fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050

azurit · 2025-03-24T09:36:31Z

Feature was originally added in #2016 but was incorrectly implemented. Test, which was supposed to check for this, was not working because rule is targeting REQUEST_URI from which is engine removing . and .. in the path part of the URI (path is normalized).

github-actions · 2025-03-24T09:37:06Z

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

azurit · 2025-03-24T09:45:58Z

@theseion Can you please check what is going on? It should work, see (test 7 is on the last line):
https://regex101.com/r/ZQBjt6/1

Maybe the backend is returning 400 Bad Request?

theseion · 2025-03-24T18:05:14Z

I think you need to change the test to expect_ids:.... As the comment says, it appears to have been "disabled" due to the behaviour of REQUEST_URI. The comment should probably also be updated.

azurit · 2025-03-24T18:19:19Z

No, it is a negative test...

theseion · 2025-03-25T06:06:10Z

There's an override for nginx in nginx-overrides.yaml. You need to remove that since your change makes the test work as expected in nginx.

theseion · 2025-03-25T06:31:34Z

I've added a change to your PR that fixes a race condition when waiting for the server to start.

azurit · 2025-03-25T07:03:56Z

@theseion The main problem is with test 930110-7 which should pass. Here you can see that a regex from this PR does not match a value from test 7 (at the last line).

azurit · 2025-03-25T07:17:14Z

That is why i'm asking why exactly is it not passing as i cannot get this information by myself (i assume - i don't think i have access to it, correct me if i'm wrong). And that is why i was suggesting that backend (apache/nginx) is, maybe, returning code 400 (Bad Request) because this is what Apache and also nginx is returning when .. is in path part of the request URI - so, maybe, that code 400 is a reson why is this test not passing. Because it should pass.

theseion · 2025-03-25T07:54:20Z

As I wrote, just update nginx-overrides.yaml and add that change to your PR.

azurit · 2025-03-25T13:17:54Z

As I wrote, just update nginx-overrides.yaml and add that change to your PR.

Cool, thanks, misunderstood you the first time.

Update REQUEST-930-APPLICATION-ATTACK-LFI.conf

52eccf6

Update REQUEST-930-APPLICATION-ATTACK-LFI.conf

f9b6fa5

Update REQUEST-930-APPLICATION-ATTACK-LFI.conf

a05d611

azurit mentioned this pull request Mar 24, 2025

fix(security): fixing double URL decode of REQUEST_URI #4047

Merged

theseion force-pushed the Fix930110 branch 2 times, most recently from 16f8b10 to 7e33353 Compare March 25, 2025 06:18

chore: add debugging output

f2a67b5

theseion force-pushed the Fix930110 branch from 7e33353 to f2a67b5 Compare March 25, 2025 06:27

theseion mentioned this pull request Mar 25, 2025

fix: use boundary to fix false positive with email firstname.dockery@host.tld #4045

Merged

azurit added 2 commits March 25, 2025 14:16

Update nginx-overrides.yaml

2da1b02

Merge branch 'main' into Fix930110

917f18c

theseion approved these changes Mar 25, 2025

View reviewed changes

azurit added this pull request to the merge queue Mar 25, 2025

Merged via the queue into coreruleset:main with commit 81cf60c Mar 25, 2025
6 checks passed

azurit deleted the Fix930110 branch March 25, 2025 16:34

fzipi added the release:fix label Mar 27, 2025

fzipi mentioned this pull request Apr 7, 2025

Monthly Chat Agenda April 2025-04-07 #4087

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050

fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050

fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050

fix: rule 930110 is not supposed to match bare '..' without (back)slashes #4050

Conversation