JSON-Based SQL Injection - Slow regex #3354

@christiantreutler-avi

Describe the bug

In #3055 a new rule was introduced for JSON-Based SQL Injection.
This is a v4 rule.

In testing, we have discovered that the regular expression for this rule triggers time-outs in the regex engine.

Reviewing the regex, it definitely has too many backtrack points and therefore bad worst-case behavior.

Steps to reproduce

I cannot share the actual payloads, but in our testing, it only needs a long-running relatively small JSON to trigger long-running regex execution.

Additional context

Your Environment

  • CRS version (e.g., v3.2.0): Custom CRS version with JSON-Based SQL Injection included.
  • Paranoia level setting: PL1
  • ModSecurity version (e.g., 2.9.3): VMware (Avi Load Balancer), libmodsecurity3, PCRE

Labels: bug (Something isn't working), v4 LTS (Needed for v4 LTS)
