Regression tests for rule 931110 might be broken
Issue originally created by user studersi on 2019-04-09 13:12:29. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1342
Type of Issue
The regression tests for rule 931110 in owasp-modsecurity-crs/util/regression-tests/tests/REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml might not effectively test the rule 931110.
Description
When I try to recreate the behaviour of the test request in 931110-1, the request is not blocked. But when I add parts of a URL, the request is blocked. This is consistent with the regex defined in rule 931110.
"@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/"
These are the requests I used to reproduce the problem.
$ curl -v 'https://xxx.ch/?_CONF[path]' 2>&1 | grep "< HTTP/2"
< HTTP/2 200
$ curl -v 'https://xxx.ch/?_CONF[path]=https://' 2>&1 | grep "< HTTP/2"
< HTTP/2 403
The URL used in the regression test looks like this:
uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]
According to the regex, this should not match, but somehow the automated tests still succeed in the context of the CRS Project. The same is true for other tests for this rule.
Your Environment
- CRS version: v3.1.0
- ModSecurity version: 2.9.1
- Web Server and version: apache2 2.4.25
- Operating System and version: Debian
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
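As an added example (not part of the original issue and not code from the CRS project), the following Python script applies the 931110 pattern quoted above to the query string of a few constructed request URIs, including the ones from the issue, and lists which of them would not fire the rule. It checks the regex only: ModSecurity's target selection and transformations are approximated here by URL-decoding the query string, which is an assumption, and the function names are the example's own.

```python
import re
from urllib.parse import urlsplit, unquote

# The pattern exactly as quoted from rule 931110 (CRS v3.1.0) in the issue.
# Python's re accepts the (?i) inline flag and the escaped slashes as-is.
RULE_931110 = re.compile(
    r"(?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]"
    r"|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root"
    r"|config\[root_dir\])=(?:file|ftps?|https?):\/\/"
)


def query_string(uri: str) -> str:
    """Return the URL-decoded query part of a request URI ('' if none).

    Assumption: decoding with unquote() stands in for the URL-decoding
    transformation ModSecurity applies before matching; the real rule
    also inspects other targets than the query string.
    """
    return unquote(urlsplit(uri).query)


def matches_931110(uri: str) -> bool:
    """True if the query string of `uri` hits the 931110 regex."""
    return RULE_931110.search(query_string(uri)) is not None


def non_matching(uris):
    """Return the URIs whose query string does NOT trigger the regex.

    A regression test built from such a URI cannot prove the rule fires:
    the regex requires the keyword to be followed by '=' and a
    file://, ftp://, ftps://, http:// or https:// prefix.
    """
    return [u for u in uris if not matches_931110(u)]


# Constructed sample inputs. The first three are taken from the issue text;
# the rest are variations made up for this example.
SAMPLE_TEST_URIS = [
    "/plugins/spamx/BaseAdmin.class.php?_CONF[path]",   # regression-test URI
    "/?_CONF[path]",                                    # curl request -> 200
    "/?_CONF[path]=https://",                           # curl request -> 403
    "/?_CONF[path]=HTTP://evil.example",                # case-insensitive scheme
    "/index.php?mosConfig_absolute_path=ftp://evil.example/x",
    "/?GALLERY_BASEDIR=file%3A%2F%2Fetc",               # encoded 'file://'
    "/?config[root_dir]=gopher://evil.example",         # scheme not in the list
    "/?include(foo=https://evil.example",               # include( branch
]

if __name__ == "__main__":
    for uri in SAMPLE_TEST_URIS:
        print(f"{'MATCH   ' if matches_931110(uri) else 'no match'}  {uri}")
    print("\nTest inputs that would not fire 931110:")
    for uri in non_matching(SAMPLE_TEST_URIS):
        print("  ", uri)
```

Running the script reproduces the observation in the issue: `_CONF[path]` alone never matches, while `_CONF[path]=https://` does, because the alternation is anchored by the trailing `=(?:file|ftps?|https?):\/\/`. Any regression test whose payload lacks that suffix passes only if it is not actually executed or is expected to be allowed.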
Top GitHub Comments
User studersi commented on date 2019-04-09 14:22:36:
Thanks for the quick response fgsch. I missed the fact that there are disabled rules, but this explains it.
I’ll look into it this weekend, I might be able to fix a few of them.
User studersi commented on date 2019-04-13 11:41:28:
Ok, I created a pull request here: https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1350.