This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-01-02, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-01-16. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happend in the meantime since the chat last month

Outside development

• Setup tutorial for caddy&coraza
• Separate ModSecurity rule set for WordPress usage WPRS (by our very own @theMiddleBlue, somewhat outdated, but never reported here before)

Inside development

Rules

• The biggest task / roadblocker is the overhaul of 932150 in PR feat: split 932150 into new rules, depending on word length #3061. @theseion will work on this during the week and we will try to review / merge afterwards.
• We are not getting any traction with the keyword list updates. It's not quite clear why, but the BB still being open is certainly a problem. There is also the idea to pay somebody to get this done, but we would rather avoid this. But if anybody is interested in that, then please speak up.

CRS Sandbox

• @theMiddleBlue is currently creating a new challenge for the SQL in JSON bypass technique, in order to ask to try to bypass the new related rule

CRS Bug Bounty and Security

• The PR to solve the 2nd list of bypass findings by Shivam Bathla's is not merged yet (fix(multiple bypasses) from Shivam Bathla's 2nd bypasslist #2926). But close.
• Bug Bounty Findings stats: Coverage at PL1: 78.13% (up from 76.86%), PL2: 94.27% (92.57%), PL3: 94.69% (92.99%), PL4 98.94% (98.51%). Currently, 25 tests fail at PL3. We assume most of these will be fixed by the updated 932150. See above.

Plugins

• New task: Now that tests can be added to plugins, add tests to all plugins (Add tests to plugins #3051).
  • Moved this lengthy item to project discussions (see below).
• WordPress plugin needs to be update with all new FPs found in the latest WP version.
  • Remove FPs for the top installed WP plugins (SEO, Woocommerce, etc...)
  • Convert/refactor WPRS project into a CRS plugin (https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset)

Documentation and Public Relations

• There is an effort on trying to get a release notes in Release Notes for v4  #3072
• The INSTALL document needs attention. We currently have four different install guides (INSTALL, 'Quick Start Guide', 'Extended Install', and coreruleset.org/installation/). We should not maintain four guides: we should squash them into a single source of truth for install documentation. @RedXanadu has agreed to look at this some time in the new year; it's a lot of work…
• The next developer portrait is going to be released coming weeks

Project Administration and Sponsor relationships

• All payments for CRS have been issues, not sure everything arrived before the end of the year.
• CRS sponsoring newsletter 2022.Q4 is pending
• CRS finances for 2022 not completed; once done 2023 budget has to be drafted

Tools

• no news

Testing incl. Seaweed and many future plans

• @vandanrohatgi is around again 🎉 . He offered to help with additional Seaweed plans. @fzipi will be working with him in getting additional features and see what he wants to help with.

Containers

• There is an outstanding problem with the certificate generation in issue idea: add a script for generating a new certificate once modsecurity-crs-docker#106.

CRS Status Page

• A few more 'missing PL 1 test cases' investigated and resolved.

Project discussions and decisions

• Should we remove response body audit logging from all rules? (I.e. remove ctl:auditLogParts=+E everywhere.)

  • We need to be consistent with our rules. We need to implement and document a CRS project policy on this:
    • CRS rules never audit log responses?
    • CRS rules sometimes audit log responses? If so, when?
  • Response bodies can contain sensitive data, so maybe CRS shouldn't ever trigger them to be logged and stored.
  • Would we need to provide a config item to (re-)activate response body audit logging for users who must keep it enabled?
  • What about users/integrators who might have a setting of their own?
  • Associated PR: fix(rules): remove response body from logs #3034 (@fzipi note: all four people involved in this PR were in sync that this was needed, so I went there and merged it).

• We talked about this in our retreat, but looks like we need a broader discussion, so let's have it: feat(ci): only close issues awaiting for feedback #2948

• Now that tests can be added to plugins, add tests to all plugins (Add tests to plugins #3051).

