SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Regression tests for rule 931110 might be broken #1342

Closed studersi closed 5 years ago

studersi commented 5 years ago

Type of Issue

The regression tests for rule 931110 in owasp-modsecurity-crs\util\regression-tests\tests\REQUEST-931-APPLICATION-ATTACK-RFI/931110.yaml might not effectively test the rule 931110.

Description

When I try to recreate the behaviour of the test request in 931110-1, the request is not blocked. But when I add parts of a URL, the request is blocked. This is consistent with the regex defined in rule 931110.

"@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/"

These are the requests I used to reproduce the problem.

$ curl -v 'https://xxx.ch/?_CONF[path]' 2>&1 | grep "< HTTP/2"
< HTTP/2 200
$ curl -v 'https://xxx.ch/?_CONF[path]=https://' 2>&1 | grep "< HTTP/2"
< HTTP/2 403

The URL used in the regression test looks like this:

uri: /plugins/spamx/BaseAdmin.class.php?_CONF[path]

According to the regex, this should not match, but somehow the automated tests still succeed in the context of the CRS Project. The same is true for other tests for this rule.

Your Environment

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

studersi commented 5 years ago

Similarly, regression tests for rule 931120 appear to be broken as well.

The regex for rule 931120 looks like this:

Rule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \

Matching for example a request like the following:

$ curl -v 'https://xxx.ch/?x=file?' 2>&1 | grep "< HTTP/2"
< HTTP/2 403

Requests like the one contained in regression test 931120-3 are not blocked and do not trigger rule 931120:

$ curl -v 'https://xxx.ch/components/com_uhp/uhp_config.php?mos/administrator/c/appserv/appserv/main.php?appserv_root' 2>&1 | grep "< HTTP/2"
< HTTP/2 404

And again, the request does not look like it should be matched by the regex.
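To check the two regexes quoted above against the request URIs mentioned in this thread, here is an added Python snippet (not part of the issue or of the CRS project). It applies the 931110 regex to the raw query string (an assumption, since only the regex is quoted here) and the 931120 regex to each decoded argument value, as the `ARGS` target implies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Regex quoted in the issue for rule 931110 (PCRE syntax; also valid for Python's re).
RULE_931110 = re.compile(
    r"(?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]"
    r"|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root"
    r"|config\[root_dir\])=(?:file|ftps?|https?):\/\/"
)

# Regex quoted in the issue for rule 931120; the rule's target is ARGS (argument values).
RULE_931120 = re.compile(r"^(?i:file|ftps?|https?).*?\?+$")


def rule_931110_matches(uri: str) -> bool:
    """Assumption: run the 931110 regex over the raw, undecoded query string."""
    return RULE_931110.search(urlsplit(uri).query) is not None


def rule_931120_matches(uri: str) -> bool:
    """Run the 931120 regex over each decoded argument value (the ARGS collection).

    keep_blank_values=True keeps arguments that have a name but no '=value',
    which is exactly the shape of the regression-test URIs in this thread.
    """
    args = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return any(RULE_931120.search(value) for _, value in args)


if __name__ == "__main__":
    # URIs taken from the issue text; "xxx.ch" is the issue author's redacted host.
    checks = [
        ("931110", "https://xxx.ch/?_CONF[path]", rule_931110_matches),
        ("931110", "https://xxx.ch/?_CONF[path]=https://", rule_931110_matches),
        ("931110", "/plugins/spamx/BaseAdmin.class.php?_CONF[path]", rule_931110_matches),
        ("931120", "https://xxx.ch/?x=file?", rule_931120_matches),
        ("931120", "/components/com_uhp/uhp_config.php"
                   "?mos/administrator/c/appserv/appserv/main.php?appserv_root",
         rule_931120_matches),
    ]
    for rule, uri, check in checks:
        print(f"{rule} {'MATCH   ' if check(uri) else 'no match'} {uri}")
```

Only the two requests that the issue author saw blocked (the `=https://` and `file?` ones) match; the URIs from test cases 931110-1 and 931120-3 match neither regex, which is the discrepancy the issue reports.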

fgsch commented 5 years ago

These tests are not enabled. See enabled: false at the top of the file.

fgsch commented 5 years ago

We'd very much welcome fixes for these tests in the form of a PR if you have the time and the inclination though!

studersi commented 5 years ago

Thanks for the quick response @fgsch. I missed the fact that there are disabled rules, but this explains it.

I'll look into it this weekend, I might be able to fix a few of them.

fgsch commented 5 years ago

That'd be great! Please let us know if you need a hand.

studersi commented 5 years ago

Ok, I created a pull request here: https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1350.