
Rule 942200 triggers a substantial number of false positives.

See original GitHub issue

Description

Not sure what rule 942200 is supposed to do exactly (as it’s not documented nor has tests), but it yields a lot of false positives. For example, a simple payload like this gets blocked: ?text=yes, bob's.

For the corpus wikipedia_2016_1M it yields 28342 results.

$ grep -i -E -c -f regexes.txt ./eng_wikipedia_2016_1M/eng_wikipedia_2016_1M-sentences.txt
28342

The most critical expression from 942200.data is ,.*?[)\da-f\"'`][\"'`][^\"'`]+ which alone yields 27983 results.

TBF, the rule doesn’t seem to be doing anything useful (except \Wselect.+\W*?from which doesn’t fit the rule and should be moved somewhere else) so I’d consider disabling it. One thing for sure: it needs documentation and tests.

The usage of the word space also seems to be a bug.
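To reproduce the false positive reported above, here is an added example that is not part of the issue, the comment thread or the CRS project. It takes the single expression the report quotes from 942200.data, runs it over a small constructed corpus (ordinary English sentences plus one SQLi-style payload), and shows which two characters inside a harmless sentence are what the character classes actually require. The sample sentences are constructed here; the only thing taken from the page is the regex, matched case-insensitively to mirror the report's grep -i.

```python
import re

# Added example, not from the issue or from CRS: the one alternative the
# report quotes from 942200.data. grep -i was used in the report, so
# IGNORECASE mirrors that.
BACKTICK_TERMINATION_RX = re.compile(r""",.*?[)\da-f"'`]["'`][^"'`]+""", re.IGNORECASE)

# Characters accepted by the first and second classes of the expression.
CLASS1 = ")0123456789abcdef\"'`"
QUOTES = "\"'`"

# Constructed sample corpus (not real traffic): a few English sentences plus
# one SQLi-style payload, so true and false positives can be told apart.
SAMPLE_CORPUS = [
    "yes, bob's.",               # the issue's own example payload
    "Yes, dad's car is red.",    # ordinary English with an apostrophe
    "Yes, that's fine.",         # also an apostrophe, but 't' is outside [a-f]
    "Hello world",               # no comma at all
    "id=1, 1' OR '1'='1",        # the kind of input the rule is presumably after
]


def matched_span(text):
    """Return the substring the 942200 expression matches in text, or None."""
    m = BACKTICK_TERMINATION_RX.search(text)
    return m.group(0) if m else None


def scan_corpus(lines):
    """Map each line to its matched span (None when the expression is silent)."""
    return {line: matched_span(line) for line in lines}


def hit_count(lines):
    """Number of lines the expression flags. On a corpus of ordinary sentences
    this is the false-positive count the issue measures with grep -c."""
    return sum(1 for line in lines if matched_span(line) is not None)


def explain(text):
    """Return the two-character pair that made the expression fire: a character
    from CLASS1 immediately followed by a quote or backtick. None if no match."""
    span = matched_span(text)
    if span is None:
        return None
    for i in range(1, len(span)):
        if span[i] in QUOTES and span[i - 1].lower() in CLASS1:
            return span[i - 1] + span[i]
    return span  # unreachable for a real match, kept for safety


if __name__ == "__main__":
    for line, span in scan_corpus(SAMPLE_CORPUS).items():
        tag = "HIT " if span else "pass"
        print(f"{tag} {line!r} -> {span!r} (trigger: {explain(line)!r})")
    print("hits:", hit_count(SAMPLE_CORPUS), "of", len(SAMPLE_CORPUS))
```

What this makes visible: after a comma, the expression only needs a hex letter or digit immediately followed by a quote or backtick, then at least one further non-quote character. "bob's" and "dad's" satisfy that, "that's" does not (t is outside [a-f]), so from a user's point of view which possessives get blocked is arbitrary. Case-insensitive matching widens the set further, which is consistent with the hit rate the report measured on a sentence corpus.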

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 1
  • Comments: 16 (7 by maintainers)

Top GitHub Comments

1 reaction
FYN-Michiel commented, Nov 10, 2022

Adding them to RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf works, learning every day 😃

For people finding this ticket:

SecRuleUpdateTargetById 942260 !REQUEST_COOKIES
SecRuleUpdateTargetById 942340 !REQUEST_COOKIES
SecRuleUpdateTargetById 942200 !REQUEST_COOKIES
SecRuleUpdateTargetById 942370 !REQUEST_COOKIES

SecRuleUpdateTargetById 920300 !REQUEST_HEADERS
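The exclusions in the comment above remove a whole collection (REQUEST_COOKIES or REQUEST_HEADERS) from each rule. As an added illustration that is not from the comment or from the CRS project, the fragment below shows three exclusion scopes for the 942200 false positive on a free-text form field, from broadest to narrowest. The parameter name text, the path /api/comment and the local rule id 10001 are assumptions made for the example.

```apache
# Added example, not from the issue or from CRS. Parameter name, path and
# rule id are illustrative assumptions.

# 1. Broadest: drop the rule entirely (what the issue author considers).
#    Nothing 942200 would catch is inspected anywhere. Goes in
#    RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf, after the rule exists.
SecRuleRemoveById 942200

# 2. Narrower: keep the rule but stop it inspecting one named argument on
#    every request. Also an AFTER-CRS directive, like the commenter's
#    !REQUEST_COOKIES lines, because it modifies an already loaded rule.
SecRuleUpdateTargetById 942200 "!ARGS:text"

# 3. Narrowest: exclude that argument only on the endpoint that actually
#    accepts free text. This is a rule of its own, so it belongs in
#    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: the ctl action applies to
#    the rules evaluated after it in the same transaction.
SecRule REQUEST_URI "@beginsWith /api/comment" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942200;ARGS:text"
```

The practitioner caveat: removing REQUEST_COOKIES from rules 942200, 942260, 942340 and 942370, as the comment does, means those four SQLi rules never see cookie values at all, so an injection delivered through a cookie is caught only if some other rule still inspects it. Scoping the exclusion to the specific parameter and endpoint that produce the false positive keeps that coverage.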
1 reaction
theseion commented, May 29, 2022

msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination' — space is a function in MySQL, apparently.

The SQLi rules are a mess and we’re in the process of cleaning them up. It will probably be a while before we can address this particular issue, so I’ve added a new sqli label.


Top Results From Across the Web

  • Handling False Positives with the OWASP ... - netnea: We will take a vanilla installation of the OWASP ModSecurity Core Rule Set (CRS) troubled by a large number of false positives and...
  • How to tune your WAF installation to reduce false positives: The first number given is the number of false positives. The second number is the ID of the rule that was triggered. The...
  • Troubleshoot - Azure Web Application Firewall - Microsoft Learn: Fixing false positives. With this information, and the knowledge that rule 942130 is the one that matched the 1=1 string, you can do...
  • [Owasp-modsecurity-core-rule-set] RegEx in CRS 3.0.2 ...: I've been looking at some false positives related to rule 942200. Side note, I'm running CRS 3.0.2 but the rules still have a...
  • Very large amount of false positives with rule 932200 #1818: no rule triggered at PL1 (is this sent on request body with content-type application/json?)
