SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf #1688

Closed (azurit closed this pull request 4 years ago)

azurit commented 4 years ago

According to the SOAP 1.2 specification, the optional 'action' parameter is allowed for the 'Content-Type' header, see RFC3902: https://www.ietf.org/rfc/rfc3902.txt

Also, the original regexp was invalid, as it was allowing only one parameter for the 'Content-Type' header (there were two possible parameters which can be set at once: charset and boundary [now there are three]).

Finally, I added a hashtag character to the allowed ones; real-world example: Content-Type: application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"

dune73 commented 4 years ago

Hey Azurit, Travis is green now, but only because of our workaround. In fact it complains a lot and the reason is you added the hashtag character at the end of the character class. If you want to add the hash character, it's got to be before the dash.

Could you explain what you did there, and why you reconfigured the number of occurrences at the end of the regex?

azurit commented 4 years ago

As I stated in the comment, the original regexp was invalid because the character '?' means '0 or 1 occurrences', so only one of the parts at the end of the regexp could be present at a time. According to the RFCs, all of these 'Content-Type' headers are valid:

Content-Type: application/soap+xml
Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
Content-Type: application/soap+xml; action="urn:localhost-hwh#getQuestions"
Content-Type: application/soap+xml; charset=utf-8; boundary="something"
Content-Type: application/soap+xml; boundary="something"

Your original regexp was able to match only these:

Content-Type: application/soap+xml
Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/soap+xml; boundary="something"

azurit commented 4 years ago

Maybe the combination: Content-Type: application/soap+xml; charset=utf-8; boundary="something"; action="example"

isn't valid (or makes no sense). In that case, the number of occurrences can be changed to {0,2}

dune73 commented 4 years ago

Got it. Thank you. Much clearer now (and I'm running after half a dozen PRs in parallel after Travis got the hiccups, my IQ is thus spread over too many items ATM).

Can you fix the hash problem?

azurit commented 4 years ago

You mean like? "!@rx ^[\w/.+-]+(?:\s?;\s?(?:boundary|charset|action)\s?=\s?['\"\w.()+,/:=?#-]+){0,3}$"

or? "!@rx ^[\w/.+-]+(?:\s?;\s?(?:boundary|charset|action)\s?=\s?['\"\w.()+,/:=?-\#]+){0,3}$"

dune73 commented 4 years ago

Yes, the former. The escaping does not cut it. It's about the order.
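The regexes and the header list from this thread, tried out in Python's re module as an added example (not code from the PR or from the CRS project). It unescapes the config-level \" to a plain quote, reuses the PR's value character class for the pre-PR form (the thread only says the old regex used ? and lacked action and #, it does not quote the old class, so that part is an assumption), and the helper names build_pattern, accepted and hash_position_compiles are hypothetical. Python rejects the reversed range ?-\# the same way PCRE does, which is what Travis was complaining about.

```python
import re

# Character class for parameter values as proposed in the PR. '#' sits
# before '-', so the trailing '-' is a literal and not a range operator.
# (Assumed reproduction of the thread's operand, not copied from CRS.)
VALUE_CLASS = r"""['"\w.()+,/:=?#-]"""


def build_pattern(params=("boundary", "charset", "action"), quantifier="{0,3}"):
    """Build the Content-Type validation regex with a chosen quantifier.

    quantifier="?" reproduces the pre-PR behaviour described in the thread
    (at most one parameter after the media type); "{0,3}" is the PR's form.
    """
    alternation = "|".join(params)
    return (r"^[\w/.+-]+"
            r"(?:\s?;\s?(?:" + alternation + r")\s?=\s?" + VALUE_CLASS + "+)"
            + quantifier + "$")


# Header values (without the "Content-Type: " prefix), copied from the
# thread's list of RFC-valid headers.
VALID_VALUES = [
    'application/soap+xml',
    'application/soap+xml; charset=utf-8',
    'application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"',
    'application/soap+xml; action="urn:localhost-hwh#getQuestions"',
    'application/soap+xml; charset=utf-8; boundary="something"',
    'application/soap+xml; boundary="something"',
]

# The three-parameter combination azurit asked about (constructed from the thread).
THREE_PARAMS = 'application/soap+xml; charset=utf-8; boundary="something"; action="example"'


def accepted(pattern, values):
    """Return the values the pattern matches, i.e. the ones the !@rx rule would let through."""
    rx = re.compile(pattern)
    return [v for v in values if rx.match(v)]


def hash_position_compiles(char_class):
    """Return True if the character class compiles; a '?-\\#' range is reversed and fails."""
    try:
        re.compile("^" + char_class + "+$")
        return True
    except re.error:
        return False


if __name__ == "__main__":
    old = build_pattern(params=("boundary", "charset"), quantifier="?")
    new = build_pattern()
    print("pre-PR form accepts:", len(accepted(old, VALID_VALUES)), "of", len(VALID_VALUES))
    print("PR form accepts:", len(accepted(new, VALID_VALUES)), "of", len(VALID_VALUES))
    print("{0,2} accepts the 3-parameter header:",
          bool(accepted(build_pattern(quantifier="{0,2}"), [THREE_PARAMS])))
    print("'#' before '-' compiles:", hash_position_compiles(r"""['"\w.()+,/:=?#-]"""))
    print("'-\\#' at the end compiles:", hash_position_compiles(r"""['"\w.()+,/:=?-\#]"""))
```

Note that Python's \w on str patterns is Unicode-aware while PCRE's default is ASCII; for the values above the two agree, so the three-of-six versus six-of-six result reproduces what azurit describes.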