Closed toadzhou closed 1 year ago
Same issue using Caddy v2.6.1 and Coreruleset v3.3.4. Coreruleset Nightly from today produces:
failed to compile rule (error parsing regexp: invalid nested repetition operator: `*+`): REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" "id:920600,phase:1,block,t:none,t:lowercase,msg:'Illegal Accept header: charset parameter',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',ver:'OWASP_CRS/4.0.0-rc1',severity:'CRITICAL',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
I've tried different versions of Coreruleset and have different problems. Feeling that it cannot be used in production yet.
Hey, since CRS v4, we have been struggling with regression issues; we are working together with CRS to make this work: https://github.com/coreruleset/coreruleset/issues/2848.
We are adding GitHub actions to CRS to avoid this and to ensure RE2 (golang regex) compatibility.
We also have to upgrade coraza-caddy to the latest coraza v3 commit, as we added support for new ModSecurity features required by CRS 4 (MULTIPART_PARTS_HEADERS).
CRS is not tagging versions, so we can only rely on hash IDs.
We will soon be posting some proper measures to avoid this from happening in the future. It should include new GitHub actions and a CRS compatibility matrix.
It is recommended to maintain a set of available rule versions by yourself to avoid production accidents caused by updating the official coreruleset rules.
Open discussion @corazawaf/core-developers. Until CRS ensures RE2 regression, we could maintain a Coraza-compatible CRS fork.
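A small compatibility check for the RE2 problem discussed above, added here as an example and not code from Coraza or CRS: it compiles a rule pattern with Go's regexp package (the RE2-syntax engine behind Coraza's @rx) and rewrites the possessive quantifiers (`*+`, `++`, `?+`) that RE2 rejects into their greedy forms. `SampleRule` is a constructed, shortened copy of the charset portion of the rule 920600 pattern from the error output above.

```go
package main

import (
	"fmt"
	"regexp"
)

// SampleRule is a constructed, shortened copy of the charset part of the
// CRS 920600 pattern from the error above; it still uses \s*+.
const SampleRule = `^(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))`

// CheckRE2 reports whether pattern compiles under Go's regexp package
// (RE2 syntax), the engine Coraza uses for @rx operators.
func CheckRE2(pattern string) error {
	_, err := regexp.Compile(pattern)
	return err
}

// StripPossessive rewrites possessive quantifiers (*+, ++, ?+), which PCRE
// accepts but RE2 rejects, into their greedy forms. Escaped characters,
// character classes and the '?' opening a group such as (?: are left alone.
// Caveat: a possessive quantifier forbids backtracking in PCRE, so the greedy
// form can match inputs the original would not; review rewritten rules.
func StripPossessive(pattern string) string {
	out := make([]byte, 0, len(pattern))
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\' && i+1 < len(pattern):
			out = append(out, c, pattern[i+1]) // copy the escape pair verbatim
			i++
			continue
		case inClass:
			inClass = c != ']'
		case c == '[':
			inClass = true
		case c == '*' || c == '+' || c == '?':
			groupSyntax := c == '?' && i > 0 && pattern[i-1] == '('
			if !groupSyntax && i+1 < len(pattern) && pattern[i+1] == '+' {
				i++ // skip the possessive '+'; c itself is appended below
			}
		}
		out = append(out, c)
	}
	return string(out)
}

func main() {
	fmt.Println("original:", CheckRE2(SampleRule))
	fixed := StripPossessive(SampleRule)
	fmt.Println("rewritten:", fixed, CheckRE2(fixed))
}
```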
This issue is now fixed, please update CRS: https://github.com/coreruleset/coreruleset/pull/2862
Is anyone still having this issue? I am still getting it with branches v4.0/dev, v3.3/dev and v3.3/master. I do not have the issue for v4.0/main or v3.4/dev but I would assume these rulesets are out of date.
Hello, @rholden3 it actually works for me with OWASP_CRS/4.0.0-RC1. I tried OWASP_CRS/3.2.3 and OWASP_CRS/3.3.4 and I still have the same error "failed to compile rule".
Upgrading to v4 and https://github.com/corazawaf/coraza-caddy/releases/tag/v1.2.2 is the solution to this.