Closed studersi closed 5 years ago
Similarly, regression tests for rule 931120 appear to be broken as well.
The regex for rule 931120 looks like this:
Rule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
Matching for example a request like the following:
$ curl -v 'https://xxx.ch/?x=file?' 2>&1 | grep "< HTTP/2"
< HTTP/2 403
Requests like the one contained in regression test 931120-3 are not blocked and do not trigger rule 931120:
$ curl -v 'https://xxx.ch/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root' 2>&1 | grep "< HTTP/2"
< HTTP/2 404
And again, the request does not look like it should be matched by the regex.
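To see why the first request triggers the rule and the second does not, the following added script (not part of the original thread or of the CRS project) applies the quoted 931120 regex to each query-string value, approximating how ModSecurity populates the ARGS collection. The hostname example.test and the helper names are assumptions; the two paths are the ones quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Regex body of CRS rule 931120 exactly as quoted in the thread.
# The @rx operator applies it to every value in the ARGS collection.
RULE_931120_RX = re.compile(r"^(?i:file|ftps?|https?).*?\?+$")


def args_from_url(url: str) -> list[tuple[str, str]]:
    """Approximate ModSecurity's ARGS collection from a URL's query string.

    keep_blank_values=True keeps a bare key with no '=' (as in the second
    request below) as a (name, '') pair instead of dropping it.
    """
    query = urlsplit(url).query
    return parse_qsl(query, keep_blank_values=True)


def rule_931120_matches(url: str) -> list[str]:
    """Return the ARGS values of `url` that rule 931120's regex would match.

    An empty list means the rule would not fire for this request.
    """
    return [value for _, value in args_from_url(url) if RULE_931120_RX.search(value)]


# Constructed sample requests (hostname is a placeholder); paths taken from the thread.
BLOCKED_URL = "https://example.test/?x=file?"
NOT_BLOCKED_URL = (
    "https://example.test/components/com_uhp/uhp_config.php"
    "?mos/administrator/c/appserv/appserv/main.php?appserv_root"
)


if __name__ == "__main__":
    for url in (BLOCKED_URL, NOT_BLOCKED_URL):
        print(url)
        print("  ARGS:", args_from_url(url))
        print("  931120 hits:", rule_931120_matches(url))
```

The second URL's whole query string is a single argument name with an empty value, so there is no value starting with file/ftp/http for the regex to match, which is consistent with the 404 observed above rather than a 403.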
These tests are not enabled. See enabled: false at the top of the file.
We'd very much welcome fixes for these tests in the form of a PR if you have the time and the inclination though!
Thanks for the quick response @fgsch. I missed the fact that there are disabled rules, but this explains it.
I'll look into it this weekend, I might be able to fix a few of them.
That'd be great! Please let us know if you need a hand.
Ok, I created a pull request here: https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1350.
Type of Issue
The regression tests for rule 931110 in
owasp-modsecurity-crs\util\regression-tests\tests\REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml
might not effectively test rule 931110.
Description
When I try to recreate the behaviour of the test request in 931110-1, the request is not blocked. But when I add parts of a URL, the request is blocked. This is consistent with the regex defined in rule 931110.
These are the requests I used to reproduce the problem.
The URL used in the regression test looks like this:
According to the regex, this should not match, but somehow the automated tests still succeed in the context of the CRS Project. The same is true for other tests for this rule.
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.