=%27%20AND%20SUBSTRING%28%28SELECT%20Password%20FROM%20Users%20WHERE%20Username%20%3D%20%27Administrator%27%29%2C%201%2C%201%29%20%3E%20%27m"
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -102,7 +102,7 @@ tests:
port: 80
uri: "/post"
data: "email=admin%40example.com'%20or%20sqlite_compileoption_used%20(id)--"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -119,7 +119,7 @@ tests:
port: 80
uri: "/post"
data: "email=admin%40example.com'and%20not%20sqlite_compileoption_get%20(id)--"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -135,7 +135,7 @@ tests:
method: GET
port: 80
uri: "/get/index.php?id=starts_with(password,'a')::int"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -151,7 +151,7 @@ tests:
method: GET
port: 80
uri: "/get/index.php?id=jsonb_pretty(...(1,password)::jsonb)::int"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -167,7 +167,7 9E7A @@ tests:
method: GET
port: 80
uri: "/get/index.php?id=...(json_build_object(1,password)::jsonb)::int"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
Expand All @@ -183,7 +183,194 @@ tests:
method: GET
port: 80
uri: "/get/index.php?id=unistr(password)::int"
version: HTTP/1.0
version: HTTP/1.1
output:
log:
expect_ids: [942151]
- test_id: 12
desc: "False positive with elt ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=Weitere überlieferte Bezeichnungen sind Harsle (1319), Crucesignati in Herslo (1475) und Haßelt (1599)."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 13
desc: "False positive with left ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=Left (WA, RR), following wood edge south (‘Restrictive Byway’/RB) for ½ mile to Pangfield Farm (564719)."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 14
desc: "False positive with quarter ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=One quarter (24%) of people have had an affair and cheated on a partner at some point in their lives, according to results released today."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 15
desc: "False positive with space ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=You can choose between front up to maximise space (ideal for art and drawing), left up (for right handed users) and right up (for left handed users)."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 16
desc: "False positive with likelihood ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: 'payload=A maximum of the likelihood function occurs at the same parameter-value as a maximum of the logarithm of the likelihood (the "log likelihood"), because the logarithm is an increasing function.'
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 17
desc: "False positive with lower ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=Below the rank of species he sometimes recognized taxa of a lower (unnamed) rank ; these have since acquired standardised names such as variety in botany and subspecies in zoology."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 18
desc: "False positive with convert ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=Grasshopper v1.0 made its eighth, and final, test flight on October 7, 2013, flying to an altitude of convert (0.46 miles) before making its eighth successful VTVL landing."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 19
desc: "False positive with position ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=In older texts printed down to c. 1630, v was used in initial position (even when it represented a vowel, e.g. in vt, later printed ut) and u was used elsewhere, e.g. in nouus, later printed novus."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 20
desc: "False positive with degrees ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=The measures of the interior angles of the triangle always add up to 180 degrees (same color to point out they are equal)."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 21
desc: "False positive with unlikely ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=There are numerous causes of asystole that may be reversible if determined quickly enough, however, survival is very unlikely (~2% if not in a hospital)."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
- test_id: 22
desc: "False positive with left, ("
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "payload=The script is written from right to left, (Lal 1966) and sometimes follows a boustrophedonic style."
version: HTTP/1.1
output:
log:
no_expect_ids: [942151]
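Review bot: test_id 5's original `likelihood(0.0,0.0)` payload is deleted rather than relocated, so after this PR no positive test anywhere asserts that an injection built on one of the ten excluded names still fires at a higher paranoia level; if 942152 is that counterpart, the old payload belongs in `942152.yaml` with `expect_ids: [942152]`. The new negative tests 12–22 only exercise the prose form `word (` (plus `left, (`), which is right for false positives, but one `no_expect_ids: [942151]` test on an attack form such as `elt(1,password)` would document that the PL1 coverage loss is deliberate rather than accidental. The `HTTP/1.0` → `HTTP/1.1` edits to the pre-existing tests are unrelated to the rule change and would be easier to bisect as a separate commit.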