search

owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
8.06k stars 1.58k forks source link

DOC: `SecRuleUpdateActionById` and `chain` docs are errant for both 2.x and 3.x #2860

Open diablodale opened 1 year ago

diablodale commented 1 year ago

The official doc for modsecurity 2.x and 3.x for both SecRuleUpdateActionById and chain are errant. They lead to errant rule writing and/or exposing underlying modsecurity bugs. I request clarification/rewrite of at least these two sections of both 2.x and 3.x docs.

This is a cascade issue from https://github.com/coreruleset/coreruleset/issues/3080#issuecomment-1374575642. I recommend reviewing that whole issue to understand the errant docs and gaps in information.

Doc Problems

  1. SecRuleUpdateActionById doesn't organize limitations/workarounds together; e.g. modsec 2.x SecRuleUpdateActionById on rule chains has a chain workaround (see issue above) and limitation (see issue above) and may have additional behavior/workaround changes in 3.x (I can't test 3.x)
  2. chain has wrong language, e.g. "Non-disruptive rules" should be "Non-disruptive actions"
  3. chain has wrong facts, e.g. "they [non-disruptive actions] will be executed if the rule that contains them matches and not only when the entire chain matches". That statement is false since it has been proven in 2.x (can't test myself in 3.x) that setvar does NOT "not only when the entire chain matches".
  4. Coordinate chain with SecRuleUpdateActionById docs so they match each other's limitations/workarounds.

Docs problems of these areas exist in both 2.x and 3.x docs; sometimes similar, sometimes identical. I recommend adding some rule + rule update examples to demonstrate how to use them correctly on each 2.x and 3.x. The issue above has premade examples.

Below is one suggestion for the 3.x docs.

Example 3.x docs for SecRuleUpdateActionById

...It has two limitations: it cannot be used to change the ID or phase of a rule. Only the actions that  
can appear only once are overwritten. The actions that are allowed to appear multiple times in a list,  
will be appended to the end of the list.

Example foo bar...

then 3 paragraphs and 2 examples under that is another limitation

Note : If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.

These need to be combined together. Perhaps something like

...It has limitations

1. it cannot be used to change the ID or phase of a rule.
2. Only the actions that can appear only once are overwritten. The actions that are allowed to appear  
   multiple times in a list, will be appended to the end of the list.
3. If the target rule is a chained rule, action updates may only be made to the main (first) rule in the chain.  
   This is a tighter restriction than modsecurity 2.x.

Example foo bar...
martinhsv commented 1 year ago

@diablodale ,

Thanks for raising these. I have corrected what you mentioned in (3) with the rest still to be addressed.