coreruleset · Xhoenix · Jun 28, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 21, 2024
diff --git a/regex-assembly/932175.ra b/regex-assembly/932175.ra
@@ -16,8 +16,13 @@
   \b\s+
   ##!=>
 
+  ##! match flags
+  (?:[+\-][a-z]+\+?\s+)?
+  ##!=>
+
   ##! match the alias name
-  ['"\w!%,@]+
+  ##! The '.' and '-' character match payloads like "alias ls-al='ls -al'" and "alias ..='cd ..'"
+  [.'"\w!%\-,@]+
   ##!=>
 
   ##! match equals something

diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -647,7 +647,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932175
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s\b[\s\x0b]+[!\"%',0-9@-Z_a-z]+=[^\s\x0b]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s\b[\s\x0b]+(?:[\+\-][a-z]+\+?[\s\x0b]+)?[!\"%',-\.0-9@-Z_a-z]+=[^\s\x0b]" \
     "id:932175,\
     phase:2,\
     block,\

diff --git a/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml b/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932175.yaml
@@ -163,3 +163,111 @@ tests:
             version: HTTP/1.1
           output:
             log_contains: id "932175"
+  - test_title: 932175-10
+    desc: "Test for alias with -p argument"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: "/post"
+            data: |
+              rce=alias -p jzfrx=id
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"
+  - test_title: 932175-11
+    desc: "Test for alias with zsh flags"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: "/post"
+            data: |
+              rce=alias -gmr a=b
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"
+  - test_title: 932175-12
+    desc: |
+      Test for alias with zsh '+' flags.
+      Payload: "alias +m a=b"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            uri: "/get?rce=%61%6c%69%61%73%20%2b%6d%20%61%3d%62"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"
+  - test_title: 932175-13
+    desc: |
+      Test for alias with trailing '+' in a flag.
+      Payload: "alias +g+ a=b"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: GET
+            port: 80
+            uri: "/get?rce=%61%6c%69%61%73%20%2b%67%2b%20%61%3d%62"
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"
+  - test_title: 932175-14
+    desc: "Test for alias with zsh flags"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: "/post"
+            data: |
+              rce=alias ls-al='ls -al'
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"
+  - test_title: 932175-15
+    desc: "Test for alias with zsh flags"
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              Host: localhost
+              User-Agent: "OWASP CRS test agent"
+            method: POST
+            port: 80
+            uri: "/post"
+            data: |
+              rce=alias ..='cd ..'
+            version: HTTP/1.1
+          output:
+            log_contains: id "932175"