Monthly Chat Agenda May (2020-05-04)

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, May 4, at 20:30 CET.

Items on the Agenda:

Previous Meetings decisions: here

PRs

1707 New ldap injection rule 921200 (fixes issue #276)
1708 Perf issue with regexes that start with repeating digits
1710 Add word boundaries around values in SQL tautologies (942130) - reviewed, approved by @franbuehler. Ready to be merged.
1734 Fix content type whitelist (feedback @franbuehler: rule only on test system, @lifeforms?)
1735 Fix link for 941310
1738 WordPress: exclude additional URL fields in profile editor
1739 XenForo: update exclusions
1740 Make Content-Type case insensitive (on hold until #1748 is merged)
1742 Suppress rule 200002 when editing contacts in Nextcloud
1743 Allow REPORT requests without Content-Type header in Nextcloud
1744 Update README.md
1745 Changed variable to lowercase (fixed #1741)
1746 Fix 921120 FP (resolves issue #1615)
1748 Content-Type var fix ModSec v2 v3 900220 soap xml
1750 Added 'ver' action with current version to all necessary rules (fix for #650)

PRs on hold

1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)
1616 Revert #578 (Needs action)
1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)
1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)
1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)
1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi. A full test was performed today, you will see that every issue has a mention from the friendly CRS-migration-bot. You can see the results in https://github.com/crstest01/owasp-modsecurity-crs. There is also a plan to perform the migration, we only need to set the date with Trustwave.

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

Issue slot 1: #1666
Issue slot 2: #1711
Issue slot 3: #1726
Issue slot 4: #1727
Issue slot 5: #1736
Issue slot 6: #1737
Issue slot 7: #1751

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM . Everybody is welcome to join our community chat.

Decisions

PRs

1707 merge
1708 @airween und Mirko will work on this PR and see it or a new PR getting merged during May
1710 merge
1734 merge
1735 merge
1738 merge
1739 merge
1740 stalled until #1748 is merged. Then @franbuehler needs somebody to talk this through.
1742 merge
1743 merge
1744 Assigning @franbuehler to review and investigat the use of ENV variables
1745 merge
1746 review by @fzipi
1748 merge and make sure we note the config change in the release notes (-> issue: #1752)
1750 merge

Other Items

Repo migration is now planned (but not confirmed by TW) for Wednesday May 13.
The migration will happen with a helper script and a migration bot programmed by @fzipi. This will copy all issues via the API and make sure the IDs remain the same! A test migration went smooth and @nerrehmit will now check the result carefully (-> https://github.com/fzipi/crs-migration)
We are seeing less active developers in the project. This is probably natural turnover, but it is painful for the project. We will schedule a talk about this at the next meeting.

Issues

1751 -> @dune73
1736 -> @fzipi
1737 -> @lifeforms
1666 -> @franbuehler
1727 -> @mirkodziadzka-avi
1726 -> @fzipi
1711 -> @franbuehler

SpiderLabs / owasp-modsecurity-crs

Monthly Chat Agenda May (2020-05-04) #1749

Items on the Agenda:

PRs

1707 New ldap injection rule 921200 (fixes issue #276)

1708 Perf issue with regexes that start with repeating digits

1710 Add word boundaries around values in SQL tautologies (942130) - reviewed, approved by @franbuehler. Ready to be merged.

1734 Fix content type whitelist (feedback @franbuehler: rule only on test system, @lifeforms?)

1735 Fix link for 941310

1738 WordPress: exclude additional URL fields in profile editor

1739 XenForo: update exclusions

1740 Make Content-Type case insensitive (on hold until #1748 is merged)

1742 Suppress rule 200002 when editing contacts in Nextcloud

1743 Allow REPORT requests without Content-Type header in Nextcloud

1744 Update README.md

1745 Changed variable to lowercase (fixed #1741)

1746 Fix 921120 FP (resolves issue #1615)

1748 Content-Type var fix ModSec v2 v3 900220 soap xml

1750 Added 'ver' action with current version to all necessary rules (fix for #650)

PRs on hold

1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)

1616 Revert #578 (Needs action)

1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)

1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)

1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)

1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

Open Issues

Decisions

PRs

1707 merge

1708 @airween und Mirko will work on this PR and see it or a new PR getting merged during May

1710 merge

1734 merge

1735 merge

1738 merge

1739 merge

1740 stalled until #1748 is merged. Then @franbuehler needs somebody to talk this through.

1742 merge

1743 merge

1744 Assigning @franbuehler to review and investigat the use of ENV variables

1745 merge

1746 review by @fzipi

1748 merge and make sure we note the config change in the release notes (-> issue: #1752)

1750 merge

Other Items

Issues

1751 -> @dune73

1736 -> @fzipi

1737 -> @lifeforms

1666 -> @franbuehler

1727 -> @mirkodziadzka-avi

1726 -> @fzipi

1711 -> @franbuehler