coreruleset: regexp-assemble generates a malformed regex pattern for rule 932100

Describe the bug

When executing

./regexp-assemble.py generate 932100

a malformed regular expression pattern is generated. Specifically, one of the double quote marks is not correctly escaped. Note at the end here:

(?:[;\n\r`]|\$(?:\(?\(|{)|(?:\|)?\||\(\s*\)|[<>]\(|&?&|\{)\s*(?:(?:\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|(?:\s*\(|!)\s*|\{|\$))*\s*(?:["'])...

The (?:["']) should be escaped as (?:[\"']).

The un-escaped " causes havoc: the server config becomes invalid and the server process will not start (at least with Apache and nginx).

Steps to reproduce

In the v4.0/dev branch, execute:

./regexp-assemble.py generate 932100

Observe that the double quote mark is not escaped.

Execute:

./regexp-assemble.py update 932100

and try to start either of the Docker containers. Observe that they fail to start correctly:

Apache:

$ sudo docker-compose up modsec2-apache
[+] Running 2/2
 ⠿ Container tests-backend-1  Running                                                                                                                                                    0.0s
 ⠿ Container modsec2-apache   Created                                                                                                                                                    0.8s
Attaching to modsec2-apache
modsec2-apache  | AH00526: Syntax error on line 119 of /etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf:
modsec2-apache  | SecRule takes two or three arguments, rule target, operator and optional action list
modsec2-apache exited with code 1

nginx:

$ sudo docker-compose up modsec3-nginx
[+] Running 2/0
 ⠿ Container tests-backend-1  Running                                                                                                                                                    0.0s
 ⠿ Container modsec3-nginx    Created                                                                                                                                                    0.0s
Attaching to modsec3-nginx
modsec3-nginx  | nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf. Line: 99. Column: 6504. Expecting an action, got:  \./\x5c]+/)?[\x5c'\"]*(?:l[\x5c'\"]*(?:w[\x5c'\"]*p[\x5c'\"]*-[\x5c'\"]*(?:d[\x5c'\"]*(?:o[\x5c'\"]*w[\x5c'\"]*n[\x5c'\"]*l[\x5c'\"]*o[\x5c'\"]*a[\x5c'\"]*d|u[\x5c'\"]*m[\x5c'\"]*p)|r[\x5c'\"]*e[\x5c'\"]*q[\x5c'\"]*u[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*t|m[\x5c'\"]*i[\x5c'\"]*r[\x5c'\"]*r[\x5c'\"]*o[\x5c'\"]*r)|s(?:[\x5c'\"]*(?:b[\x5c'\"]*_[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*l[\x5c'\"]*e[\x5c'\"]*a[\x5c'\"]*s[\x5c'\"]*e|c[\x5c'\"]*p[\x5c'\"]*u|m[\x5c'\"]*o[\x5c'\"]*d|p[\x5c'\"]*c[\x5c'\"]*i|u[\x5c'\"]*s[\x5c'\"]*b|-[\x5c'\"]*F|h[\x5c'\"]*w|o[\x5c'\"]*f))?|z[\x5c'\"]*(?:(?:[ef][\x5c'\"]*)?g[\x5c'\"]*r[\x5c'\"]*e[\x5c'\"]*p|c[\x5c'\"]*(?:a[\x5c'\"]*t|m[\x5c'\"]*p)|m[\x5c'\"]*(?:o[\x5c'\"]*r[\x5c'\"]*e|a)|d[\x5c'\"]*i[\x5c'\"]*f[\x5c'\"]*f|l[\x5c'\"]*e[\x5c'\"]*s[\x5c'\"]*s)|o[\x5c'\"]*(?:g[\x5c'\"]*(?:(?:n[\x5c'\"]*a[\x5c'\"]*m|s[\x5c'\"]*a[\ in /etc/nginx/conf.d/modsecurity.conf:2
modsec3-nginx exited with code 1

Expected behaviour

The double quote mark " should be escaped in the output pattern, as is expected.

Actual behaviour

The double quote mark " is not correctly escaped in the output pattern.

Your Environment

  • CRS version (e.g., v3.2.0): v4.0/dev
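
A pre-deployment check for the failure described in this report, as an added example (not code from the coreruleset project): it finds double quotes in a generated pattern that would end a double-quoted SecRule operator argument early. The function names are hypothetical, and the quoting rule (a backslash escapes a following quote or backslash) is an assumption about how the config parser reads the argument.

```python
# Lint a generated regex before it is written into a double-quoted
# SecRule operator argument ("@rx ...").


def find_unescaped_quotes(pattern: str) -> list[int]:
    # Return the offset of every double quote that is not backslash-escaped.
    # Assumption: a backslash followed by a quote or by another backslash is
    # consumed as a pair, so an escaped backslash followed by a quote still
    # leaves that quote bare and ends the argument.
    offsets = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in '"\\':
            i += 2  # escaped quote or escaped backslash: skip the pair
            continue
        if ch == '"':
            offsets.append(i)
        i += 1
    return offsets


def escape_unescaped_quotes(pattern: str) -> str:
    # Escape only the bare quotes; already-escaped ones are left untouched,
    # so running this twice does not double-escape anything.
    out = []
    prev = 0
    for off in find_unescaped_quotes(pattern):
        out.append(pattern[prev:off])
        out.append('\\"')
        prev = off + 1
    out.append(pattern[prev:])
    return "".join(out)


# Fragments quoted in the report above, plus one constructed edge case.
BROKEN = r"""(?:["'])"""
FIXED = r"""(?:[\"'])"""
EDGE = r'''a\\"b'''  # constructed: escaped backslash, then a bare quote

if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED), ("edge", EDGE)):
        hits = find_unescaped_quotes(pat)
        print(f"{name}: {pat} -> unescaped quotes at {hits}")
        print(f"  escaped form: {escape_unescaped_quotes(pat)}")
```

A non-empty result from find_unescaped_quotes is a reason to stop before the rule file is updated, since the server refuses to start on such a file.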

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (18 by maintainers)

Most upvoted comments

I’m really no Perl expert. AFAICT, the module wasn’t really designed for inheritance and I had to patch a subroutine for one of the changes (the subroutines are huge and complicated, so overriding would mean copying large amounts of code). I don’t know how well monkey patching works in Perl, I think I read somewhere that it can lead to interesting results.

You’re welcome to try something different. From my point of view the current approach works reasonably well and is reasonably maintainable, given the circumstances.