  • Realistically, who is going to do this work?
    This task needs a person responsible for it or it won't get done. It looks like an enormous amount of work. Should we pay someone to do this project? Last year we had budgeted money for 'projects' that we did not use. Open for discussion.
  • What is needed?
  • Step 1: Copy the template-plugin github actions workflow directory to the destination plugin.
  • Step 2: Create the tests subdirectory 👉 tests/regression/<the plugin name>
  • Step 3: Create a test file for at least one rule. What are we testing? That the plugin works. Meaning? If this is for an exclusion rule, then use any REQUEST_URI that we are removing rules from, and then see that after GET/POST ing to that url with whatever the rule is targeting, no_log_contains the rule we are excluding.
  • Is there any example of this crazy magic? Yes, please see the one in the phpmyadmin-rule-exclusions-plugin
  • But wait a minute, do we need to add a test for all rules also? 👉 @fzipi suggests we delay doing this. We need to test that the plugin itself is working, we don't need 100% coverage now. We are testing that our decoupling from the core still makes the plugin work.
  • So it is just copying that .workflows directory then, and writing ONE TEST FILE with ONE TEST INSIDE then? Pretty much, yes.
  • And what about complex plugins that require Lua extensions? We cannot cover those now. That's future work. As we are using the "regular" CRS docker, for that we will need to extend it to have the new lua files, etc. This is future work.

Rules development, key project numbers

PRs that have been merged since the last meeting

• fix(rules): remove response body from logs #3034
• fix(data): optimized regex for 933211 w/ crs-toolchain #3026
• feat: add relevant info for java-classes.data #3048
• Cleaning up TX variables #3043
• feat(ci): add check for conventional commit PR title #3067
• test: add coverage BB finding 9P5LL13Y #3063
• fix: update github template labels #3066
• Add wordlist for RCE of length > 3 as 932235 #3052
• New rule 942550 (PL1) JSON in SQL #3055
• Add status page test for rule 920470 #3058
• Add REQUEST_FILENAME to 942120 to catch path SQLi #3057
• chore: update 934101 to use regex-assembly #3020
• Add more tests from bug bounty to 932230 #3053
• fix 942190 : Update 942190.data and rebuild rule with crs-toolchain. #2946
• fix(942151) - add PostgreSQL JSON functions #3041
• feat(932125): update list with latest aliases #3050
• feat(rce): additional signatures for NodeJS RCE (934100) #2573

We merged 17 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• fix(regex): fix data file for 942280 rule #2933
• feat(932110): update windows list 1/2 #3059
• fix(942480) - add newlines to overlay placing #3040
• feat: add method override headers to restricted headers, rules 900250 and 901165 #3056
• feat: add scalaj-http/ user agent to scripting-user-agents.data  #3045
• fix(942320) - add postgres data types and multiple plus minus signs #3019
• Util to find English words on .data #3029
• fix(regex): fix data file for 942370 #2954
• Update REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example #2878
• feat(ci): only close issues awaiting for feedback #2948
• feat: Split Node-Validator keywords functionally #2637
• Negative lookarounds for rule 941310 to stop matching Japanese word Company. #2666

Open issues and PRs

• As of Monday, we have FIXME open issues.
• As of Monday, we have FIXME open pull requests.

Separate 2nd Meeting (Monday, 2023-01-16)

• BB Status of refactoring of rule 932150 and friends is the final showstopper. @theseion is working on this, with @fzipi and @dune73 waiting for a PR they volunteered to review.
• CRS v3.x IP reputation blocks are errant when EXECUTING_PARANOIA_LEVEL is used #3079
  Unless there is someone who is keen to fix a corner case bug with the IP reputation rules in CRS 3.x, I think this issue will realistically become a 'Won't fix' issue.
• Consider deprecating use of ARGS and ARGS_NAMES #3087
  @anuraaga from Coraza proposed a feature request which replaces ARGS/ARGS_NAMES with ARGS_GET/ARGS_GET_NAMES and ARGS_POST/ARGS_POST_NAMES. We need to think deeply about the consequences.
• Initialization of collections (see Variable tx.ua_hash and IP collection set but not used in CRS core #3068)
  • CRS no longer needs collections, but plugins may want to work with collections
  • So either CRS initializes them for the plugins, or plugins need to coordinate themselves
  • If it's CRS, it should be off by default, but an prepared config item
• CRS Community Summit in Dublin Feb 14: Participation, staying (AirBnB?), program
• We stated we want to get serious about Coraza on NGINX in 2023. Is it time to start?

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.