SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Extend sql having in rule 942230 #1674

Closed franbuehler closed 4 months ago

franbuehler commented 4 years ago

This PR solves issues #1607 and #1598 and adds new regression tests.

A "having" SQL statement only makes sense in combination with a SELECT statement somewhere.

The whole new regex is: (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|select.*?having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])

The important part is select.*?having\s*?[^\s]+\s*?[^\w\s] (original part was |having\s*?[^\s]+\s*?[^\w\s] only)

I'm not quite sure about my .*?; maybe there would be a better option. But we definitely solve the reported false positives. A word boundary with \b would not be sufficient.

For info: We cover the having clause in 5 other rules too:

util/regexp-assemble/regexp-942190.data:[\"'`];?\s*?having\b\s*?[^\s]
util/regexp-assemble/regexp-942210.data:\/\w+;?\s+having\W
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?and\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?nand\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?or\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?xor\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?xxor\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?div\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?like\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?between\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?not\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942260.data:[\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+
util/regexp-assemble/regexp-942380.data:\b(?i:having)\b\s+\d{1,10}\s*?[=<>]
util/regexp-assemble/regexp-942380.data:\b(?i:having)\b\s+'[^=]{1,10}'\s*?[=<>]
util/regexp-assemble/regexp-942380.data:\bhaving\b ?\d{1,10} ?[=<>]+
util/regexp-assemble/regexp-942380.data:\bhaving\b ?[\'\"][^=]{1,10}[\'\" ?[=<>]+
util/regexp-assemble/regexp-942380.data:exists\s\b(?i:having)\b\s+\d{1,10}
util/regexp-assemble/regexp-942480.data:\bgroup\b.*?\bby\b.{1,100}?\bhaving\b
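The effect of the change described in the PR description, as an added example that is not part of the PR, the CRS rule files or the CRS regression tests: it compiles the pre-PR "having" alternative and the full post-PR 942230 regex quoted above and runs both over a few constructed inputs. The sample strings are assumptions for illustration; they are not the payloads from issues #1607 or #1598.

```python
import re

# Added example, not CRS code. Both patterns are quoted from the PR description:
# the old "having" alternative on its own, and the complete new 942230 regex.
# Python's re supports the scoped (?i:...) flag the rule uses, so the patterns
# run unchanged.
OLD_HAVING = r"(?i:having\s*?[^\s]+\s*?[^\w\s])"
NEW_RULE_942230 = (
    r"(?i:[\s()]case\s*?\(|\)\s*?like\s*?\("
    r"|select.*?having\s*?[^\s]+\s*?[^\w\s]"
    r"|if\s?\([\d\w]\s*?[=<>~])"
)

_OLD = re.compile(OLD_HAVING)
_NEW = re.compile(NEW_RULE_942230)


def matches(pattern, value):
    """True if the compiled pattern matches anywhere in value (@rx semantics)."""
    return pattern.search(value) is not None


def classify(value):
    """Return (old_matches, new_matches) for one request argument value."""
    return (matches(_OLD, value), matches(_NEW, value))


# Constructed sample inputs (assumption: illustrative only, not the reported
# false positives from the linked issues).
SAMPLES = {
    # Plain English: "having" + a word + punctuation, no SELECT anywhere.
    # The old alternative fires on this; the new regex requires a SELECT first.
    "benign_having": "I keep having trouble, can you help?",
    # The word "select" without any HAVING clause: neither pattern fires.
    "benign_select": "Please select a size, then continue.",
    # A SELECT with a HAVING clause, the shape the rule is meant to catch;
    # mixed case checks that (?i:...) still applies.
    "select_with_having": "1 UNION SELECT COUNT(*) FROM users GROUP BY id HAVING COUNT(*)>1",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to its (old_matches, new_matches) result."""
    return {name: classify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:20s} old={old!s:5s} new={new!s:5s}")
```

Running the block prints one line per sample; the benign prose sample is flagged only by the old alternative, while the SELECT ... HAVING sample is flagged by both. The `.*?` between select and having is lazy, so it stops at the first "having" that satisfies the rest of the alternative.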

dune73 commented 4 years ago

Meeting decision: I will review this.

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1671#issuecomment-584320407

dune73 commented 4 years ago

I'm trying to get Verizon to test this rule on the CDN as a test case of a collaboration on testing rules. Sorry this takes time.