
Review recent changes to rule 942370


_Issue originally created by user fgsch on date 2019-08-09 13:07:17. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1504._

We recently updated rule 942370 (commit 62e7a8d2d68fe38f2acfe1335839b7caf09aed70 via #1466).

I believe there are a number of issues with this change:

  • The resulting pattern doesn’t make much sense to me
  • We removed part of the pattern from the .data file
  • We added (12) unnecessary capture groups

The last 2 points are self-explanatory. For the first one, we now have:

^[\w\s\"'`-]*(and\s)(?:(between)|(and\s)|(like)|(div)|(xor)|(or))(xor\s)(nand\s)(not\s)(\|\|)(\&\&)\w+\(

Which seems incorrect. This is not to say that the previous pattern was better:

^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\(

I’d rather try to understand the intent here and find a suitable replacement or remove it altogether.

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8

Top GitHub Comments

CRS-migration-bot commented, May 13, 2020

User fgsch commented on date 2019-08-09 17:59:17:

Nobody’s fault, things happen. Sure, if you have the time please go ahead 👍

CRS-migration-bot commented, May 13, 2020

User franbuehler commented on date 2019-08-09 17:52:29:

I reviewed this Pull Request #1466.

  1. Yes, the resulting pattern is wrong! The result of $ util/regexp-assemble/regexp-assemble.pl util/regexp-assemble/regexp-942370.data is:
(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`])

without these capturing groups! I am sorry, I do not know how I could overlook that! I have no clue. Maybe I concentrated on the regexes in the data file and not on the result of the assembly tool.

  2. Yes, that is true. The removed parts do not make sense. Therefore I (or dune73) opened #1477. I would like to bring back the originally intended regular expressions.

  3. They are gone now.

Does that make sense to you fgsch?
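The following is an added check, not code from the issue or from the CRS project, that puts the three patterns quoted in this thread (the changed rule 942370 regex and the previous lookbehind form from the issue description, and the regexp-assemble output from the comment above) side by side in Python's re module. It counts capture groups and runs each pattern over a handful of constructed sample strings (the probes, the benign strings and the "nonsense" input are all made up here for illustration) to show why the changed pattern cannot match realistic probing, why the lookbehind form can never match anything, and that the assembled pattern carries no capture groups at all. Python's regex dialect differs slightly from the PCRE that ModSecurity uses, but nothing in these three patterns depends on that difference.

```python
import re

# Pattern quoted in the issue as the result of the change to rule 942370.
NEW_PATTERN = r"""^[\w\s\"'`-]*(and\s)(?:(between)|(and\s)|(like)|(div)|(xor)|(or))(xor\s)(nand\s)(not\s)(\|\|)(\&\&)\w+\("""

# Pattern quoted in the issue as the previous (lookbehind) form of the rule.
OLD_PATTERN = r"""^[\w\s\"'`-]+(?<=and\s)(?:(?<=between)|(?<=and\s)|(?<=like)|(?<=div)|(?<=xor)|(?<=or))(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\("""

# Pattern quoted in the comment as the output of regexp-assemble.pl on regexp-942370.data.
ASSEMBLED_PATTERN = r"""(?:[\"'`](?:\s*?(?:(?:\*.+(?:(?:an|i)d|between|like|x?or|div)\W*?[\"'`]|(?:between|like|x?or|and|div)\s[^\d]+[\w-]+.*?)\d|[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`]|[^\w\s]+\s*?[\W\d].*?(?:--|#))|.*?\*\s*?\d)|[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]|\^[\"'`])"""

# Constructed sample inputs (not taken from the issue). The probes are the kind of
# quote-plus-keyword or quote-plus-comment fragments a "classic SQL injection probing"
# rule is meant to flag; the benign strings are ordinary text that must not be flagged.
PROBES = [
    "' and x=10",   # quote, boolean keyword, comparison ending in digits
    "'; --",        # quote, statement terminator, comment sequence
    "^'",           # caret directly followed by a quote
]
BENIGN = [
    "O'Reilly",     # an apostrophe in a name
    "hello world",
    "and or",       # keywords without a quote
]
# The only shape of input the changed pattern accepts: every one of its groups, in order.
NONSENSE = "and betweenxor nand not ||&&sleep("


def capture_groups(pattern: str) -> int:
    """Number of capturing groups the compiled pattern defines."""
    return re.compile(pattern).groups


def matches(pattern: str, sample: str) -> bool:
    """True if the pattern matches anywhere in the sample (ModSecurity's @rx semantics)."""
    return re.search(pattern, sample) is not None


def evaluate(pattern: str) -> dict:
    """Summarise how a pattern behaves on the constructed samples."""
    return {
        "groups": capture_groups(pattern),
        "probes_hit": [p for p in PROBES if matches(pattern, p)],
        "benign_hit": [b for b in BENIGN if matches(pattern, b)],
        "nonsense_hit": matches(pattern, NONSENSE),
    }


if __name__ == "__main__":
    for name, pattern in (("changed", NEW_PATTERN),
                          ("previous", OLD_PATTERN),
                          ("assembled", ASSEMBLED_PATTERN)):
        print(name, evaluate(pattern))
```

The changed pattern reports 12 groups and hits none of the probes: its groups are simply concatenated, so the subject has to contain "and ", a second keyword, "xor ", "nand ", "not ", "||" and "&&" back to back, as in the constructed NONSENSE string. The previous pattern compiles but never matches, because its stacked lookbehinds demand that the same position be preceded by both "and " and "xor ". The assembled pattern has zero capture groups, hits all three probes and none of the benign strings.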
