Closed jessebot closed 2 months ago
Also, to note, this happens when I try to put most JSON code blocks into Nextcloud Deck cards too.
@jessebot Thanks for the report
I see that you're using CRS 3.3.5, plugins are only supported in CRS 4.x and newer releases. I recommend upgrading to the latest CRS 4.4 for proper support for plugins.
would it make sense to have something like this added to the plugin?
I see a few issues with the rules that you wrote, most notably you are disabling 949110 which is an anomaly scoring rule, disabling 949110 disables CRS. You only want to disable rules that contribute to the anomaly score, like you did with 921130 and 921110. Never disable 949110 unless you want to disable the CRS.
When disabling rules, it's generally not a good idea to disable them completely, this can introduce bypasses. You should instead disable rules for a specific target, this is the safest way to disable a rule. See this example in the docs on how to do this https://coreruleset.org/docs/concepts/false_positives_tuning/#example-7-ctlruleremovetargetbyid
The issue you reported should have been caught by our testing, I added an extra test to make sure this doesn't occur in the future.
I have a PR open that should fix this issue, I found a few more false positives in my own testing: #81
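To make the advice above concrete, here is an added example (not code from the plugin, the docs, or either commenter) contrasting the exclusion style the maintainer warns against with a per-target exclusion of the kind linked in the docs. The rule IDs 921110, 921130 and 949110 come from this thread; the rule id 9508999, the `/apps/deck/` path and the `ARGS:description` target are assumptions chosen for illustration and must be replaced with the real request path and the actual variable that triggers the false positive in your ModSecurity audit log.

```apacheconf
# --- Do not do this ---
# 949110 is the anomaly-scoring "blocking evaluation" rule. Removing it means
# no anomaly score is ever evaluated, so CRS stops blocking anything at all.
# SecRuleRemoveById 949110

# Also avoid: removes 921110/921130 for every request, every parameter,
# every client. A bypass of those rules is now possible site-wide.
# SecRuleRemoveById 921110 921130

# --- Do this instead: per-target exclusion, scoped to the request path ---
# Assumed values: rule id 9508999, path /apps/deck/, target ARGS:description.
# The ctl actions run in phase 1, before the phase-2 rules 921110/921130
# inspect the request, and only stop those two rules from looking at the
# one variable that carries the card text. All other variables, and all
# other request paths, are still inspected normally, and 949110 is untouched.
SecRule REQUEST_URI "@contains /apps/deck/" \
    "id:9508999,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=921110;ARGS:description,\
    ctl:ruleRemoveTargetById=921130;ARGS:description"
```

Check the audit log entry for the blocked request to see which variable (the `ARGS:...` name in the match details) each rule matched on, and exclude exactly that variable; if a later request still scores, add the newly reported target rather than widening the exclusion to the whole rule.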
> I see that you're using CRS 3.3.5, plugins are only supported in CRS 4.x and newer releases. I recommend upgrading to the latest CRS 4.4 for proper support for plugins.
I was using 3.3.5 only until this PR for the ingress-nginx controller gets released as the docs still say:
Plugins are not part of the CRS 3.3.x release line. They are released officially with CRS 4.0. In the meantime, plugins can be used with one of the stable releases by following the instructions presented below.
Until that PR is released, I can't upgrade the CRS unfortunately :( It is merged though, so I am hopeful it makes it into a release in the next month or so.
> I see a few issues with the rules that you wrote, most notably you are disabling 949110 which is an anomaly scoring rule, disabling 949110 disables CRS. You only want to disable rules that contribute to the anomaly score, like you did with 921130 and 921110. Never disable 949110 unless you want to disable the CRS.
Oh, thank you for letting me know!
> The issue you reported should have been caught by our testing, I added an extra test to make sure this doesn't occur in the future.
I have a PR open that should fix this issue, I found a few more false positives in my own testing: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/pull/81
Thank you so much!
I also wanted to note that, using Deck, I also get ModSecurity rule exceptions when trying to click the complete button or clicking the card's menu and hitting "mark as done" (hits rule 911100) in a Deck card, though it looks like you got that one in #81.
I also get a rule hit when trying to change a tag (also hits rule 911100). In case you didn't know how to edit a tag if you want to reproduce (because I didn't until today):
@jessebot Thanks, I've pushed a few more fixes along with what you reported.
Hi core rule set friends!
I tried to create a card in Nextcloud's Deck app with the following code block:
It was actually a card for fixing another modsecurity issue with matrix haha, but it gave me this error:
Looks like it hit the following rules: 921110, 921130, 949110.
would it make sense to have something like this added to the plugin?
If so, I could try and submit a PR for this. If not, please let me know what the best course of action is.
Env info

CRS version: 3.3.5
ModSecurity version: ModSecurity v3.0.12 (Linux)
Type of web server: ingress-nginx controller via k8s