coreruleset: Synapse windows command injection false positive

Description

---wxhp0Kfp---B--
PUT /_matrix/federation/v1/send/1668004491987 HTTP/1.1
Content-Length: 1058
User-Agent: Synapse/1.71.0
Content-Type: application/json
Authorization: X-Matrix origin CENSOR
Host: chat.fuo.fi:443

---wxhp0Kfp---C--
{"origin":"libera.chat","origin_server_ts":1668361864315,"pdus":[{"auth_events":["CENSOR","$CENSOR"],"content":{"body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say \"type this one line and you are good\"","format":"org.matrix.custom.html","formatted_body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type this one line and you are good"","msgtype":"m.text"},"depth":552560,"hashes":{"sha256":"CENSOR"},"origin":"libera.chat","origin_server_ts":1668361864211,"prev_events":["CENSOR"],"room_id":"CENSOR","sender":"@Whiskey`:libera.chat","signatures":{"libera.chat":{"ed25519:t4fjCr":"CENSOR"}},"type":"m.room.message","unsigned":{"age_ts":1668361864211}}]}

---wxhp0Kfp---F--
HTTP/1.1 200
Server:
Server:
Date: Sun, 13 Nov 2022 17:51:04 GMT
Content-Type: application/json
Access-Control-Allow-Origin: *
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization, Date
Strict-Transport-Security: max-age=63072000

---wxhp0Kfp---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[;\n\r`]|t[\"\^]*i[\"\^]*m[\"\^]*e|(?:\|)?\||&?&|\{)\s*(?:['(,@\"\s])*(?:(?:(?:[\x5c'\"\^]*\w[\x5c'\"\^]*:.*|[\^\.\w '\"/\x5c]*)\x5c|[\w'\"\./]+\/))?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\" (5113 characters omitted)' against variable `ARGS:json.pdus.array_0.content.formatted_body' (Value: `it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type  (36 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "229"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ;type this one line and you are good&quot found within ARGS:json.pdus.array_0.content.formatted_body: it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just (52 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "CENSOR"] [uri "/_matrix/federation/v1/send/1668004491987"] [unique_id "166836186474.987131"] [ref "o94,41v41,136"]

Audit Logs / Triggered Rule Numbers

932115

Your Environment

• CRS version (e.g., v3.2.0): 4.0-dev
• Paranoia level setting:
• ModSecurity version (e.g., 2.9.3): latest
• Web Server and version (e.g., apache 2.4.41): nginx
• Operating System and version: ubuntu

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.