fix: remove .env from lfi-os-files.data #4024
Conversation
`.env` is probably the most generic entry in `lfi-os-files.data`. Unfortunatlye, since the words are matched using `@pmFromFile`, `.env` is easily matched as a substring. Most other entries are fairly unique or have a prefix or suffix that makes it unlikely for them to become FPs. Note that `.env` is only commented out on purpose. `lfi-os-files.data` is also used as the base for other word files (e.g., `restricted-files.data` and since `.env` hasn't been an issue there until now, we don't want to remove it from those lists. Fixes coreruleset#3775
|
📊 Quantitative test results for language: |
|
You haven't added another rule to detect env files, or will it still be detected on REQUEST_FILENAME? It's really common for bots to scan for env files. I'm on mobile so it's a bit hard for me to check |
|
|
|
Everything else LGTM then, can you add a test to make sure it's not accidently uncommented? |
|
Done |
|
The intention is understandable (reduce the number of false positives), but during the log analysis I usually found attempts to access to Would it be possible to reorganize the data file, split it into two parts and create a sibling rule which is more strict on a higher PL? |
|
Yes, I just figured, it wasn't worth the effort. |
Not necessarily. Here is an example: This is the most frequent match. And now I see it's still covered by 930130 - so sorry for the noise :). |
.envis probably the most generic entry inlfi-os-files.data. Unfortunatlye, since the words are matched using@pmFromFile,.envis easily matched as a substring. Most other entries are fairly unique or have a prefix or suffix that makes it unlikely for them to become FPs.Note that
.envis only commented out on purpose.lfi-os-files.datais also used as the base for other word files (e.g.,restricted-files.dataand since.envhasn't been an issue there until now, we don't want to remove it from those lists.Fixes #3775