Skip to content

feat: refactoring (944110 PL1) #3715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fzipi merged 4 commits into from
Sep 19, 2024
Merged

feat: refactoring (944110 PL1) #3715

fzipi merged 4 commits into from
Sep 19, 2024

Conversation

@azurit
Copy link
Member

@azurit azurit commented May 24, 2024
edited
Loading

Rule 944110 is matching same variables in both main and chained rules. This is:

  1. Not required.
  2. Ineffective.
  3. Possible creating more FPs.

The list of variables in the chained rule should be replaced with a MATCHED_VARS variable as we only need to match against variables matched by the main rule. Also, the current behavior may create more FPs as main rule may match variable1 and the chained rule may match variable2 (which wasn't matched by main rule).

Also, the chained rule was missing t:lowercase so it was possible to bypass this check.

@azurit
Copy link
Member Author

azurit commented May 24, 2024

Failing tests are including keywords in multiple XML attributes. I found only one exploits which is splitted accross multiple XML elements/attributes and it is going to be catched also after my modification to the rule.

Was not able to find a non-XML exploit which is splitted into multiple variables.

Solutions:

  1. Remove failing tests.
  2. Include XML:/*|XML://@* in chained rule (togather with t:lowercase).
  3. Close this PR.

@azurit
Copy link
Member Author

azurit commented May 24, 2024

I would go with 2.

@dune73 dune73 mentioned this pull request Jun 3, 2024
Closed
@github-actions github-actions bot added the Stale label Jun 24, 2024
@fzipi fzipi mentioned this pull request Jul 1, 2024
Closed
@github-actions github-actions bot closed this Jul 8, 2024
@azurit azurit removed the Stale label Aug 31, 2024
@azurit azurit reopened this Aug 31, 2024
@fzipi fzipi mentioned this pull request Sep 2, 2024
Closed
@fzipi fzipi self-requested a review September 2, 2024 18:56
@fzipi
Copy link
Member

fzipi commented Sep 17, 2024

After reading (and re-reading) this one, and the exploit you mentioned there, idk if just going with 1) instead, and just document it. But 2) sounds good also, if you think it adds value.

@azurit
Copy link
Member Author

azurit commented Sep 19, 2024

@fzipi Can you look at it now? Thnx.

fzipi
fzipi approved these changes Sep 19, 2024
View reviewed changes
Copy link
Member

@fzipi fzipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now. Thanks!

@fzipi fzipi added this pull request to the merge queue Sep 19, 2024
Merged via the queue into coreruleset:main with commit e8227f0 Sep 19, 2024
@fzipi fzipi mentioned this pull request Oct 7, 2024
Closed
@azurit azurit deleted the Refactor944110 branch November 2, 2024 11:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fzipi fzipi fzipi approved these changes

Assignees

No one assigned

Labels

release:fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@azurit @fzipi