fzipi
commented
10 hours ago Hopefully this is solved once we incorporate the new parser!
Open geoolekom opened 10 hours ago
fzipi
commented
10 hours ago Hopefully this is solved once we incorporate the new parser!
geoolekom
commented
9 hours ago @fzipi This bug happens because ParseVariables function doesn’t handle cases where a regex contains special characters like |. It tries to split everything using |, but if | is part of the regex, it gets confused and treats way more of the input as part of the regex than it should.
It doesn’t seem too hard to fix. We just need to handle this specific case properly and add some tests. No need to wait for a full parser refactoring to fix it. If you don't mind, I'd provide a PR.
fzipi
commented
8 hours ago Please do!
jcchavezs
commented
7 hours ago Please do!
Description
Coraza does not correctly parse regex arguments in
SecRule. Let's consider a rule:Coraza treats the entire string
um_options\[/|!ARGS:um_options[checkmail_email]as the regex instead of isolatingum_options\[as the intended regex. This behavior leads to incorrect rule parsing and potentially unintended behavior when matching against request arguments.Steps to reproduce
Create a SecRule directive similar to the following:
Run WAF that uses the rule.
Expected result
Coraza should interpret the regex
/um_options\[/correctly as a standalone match and not combine it with the rest of the string, i.e.,|!ARGS:um_options[checkmail_email].Actual result
Coraza incorrectly parses the regex as
um_options\[/|!ARGS:um_options[checkmail_email], leading to an error:With other regexes, it might lead to unexpected behavior and possibly incorrect matching of arguments.
I’m planning to work on a fix for this issue to make sure that regex parsing in
SecRuleworks as expected. If the maintainers have any concerns or suggestions about this approach, I’d be happy to hear them before moving forward. Thank you!