owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Regular Expression Failure Triggers `!@rx` #3123

Open ssigwart opened 2 weeks ago

ssigwart commented 2 weeks ago

Describe the bug

When there's a regular expression error due to SecPcreMatchLimit or SecPcreMatchLimitRecursion (i.e. MSC_PCRE_LIMITS_EXCEEDED), a rule using !@rx will say that the rule was triggered. However, failures with @rx will say that the rule was not triggered. I think both should assume the rule was not triggered. See https://github.com/coreruleset/coreruleset/issues/3640#issuecomment-2035841946 for additional context.

To Reproduce

See https://github.com/coreruleset/coreruleset/issues/3640#issuecomment-2037347642.

You can probably reproduce by setting SecPcreMatchLimit and SecPcreMatchLimitRecursion really low (maybe 5) and adding a !@rx rule.

Expected behavior

I would expect !@rx to not trigger a rule if there's a MSC_PCRE_LIMITS_EXCEEDED error.


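To make the asymmetry in the report concrete, here is an added model (example code, not ModSecurity's own implementation) of the two ways an operator's error outcome can be combined with the "!" negation. It uses POSIX regexec for the three outcomes a regex operator can produce, and a simulate_limit flag (an assumption, since POSIX regex cannot be made to hit a match limit on demand) to stand in for the PCRE limit error that sets MSC_PCRE_LIMITS_EXCEEDED.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>

/* Three outcomes an engine has to keep apart: match, no match, execution error. */
typedef enum { RX_ERROR = -1, RX_NO_MATCH = 0, RX_MATCH = 1 } rx_result;

/* Constructed stand-in for an @rx operator. simulate_limit is an assumption
 * modelling the PCRE match/recursion-limit error (MSC_PCRE_LIMITS_EXCEEDED). */
rx_result rx_eval(const char *pattern, const char *target, bool simulate_limit) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return RX_ERROR;
    int rc = simulate_limit ? REG_ESPACE : regexec(&re, target, 0, NULL, 0);
    regfree(&re);
    if (rc == 0) return RX_MATCH;
    if (rc == REG_NOMATCH) return RX_NO_MATCH;
    return RX_ERROR; /* any other code is an execution error, not "no match" */
}

/* Behaviour described in the issue: the error is folded into "no match" before
 * negation is applied, so a "!@rx" rule reports itself as triggered. */
bool rule_triggered_legacy(rx_result rc, bool negated) {
    int matched = (rc == RX_MATCH) ? 1 : 0; /* RX_ERROR collapses to 0 here */
    return negated ? !matched : matched;
}

/* Expected behaviour: an operator error is a third outcome that never triggers
 * the rule, whether or not the operator is negated. The error is still worth
 * surfacing separately (ModSecurity exposes it via MSC_PCRE_LIMITS_EXCEEDED). */
bool rule_triggered_fixed(rx_result rc, bool negated) {
    if (rc == RX_ERROR) return false;
    bool matched = (rc == RX_MATCH);
    return negated ? !matched : matched;
}

int main(void) {
    const char *labels[] = { "no match", "match", "error (limit exceeded)" };
    rx_result cases[] = { RX_NO_MATCH, RX_MATCH, RX_ERROR };
    printf("%-24s %-14s %-14s\n", "@rx outcome", "legacy !@rx", "fixed !@rx");
    for (int i = 0; i < 3; i++)
        printf("%-24s %-14s %-14s\n", labels[i],
               rule_triggered_legacy(cases[i], true) ? "triggered" : "not triggered",
               rule_triggered_fixed(cases[i], true) ? "triggered" : "not triggered");
    return 0;
}
```

Running it prints one row per outcome; only the error row differs between the two columns, which is the discrepancy the report describes.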
airween commented 2 weeks ago

Hi @ssigwart,

thanks for reporting, I will take a look at this issue soon.