fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by EsadCetiner · Pull Request #3840 · coreruleset/coreruleset · GitHub
fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) #3840


Open
wants to merge 10 commits into
base: main
1 change: 1 addition & 0 deletions regex-assembly/933160.ra
Expand Up @@ -40,6 +40,7 @@ md5
opendir
passthru
popen
printf
readfile
tmpfile
unpack
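Review bot: `printf` is inserted in alphabetical order between `popen` and `readfile`, matching the file's convention, and the header's `+40,7` agrees with exactly one added line. Because 933160 entries are compiled into a regex that requires `\b` before the name and a `(...)` argument list after it, moving the word here is what stops the case-insensitive substring `printF` inside `SprintForTheCause` from matching; please regenerate rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf with `crs-toolchain regex update 933160` rather than editing the regex by hand so the two files stay in sync.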
10 changes: 5 additions & 5 deletions rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Expand Up @@ -274,27 +274,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
# Four separate rules are used to detect these groups of functions:
#
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
# - Rule 933150: ~242 words highly common to PHP injection payloads and extremely rare in
# natural language or other contexts.
# Examples: 'base64_decode', 'file_get_contents'.
# These words are detected as a match directly using @pmFromFile.
# Function names are defined in php-function-names-933150.data
#
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
# - Rule 933160: ~31 words which are common in PHP code, but have a higher chance to cause
# false positives in natural language or other contexts.
# Examples: 'chr', 'eval'.
# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
# Regexp is generated from function names in /regexp-assemble/data/933160.ra
#
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
# - Rule 933151: ~2200 words of lesser importance. This includes most PHP functions and keywords.
# Examples: 'addslashes', 'array_diff'.
# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
# used PHP extensions are removed.
# To mitigate false positives, we only match when the '(' character is also found.
# This rule only runs in paranoia level 2 or higher.
# Function names are defined in php-function-names-933151.data
#
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
# - Rule 933161: ~95 words with short or trivial names, possibly leading to false positives.
# Examples: 'abs', 'cos'.
# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
# This rule only runs in paranoia level 3 or higher.
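Review bot: the unchanged comment line `Regexp is generated from function names in /regexp-assemble/data/933160.ra` points at a path that does not match the file this PR edits, regex-assembly/933160.ra; since this block is being touched anyway, fix the path. The four count changes (~40 to ~242, ~220 to ~31, ~1300 to ~2200, ~200 to ~95) are unrelated to moving `printf` and should be called out in the PR description or split into their own commit; the ~31 figure for 933160 does match the 31 alternatives in the regenerated regex further down, but the other three cannot be verified from this diff.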
Expand Down Expand Up @@ -362,7 +362,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 933160
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|r(?:intf|ev))|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
"id:933160,\
phase:2,\
block,\
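Review bot: the only change is `p(?:assthru|open|prev)` becoming `p(?:assthru|open|r(?:intf|ev))`, which is the expected toolchain output for the new .ra entry, so the regex and the assembly file agree. Worth weighing before merge: 933160 runs at PL1 and, per the comment block above, holds words with a higher false-positive chance; `printf("...")` with call syntax is common in pasted C or PHP snippets on forums and support forms and will now be blocked at PL1 where a bare `printf` token previously only counted as a 933150 hit, so the PR description should state that this trade-off is intended.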
1 change: 0 additions & 1 deletion rules/php-function-names-933150.data
Expand Up @@ -170,7 +170,6 @@ preg_replace_callback
preg_replace_callback_array
preg_split
print_r
printf
proc_close
proc_get_status
proc_nice
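Review bot: removing `printf` from the PL1 @pmFromFile list means a bare `printf` token no longer triggers 933150, leaving 933160's call-syntax match as the only PL1 coverage. Since @pmFromFile is case-insensitive and has no word-boundary check, this is the right fix for `SprintForTheCause`, but please confirm `printf` is not also listed in php-function-names-933151.data (the comment block describes that file as holding most PHP functions), otherwise the move produces a duplicate at PL2.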
Expand Up @@ -567,3 +567,35 @@ tests:
output:
log:
no_expect_ids: [933150]
- test_id: 34
desc: False positive with SprintForTheCause matching printf
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post/?test=SprintForTheCause"
version: "HTTP/1.1"
output:
log:
no_expect_ids: [933150]
- test_id: 35
desc: Don't block printf function (Handled by 933160)
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post/?test=printf(foo)"
version: "HTTP/1.1"
output:
log:
no_expect_ids: [933150]
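Review bot: test 34's desc should state why the string matched: @pmFromFile is case-insensitive and not anchored to word boundaries, so the `printF` substring of `SprintForTheCause` hit the old list entry; a desc that says so saves the next maintainer from re-deriving it. Test 35 only asserts `no_expect_ids: [933150]` and so acts as a regression guard against `printf` being re-added to this list; the positive check for the same payload lives in the 933160 test file, and the desc's `(Handled by 933160)` is the only link between them, so consider naming test 42 by id in the desc.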
@@ -1,6 +1,6 @@
---
meta:
author: "lifeforms, Franziska Bühler, Max Leske, azurit"
author: "lifeforms, Franziska Bühler, Max Leske, azurit, Esad Cetiner"
rule_id: 933160
tests:
- test_id: 1
Expand Down Expand Up @@ -728,3 +728,35 @@ tests:
output:
log:
no_expect_ids: [933160]
- test_id: 41
desc: False positive with SprintForTheCause matching printf
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post/?test=SprintForTheCause"
version: "HTTP/1.1"
output:
log:
no_expect_ids: [933160]
- test_id: 42
desc: Block Printf PHP function
stages:
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post/?test=printf(foo)"
version: "HTTP/1.1"
output:
log:
expect_ids: [933160]
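Review bot: test 42's desc `Block Printf PHP function` capitalises the function name; use `printf` to match the other descs. The rule carries `(?i)` but both new payloads are lower case or mixed case by accident of the FP string, so consider a third case such as `PRINTF(foo)` with `expect_ids: [933160]` to pin the case-insensitive behaviour, and a bare `printf` without parentheses with `no_expect_ids: [933160]` to document that the word alone is intentionally not matched at PL1 now that it has been dropped from 933150.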